ACUA College & University Auditor, Fall 2013


Volume 55, Number 3, Fall 2013

INSIDE:

- Why Build a Tax Strategy?
- Strategy to Implement Enterprise Risk Management Programs at Colleges and Universities
- Colorado State University’s Audit Follow-Up Process
- HIPAA Breach Violations Now Come with Harsher Penalties
- Security Review to the Rescue!




Contents

Fall 2013

ACUA members are invited to submit letters and original articles to the editor. Go to www.acua.org and click on the Resources – College & University Auditor Journal for further guidelines. Please send your copy electronically to the editor or ACUA in Word 95 (or higher) or text file format. The editor reserves the right to reject, abridge or modify any advertising, editorial or other material.

Departments

2 From the Editor
3 From the President
5 New ACUA Board Member Bios
8 New Member Profiles
9 Awards Committee Report

Features

11 Why Build a Tax Strategy? By Steve Hoffman
14 Strategy to Implement Enterprise Risk Management Programs at Colleges and Universities By Betty J. Simkins, PhD, and Keri Dawson
18 Colorado State University’s Audit Follow-Up Process By Stephanie Wolvington
21 HIPAA Breach Violations Now Come with Harsher Penalties By Sam Khan
25 Security Review to the Rescue! By Kristie Newby, MBA, CFE

Editor
Clarice Maseberg, Wichita State University, clarice.maseberg@wichita.edu, 316-978-5824

Deputy Editor
Sam Khan, Oregon University System

Editing Staff
Amy Hughes, Michigan Tech; David Dixon, Governors State University; Mary Ann Mackenzie, Auburn University; Michael Foxman, University System of Georgia; Sterling Roth, Georgia State University

ACUA Management
Stephanie Newman, Executive Director

College & University Auditor is the official publication of the Association of College & University Auditors. It is published three times a year as a benefit of membership. Articles in College & University Auditor represent the opinions of the authors and do not necessarily represent the opinions of governance, members or the staff of the Association of College & University Auditors. Acceptance of advertising does not imply endorsement by ACUA. ©2013 Association of College & University Auditors. Send address changes to:

ACUA, PO Box 14306, Lenexa, KS 66285-4306, ACUA-info@goamp.com


Letter FROM The Editor By Clarice Maseberg, CPA, CIA Editor

I’m writing this letter having, like many of you, just returned from the Annual Conference in Norfolk. It was a great experience to hear many informative speakers, meet fellow auditors and bring back ideas to put into practice in my own work, not to mention visit the beautiful city of Norfolk. It was especially exciting to put faces with many of the names of people I’ve worked with on the journal, or seen on ACUA-L messages.

Even if you were unable to attend the conference, or did attend but were forced to choose among equally appealing sessions and weren’t able to attend every session you would have liked to, you can still benefit from those presenters’ knowledge and experience here in the journal. In this issue, as well as future issues, we will be publishing articles submitted by the conference presenters. Some of these articles will cover the same material as the presentations, and some will focus more narrowly on specific aspects. Even if you attended a particular presentation, you still may learn new and useful details from the corresponding article.

This issue of the journal contains articles on a wide variety of topics, with helpful information for both new and veteran auditors. In “HIPAA Breach Violations Now Come with Harsher Penalties,” Sam Khan describes some new and significant changes to the Health Insurance Portability and Accountability Act. Stephanie Wolvington’s article, “Colorado State University’s Audit Follow-Up Process,” tells us about CSU’s transition to a more efficient way to manage and follow up on outstanding audit recommendations. Betty Simkins and Keri Dawson describe a “Strategy to Implement Enterprise Risk Management Programs at Colleges and Universities.” In a follow-up to his article in the previous issue of the journal, Steve Hoffman discusses “Why Build a Tax Strategy?” In “Security Review to the Rescue,” Kristie Newby describes how this type of review can help address concerns related to university assets and employees.

Sam Khan profiled each of the newly elected ACUA Board members, Vijay Patel, Janet Covington, Sandy Jansen and Frank Tresnan, for this issue. Each discusses their beginnings in ACUA and what they hope to contribute in their new roles. I’d also like to welcome several new members who’ve recently joined ACUA, and encourage you to read their profiles as well. This issue also includes Awards Committee chair Gail Klatt’s remarks from the awards presentations at the Annual Conference. Congratulations to Betsy Bowers, winner of the 2013 Member Excellence in Service award, and Michael Somich and Tom Luccock, winners of the Outstanding Professional Contributions award. In her remarks, Gail describes their contributions to ACUA and the internal auditing profession.

Finally, some people have asked why they are no longer receiving issues of the journal by mail. This isn’t a postal error; the journal has been online only for several issues now. Visit the College & University Auditor journal page on the ACUA website, located under the Resources menu, to read the current issue, as well as back issues dating to 2000. The most recent issues are available in two formats for easy reading online as well as downloading and printing. As always, I welcome your feedback on how we can continue to make the journal even more relevant and accessible.



Letter From The President By Doug Horr President

Greetings friends and colleagues,

It is with an immense amount of pride that I write my first “Letter from the President” to you. It is not pride in my achievements, nor even pride that I didn’t trip over myself in my presentation during the business meeting, but pride in being engaged in such a collegial, professional and vibrant organization. If you have any doubts as to the sincerity behind these adjectives, then I am sorry you were not able to attend this year’s Annual Conference, because all were in full display.

Whether you were a first-time attendee, or you were a 20+ year conference veteran (don’t worry, I won’t be calling anyone out), the organization demonstrated what makes it so special. We had more than 150 first-time attendees, many new to higher education auditing. They were not only welcomed by our ACUA ambassadors and Board members at the first-time attendees’ reception, but they also were actively engaged in networking with their peers from similar institutions throughout the conference, learning what it is that makes higher education auditing (and ACUA) so unique. I had lunch with many of the new attendees from “small shops” at the luncheon roundtables, and I look forward to engaging the new energy they are bringing into our organization.

Those fortunate enough to attend the conference were engaged in some incredible professional education. In addition to three dynamic general sessions on ethics, fraud and leadership, auditors were exposed to great sessions on research compliance, tax issues for university auditors, emerging areas like auditing mobile devices and auditing governance processes, just to name a few. I’d like to extend my thanks to the Professional Education Committee (PEC) and Annual Conference committee one more time for a great experience.

By now I’m sure the detail-oriented group that you are has observed that I have used the word “engaged,” or some form of it, several times throughout this letter. Rest assured, it is not because I am a one-verb pony. I chose this word because one of my goals for ACUA this year is to increase the number of our members that are engaged in this great organization. Whether this engagement takes the form of volunteering for a committee, assisting with a conference, writing an article for College & University Auditor, presenting a webinar or simply responding to a member survey, I would like to see every individual of every member institution have an impact on the growth and enhancement of this organization and our profession.

Allow me to quickly follow up on my member survey comment. One of the other priorities established for this year is to enhance ACUA’s services to its members, both institutionally and individually. Over the next few months you will be asked to respond to various surveys. Please take the brief time needed to respond to these requests. It is only through your engagement that ACUA can better serve you, and in doing so, serve and enhance the organization itself.

Albert Einstein once noted, “Nothing happens until something moves.” I look forward to our next year together and I thank you for joining me in continuing to move ACUA, and auditing in higher education, forward.

Warm regards.



What is the ACUA Risk Dictionary?

The ACUA Risk Dictionary is a comprehensive database of risks and their associated controls for areas specific to higher education. Higher education audit departments can use the risk dictionary to identify an audit universe specific to higher education, which can then be used for performing their annual risk assessments and preparing their annual audit plan. The ACUA Risk Dictionary can also be used to prepare project-level risk assessments for areas such as:

- NCAA Compliance
- Student Financial Aid
- Export Controls
- Research Compliance

and many more! After having identified the risks for your audit project, the ACUA Risk Dictionary contains the associated controls, which can then be used to prepare an audit program to test whether the proper controls exist.

Is the ACUA Risk Dictionary for YOU?

Business officers, risk officers, compliance officers and other higher education leadership can use the ACUA Risk Dictionary to provide a comprehensive list of areas that could likely need their attention. For someone new to their position or new to higher education, the ACUA Risk Dictionary will be especially beneficial in identifying not only broad areas where inherent risks are common, but also specific risks within those areas and their associated controls. In the absence of a formal risk management structure, the ACUA Risk Dictionary provides a concrete and comprehensive starting point for identifying, evaluating, and managing risks across the organization. You now have the ability to submit new risks and controls for the dictionary. The Risk Dictionary is a living document, so check it out with an eye toward what you can contribute. The ACUA Risk Dictionary is available for FREE as a benefit of ACUA membership or by subscription to non‐members.



New ACUA Board Member Bios By Sam Khan, Deputy Editor

Vijay M. Patel

Vijay M. Patel is the Director of the Office of Internal Audit at the University of Southern Mississippi. He joined the university in 2000. Previously, he worked as a Senior Internal and Information Systems Auditor and a System Design and Information Analyst.

Vijay has a Bachelor of Science in computer science and statistics and a Bachelor of Science in Business Administration in accounting. He is a Certified Public Accountant, Certified Information Systems Auditor and Certified Fraud Examiner. Vijay is currently working toward the Certified Internal Auditor certification.

Since becoming an ACUA member in 1996 and attending his first Annual Conference in Norfolk, Vijay said, “ACUA has really been a great resource, enabling me to tap into the vast information that our ACUA members have.” ACUA has allowed him to network with his peers: “I have made many lasting and valuable friendships from my participation with ACUA.” Vijay points out that ACUA is built from its audit professionals and from the countless hours that are given up for the organization by its devoted member volunteers.

In his present ACUA role, Vijay serves as a Board Member-at-Large and Board Committee Liaison to the Accounting and Auditing and Government Relations committees. Past roles include Board Member-at-Large from 2006 through 2009 and Secretary/Treasurer, Professional Education committee member and Investment committee chair from 2009 through 2011. As a past and present Board member, “I would like to see the membership grow, including international members,” Vijay said. “I enjoy being involved and would continue to be available to the many committees that we have to excel and promote ACUA.”

Janet Covington

Janet Covington joined Rice University’s internal audit function in 2003, where she serves as Director of Internal Audit. Prior to her arrival, the university’s internal audit department had been outsourced. Janet’s internal audit career began in the early 1990s. She has worked at three of the Big Four public accounting firms. Janet earned a Bachelor of Science in accounting from the University of South Alabama. She is a Certified Internal Auditor and Certified Information Systems Auditor, as well as a former board member of the Information Systems Audit and Control Association.

Janet attended her first Annual Conference in 2003. It was at that conference where Seth Kornetsky, former ACUA president, approached her to help draft a white paper about outsourcing internal audit. “At that point, I knew ACUA was an organization that valued the opinions of all members, both new and long-standing to the organization,” Janet said.

As a board member, Janet looks forward to giving back. “My first goal is to learn how the board really works and then figure out how I can best contribute to the activities that serve the organization as a whole,” Janet said.

Since joining ACUA, she has attended almost every annual and midyear conference. The only thing that has stopped her was Hurricane Ike. Janet is grateful to the ACUA colleagues who have reached out to her in response to her requests, and for their insights, experience and wisdom. She adds, “I personally value the work that volunteers are willing to engage in to make ACUA a great professional organization.”

Sandy Jansen

Sandy Jansen is the Executive Director of Audit and Consulting Services at the University of Tennessee System. She joined UT in February 2012. Prior to UT, she worked in the Texas Tech University System for 21 years, serving the last seven years as assistant chief audit executive. Sandy received her Bachelor of Business Administration in accounting from Texas Tech University. She is a Certified Internal Auditor and holds a Certification in Control Self-Assessment and a Certification in Risk Management Assurance. She has also served on the board of the Texas Association of College and University Auditors and on the board of the West Texas Chapter of the American Society for Training and Development.

“ACUA has had a tremendous impact on my professional development and career,” Sandy said. “I had the opportunity to learn skills through my volunteer roles that I otherwise would not have had the opportunity to develop.” In addition, the education she received at the conferences has helped her stay on the cutting edge and provide value to her university. The network she has developed over the years has been a great resource. “I can contact a number of different auditors anytime I have a question or need advice,” she said. “I believe all of the benefits I have received from ACUA prepared me for serving in my current role as the chief audit executive for the University of Tennessee.” Her recent role as the Professional Education committee chair has given her the opportunity to work with other organizations with goals similar to ACUA’s. As a board member, Sandy said, “I intend to continue to develop those relationships so that ACUA can strengthen collaborations.”

Sandy has served in a number of roles since she first began volunteering as a proctor at the annual and midyear conferences nearly 20 years ago. Other roles include serving as the Midyear Conference Director, as an ACUA Faculty member, and as the Professional Education committee chair. As the Midyear Conference Director, she was responsible for the behind-the-scenes logistics and for developing educational programs to meet the needs of our membership. “Get involved and attend every conference you can,” Sandy said. “At the conferences, make contacts and begin to build a network. These contacts will assist you in your professional development.”

Frank Tresnan

Frank Tresnan joined the Office of Audit, Compliance and Privacy at the University of Pennsylvania in 1997 as a Health System Internal Auditor. He has served in positions of increasing responsibility, and since 2011, he has served as the Executive Director of Internal Audit. Prior to joining the University of Pennsylvania, he worked in the sponsored projects finance department for a large medical school and health system. He began his career in public accounting. Frank has a Bachelor of Science in business administration and accounting from LaSalle University in Philadelphia. He is a Certified Internal Auditor with expertise in the design and evaluation of internal controls, sponsored projects administration and compliance, accounting, business process design, business administration and project management.

“I consider ACUA membership essential to a career in higher education internal audit,” Frank said. “ACUA provides a multitude of resources that I’ve used over the years to advance my work at Penn.” These include audit programs from the Resource Library, the NCAA Compliance Guide, the Risk Dictionary, ACUA-L, and most importantly, the network of professional colleagues he has established with other members. He also believes that ACUA’s conferences and webinars provide the best value in continuing professional development, offering relevant education for members of the industry.

Frank became an ACUA member in 1997. He has previously served as a session presenter and a proctor at ACUA conferences. “[As the new secretary/treasurer,] I want to do my part to help ensure that ACUA continues to provide high quality resources to the membership,” Frank said. Frank encourages ACUA members to take advantage of the many ACUA resources. He notes that the resources will be especially useful for new members who are transitioning into the higher education environment. He also encourages new members to participate and engage with other members. As he said, “They will, without a doubt, be the biggest ‘win’ you get from joining ACUA.”



New Member Profiles By Clarice Maseberg, CPA, CIA, Editor

David Bishop, Audit Coordinator, Washington State Board for Community & Technical Colleges

David has been working in internal audit for more than 25 years, with more than two years at the Washington State Board for Community & Technical Colleges. He has a Bachelor of Business Administration in accounting, and is an enrolled agent. To David, the most enjoyable part of internal auditing is discovering issues and working together with the colleges to find solutions. As a member of ACUA, he hopes to gain insights, networking, best practices and educational experiences.

Jeremy Guillory, Director, Internal Audit, University of Louisiana at Lafayette

Jeremy has worked in internal audit for 13 years, and has been at the University of Louisiana for 10 months. He has a Bachelor of Science in management and an MBA with a concentration in information systems and internal audit. Jeremy is also a Certified Internal Auditor. He says that the most enjoyable thing about internal auditing is continually learning new information or business processes. From his ACUA membership, Jeremy hopes to gain a strong network of fellow internal audit professionals in higher education.

Lorry Mahone, Internal Auditor, Missouri Baptist University

Lorry has more than 28 years of accounting and auditing experience, more than 10 of them in internal audit. She has worked at Missouri Baptist University for the past five months and has a Bachelor of Science in business administration/accounting. Lorry is also a Certified Public Accountant and Certified Internal Auditor. She enjoys internal audit because of the opportunity to partner with management in addressing risks that affect the organization. As a member of ACUA, Lorry hopes to have access to information specific to internal audit in the higher education industry.

Darren Skolnick, Director, Internal Audit, Iona College

Darren has been at Iona College for six months, and has worked in internal audit for 28 years. He has a Bachelor of Science from Brooklyn College and an MBA from Pace University, and is a Certified Public Accountant and holds a Certification in Risk Management Assurance. Darren serves as a member of the Board of Governors of the New York chapter of the Institute of Internal Auditors and as a member of the Board of Directors of The Bridge, a nonprofit organization providing services to persons with serious mental illness. Darren says the thing he enjoys most about internal audit is being able to help the organization improve its operations and fulfill its mission. By joining ACUA, Darren hopes to gain more insights into the risks facing higher education institutions, have resources to help deliver services more effectively, and have networking opportunities.

Aimee Slade, Quality Assurance Manager, Ashford University

Aimee has worked at Ashford University for six years, two of them in internal audit. She has a Bachelor of Arts in communication with a minor in English from San Diego State University and a Master of Arts in organizational management from Ashford University. Aimee enjoys working in internal audit because of the opportunity to serve students indirectly and find trends for improvement. From her ACUA membership, Aimee hopes to gain a community of auditors. She feels that, as a unique group, it’s important to find support and guidance with other professionals working in a similar environment.



Awards Committee Report By Gail Klatt, CIA, CRMA, Awards Committee Chair

This year’s Awards Committee had a number of outstanding award nominations, which made selecting the winners all the more difficult. However, the committee came to a decision and at the Annual Conference in Norfolk, Va., announced the winners of the 2013 Member Excellence in Service and the Outstanding Professional Contributions awards.

The Member Excellence in Service award recognizes a member who has made outstanding contributions to the mission of ACUA through exceptional service. The award was presented to Betsy Bowers, from the University of West Florida.

Betsy Bowers exemplifies excellence in service over many years. She has served as ACUA’s Vice President and President, as the Publications Director and editor of the College & University Auditor journal and as an ACUA Ambassador to other professional organizations. She has led sessions at previous Midyear and Annual Conferences where she has shared her professional experiences and insights with members. She has participated in many quality assurance reviews that have provided valuable improvement feedback. Most recently, Betsy has taken on the challenge of overseeing the ACUA Faculty program to extend ACUA’s message of the value of internal auditing in higher education to other organizations.

There are always those notable intangibles. “Enthusiastic,” “engaging” and “collegial” all are apt descriptors of Betsy. As one nominator said, “[Betsy is] a true ambassador to those new to higher education auditing; [she] is the one who engages everyone at a conference with a smile and from whom you immediately get an understanding of what defines professional collegiality. [Betsy] truly represents the best of what ACUA is all about.”

About the Author

Gail Klatt is the Associate Vice President of Internal Audit for the University of Minnesota where she is responsible to the University’s Board of Regents for all internal audit work carried out on each of the five university campuses. She is a Certified Internal Auditor and is certified in risk management assurance (CRMA).

This year the committee selected two winners of the Outstanding Professional Contributions award. This award recognizes a member who has made outstanding and noteworthy contributions to the profession of internal auditing in higher education through creating wider recognition of the profession, promoting cooperative relationships with other governance-related organizations, promoting high professional standards, and sustained service to higher education and internal auditing professional organizations.

The first Outstanding Professional Contributions award was presented to Michael Somich from Duke University. Michael has made a significant mark on raising the awareness of the value of internal auditing in higher education. He frequently gives talks about the profession at a wide spectrum of external organizations including the Association of Governing Boards, the AICPA, Moody’s Investors Service, the American Accounting Association, other institutions, a variety of IIA local chapters, and the list actually does go on. Having personally taken away a lot of really good ideas and information when attending sessions presented by Michael, I can think of few people who are as effective in communicating what it is we do and how we can add value every day.

However, Michael’s efforts haven’t been solely externally focused. He also participates in quality assurance reviews and internal auditing consulting assignments at some of the premier research universities in the country, and many conference presentations have provided platforms for the sharing of expertise within the ACUA community as well. A contribution which was deemed particularly notable was Michael’s involvement in and support of the recently established ACUA Leads program and his commitment to the development of our next generation of leaders. Serving as both an executive sponsor and as a mentor within the program has helped it get off to a great start.


The second Outstanding Professional Contributions award was presented to Tom Luccock of Michigan State University. Tom has been actively involved in promoting the internal audit profession for decades, serving on the International Professional Conference Committee, the Publications Advisory Committee and the Editorial Advisory Board for the Institute of Internal Auditors for many years. He has participated on a number of quality assurance review teams, demonstrating a commitment to continuous improvement. Nominators also highlighted that he has actualized the concept of being a “trusted advisor,” being sought out by leadership and the Board to help arrive at solutions for difficult problems. It was, however, Tom’s commitment to creating as many intersections between the student experience and internal auditing that truly resonated with the committee. The committee was also impressed by his initiatives that were centered on students.

Tom established an outstanding internship program which provides students with “real life” audit experience. The program provides an excellent platform for creating interest in future careers in the profession, and as part of that program, he personally serves as a mentor to each of the students. The program seizes every opportunity to enhance the interns’ experience, including giving the interns the opportunity to make presentations about their experiences at meetings of his conference colleagues. One nominator shared that one of these presentations was key in making a decision to try to replicate the program at his own institution. Tom also established a program at his institution that pairs mentors with at-risk freshmen aspiring to be business majors. He has personally established scholarships to support students at his current institution, as well as at his alma mater. Tom’s active involvement with students was recognized when he was selected as the keynote speaker at his institution’s business school scholarship event. He has served for several years on the international committee that reviews research papers submitted by students to be selected for the Esther B. Sawyer Award by the IIA.

***********************

The 2013 Awards Committee consists of Gail Klatt, University of Minnesota (Chair); Robert Gerber, Cuyahoga Community College; Vallery Morton, University of Central Florida; and Barbara Deily, University of Virginia.



Why Build a Tax Strategy? By Steve Hoffman

I’d like to give you the results of a report from the IRS on its college and university compliance project and what it really means to you, the internal auditor. First, some background: The IRS sent 400 questionnaires to colleges and universities in 2008. From that sample, 34 audits have been completed. Here’s what the IRS found.

Underreporting of unrelated business income tax

The result of this underreporting was increases by the IRS to unrelated business income tax of about $90 million. That’s right, $90 million. Further, there were 180 changes to the amount of unrelated business income tax reported by colleges and universities on Form 990-T.

Disallowance of losses

There were disallowances of more than $170 million in net operating losses, which is estimated to result in an additional $60 million in assessed taxes. The IRS also threw out expenses claimed by the universities that it determined were not connected to the actual activity.

This misreporting of income and expenses occurred in two ways:

1. The IRS determined that there was a lack of a profit motive, which means no net operating losses can be claimed. The IRS requires a profit motive in order for the unrelated business activity to be reported on the tax return. Another IRS determination showed improper expense allocations: reporting of expenses against income that the IRS found to be incorrect.

2. The IRS also found that there were errors in computation and substantiation of net operating losses, and because of these errors the IRS disallowed $19 million in losses.

Additionally, at 40 percent of the colleges and universities examined, the IRS reclassified some of the activities claimed as exempt as unrelated, and therefore taxable. That is, the IRS disagreed with the university on what was reported on its tax return. Thus, nearly $4 million in income was now subject to tax. Are you keeping track of the dollars assessed so far? What specific activities were reclassified among the 180 changes that were made?

About the Author

Steve Hoffman is a tax expert with many years of experience and education and is dedicated to providing consulting and workshops on tax compliance to colleges and universities. He can be reached at Steve@TheTaxTranslator.com.

There were more than 30 different activities that were reclassified, but they can be reduced to five major groups. Does your school have any of these? Are you reporting them correctly? Are you looking at these activities for potential tax risks?

1. Fitness, recreation centers and sports camps
2. Advertising
3. Facility rentals
4. Arenas
5. Golf courses

Unless you are intimately involved in the preparation of the tax return, chances are that you do not know the answers to these questions. The focus of this article is on the report by the IRS and how to defend your school in an audit. The IRS report also included information on compensation and comparability data and employment tax issues (which resulted in wage adjustments of $36 million that resulted in tax and penalties of over $7 million). These two other areas, compensation and employment tax, will be discussed in future articles.

Interestingly enough, the IRS report concluded that the IRS plans to look at unrelated business income reporting more broadly. No kidding! With the amount of tax assessed shown in the report from only 34 completed audits, the IRS found the pot of gold at the end of the rainbow.

Are you ready for an audit?
I firmly believe you cannot get ready for an audit, you have to stay ready. And to stay ready, you have to get ready. In my book, “Taxation for Universities and Colleges: Six Steps to a Successful Tax Compliance Program,” I outline the six steps you should take to build your audit defense – to get ready and stay ready. Briefly, these six steps are:

1. Awareness
There are many different kinds of taxes you need to be aware of at your school. Besides unrelated business income tax, there is sales tax, excise tax, employment tax, nonresident alien tax for foreign students and scholars, independent contractor tax liability, possible severance taxes, and even taxes in foreign countries, among others. All these taxes have different filing and reporting requirements and different deposit dates. Once you are more aware of the taxes affecting your campus, I suggest you build a list, whether a simple spreadsheet or a ‘tax calendar’ (sample available from the author by email). Then, determine who is responsible for completing each of the tasks and when they are due. This will help you monitor and control your tax risk.

2. Identification
Does your university have a tax gap? There are various methods for seeking out taxes on your campus. There are questionnaires and surveys, automated queries within your financial systems and more. I learned, after 12 years as a tax manager at three different universities, that unidentified tax gaps will not come knocking on your door. It is necessary to seek them out. This cannot be done within your office. It is a campus-wide effort. Are you involved in meetings on a regular basis where tax issues are discussed?

3. Compliance
Compliance with tax law does not just happen. It’s a concentrated effort led by a CFO or VP of Business and Finance or a controller and the internal auditors. A tax compliance program is a collaborative approach to developing a strategic path forward that will drive even more compliance with tax laws. I have a saying, “Compliance breeds compliance,” and it’s true: Once you set the goal, compliance can and will happen willfully. Tax compliance requires a tax team. Build one now and include the various people who have knowledge of campus activities. Another way to look at it: In the event of a large audit assessment of tax, it may be the Chief Internal Auditor who must address the questions, “How did this happen? And why did this happen?” The truthful answer is, “We didn’t get ready or stay ready.”

4. Reporting
Simply stated, reporting is the fulfilling of your school’s requirements to provide the correct information on a timely basis to the federal, state and local taxing authorities. Reporting and filing the forms at year-end is the culmination of the work done throughout the year, not only at year-end. Penalties for filing incorrect information returns with the IRS were just increased. But don’t worry; they very kindly capped the penalties at $1.5 million.

Did you know that the University of Michigan files more forms with the IRS than General Motors? Your school also files more forms with the IRS than you can imagine. This brings us to the next step.

5. Monitoring
Monitoring of internal controls is a continual activity and obligation of the Chief Internal Auditor for the entire campus. Monitoring is the reviewing and managing of the control system that begins at the top. I believe every university should have tax policies in place – before an audit. (Get Ready, Stay Ready.)


6. Audit defense
Preparation for an audit has to begin now, and continue tomorrow and every day – not the day when the auditors arrive. A single person does not accomplish an audit defense. However, it is led by a single person with the help of others on campus.

These six steps are not a “speed dating” approach to tax compliance. Implementation will take some time, but it begins with the first step and follows through step number six. I was the first-ever tax manager at the largest land-grant college in the United States. At times, I felt I was trying to change the course of the Titanic with only one oar in the water. The result of a tax compliance strategy I created and implemented was the lowest ever audit assessment made against the university – only $4,000. And that was after eight months of having three auditors in my office. Compare that to prior audits of the same university where the IRS left with checks totaling $3 million and $1.5 million for the two prior audits. Following the six steps will save you money and time.

I have found in many smaller schools there is no designated tax person. Tax responsibilities are decentralized and are often an “other duty as assigned.” These tax duties are often only done once a year and there is very little, if any, training provided to the people with tax responsibilities. Attending a tax conference once a year for a day and a half is insufficient training on all of the taxes faced by a university. Tax laws, rules and regulations change quite frequently. Internal auditors need training in assessing tax risk at their university.

I have also found through informal surveys by speaking at many universities across the country that an amount equal to approximately 15 percent of the total budget goes out the door every year to taxing authorities, yet there is no strategy, no tax team and very few controls, none of which are monitored. Many auditors are not aware of who signs the tax returns for the university, when the tax is due, if deposits have been made timely and sometimes not even the various penalties that have been assessed against the university. Chief Internal Auditors generally have a strategy for large undertakings or an audit plan for the year. Is tax risk included in your audit plan? There may be a fraud strategy, an audit strategy, but no strategy for tax compliance.



Strategy to Implement Enterprise Risk Management Programs at Colleges and Universities By Betty J. Simkins, PhD, and Keri Dawson

“Colleges and universities have traditionally perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the ‘outside world’ has historically viewed and treated them as such. Today’s risk managers know all too well what others in higher education administration are coming to realize: in addition to an increased focus on, and accountability for, student safety and welfare, colleges and universities face many of the same pressures and exposures to risk as those in the corporate world.” – Anne E. Lundquist (2011) [1]

Even though colleges and universities have been traditionally perceived as different from other commercial entities, the fact remains that the risks they face are very similar to those in the corporate world.

Most universities, like corporate organizations, have implemented risk management initiatives in a decentralized manner. The various internal units function independently and are not always coordinated in their approach to address risk issues. This lack of a cohesive Enterprise Risk Management (ERM) program could hinder business performance. [2]

To help avoid such a scenario, this article explores how universities, like corporate organizations, can build a more integrated and effective ERM program that drives value for stakeholders, reduces the cost of risk and helps achieve strategic objectives. It draws lessons from corporate organizations to demonstrate the benefits of a university-wide risk management program, best practices in building such a program and the role of technology in doing so.

About the Authors

Betty Simkins, PhD, Williams Companies Professor of Business and Professor of Finance, Oklahoma State University. Dr. Simkins conducts research, teaches and consults in the areas of enterprise risk management, risk management and energy finance. Keri Dawson, VP Industry Solutions and Advisory Services, MetricStream. Ms. Dawson leads the integration and continued growth of MetricStream’s cloud-based content and consulting services.

The Importance of a University-wide Risk Management Program
Let’s take a quick look at the corporate world. Today, most organizations are bound to have a risk governance program in place to ensure that they are compliant with regulatory requirements and to protect the interests of stakeholders. However, the recent financial crisis has led to greater governmental concern, monitoring and regulation around managing risk in corporations. The need for improved risk management has never been greater. In fact, organizations with better risk management strategies are known to have better value. The hallmark of an effective risk management strategy is the ability to take a holistic view of risks across the enterprise and link it with corporate governance. That’s where ERM becomes important – it helps organizations achieve top-level oversight into risks across the enterprise and leverage this risk intelligence in strategic decision-making, as discussed by Fraser and Simkins (2010). [3] Despite this advantage, ERM was not always a top organizational priority. The traditional approach to managing risks was more fragmented. Most units in an organization looked at risks in silos. Their focus was narrow and mainly on insurable risks like market risk or credit risk.


The newer and more effective ERM paradigm is more integrated and comprehensive. It enables the senior management and board of directors to have greater oversight of risks and build a strong risk awareness culture. Risk management is seen as an ongoing process that requires all business units to be involved. Visionary organizations that have adopted this approach to ERM as an integral part of their business processes and strategy are reaping significant benefits. An ERM survey conducted by the Conference Board of Canada has indicated that ERM can be used to enhance corporate governance and the board’s confidence in management. It can also help generate risk intelligence to drive improvements in corporate performance and reputation. [4] Other research [5] demonstrates that ERM adds significant business value. In the Conference Board of Canada survey, 98 percent of respondents indicated that ERM provides organizations with a “higher ability to anticipate and respond to risk events, thereby mitigating the downward variability to stakeholders.” The survey also found that ERM shows promise as a mechanism to increase employee engagement.

Similar benefits can be realized from an ERM program in universities. For instance, ERM can reduce the cost of risk and thereby help achieve strategic objectives. To explain this a little more in detail – the cost of risk is defined as the total cost of losses, risk control costs and finance and administration costs associated with risk management. The implementation of an enterprise-wide risk management program is viewed positively by credit rating agencies, which in turn, has a positive impact on the university’s credit rating. A higher credit rating translates to better interest rates and, therefore, a reduction in the interest costs borne by the university on loans.

The key to achieving these benefits is to realize that, like corporate organizations, universities must stop approaching risks in an ad hoc and fragmented manner. An integrated, enterprise-wide risk management program with top-level oversight is critical if universities want to successfully manage, anticipate and mitigate their risks.

Implementing a Successful ERM Program
ERM in a corporate organization invariably requires a change in enterprise culture. The ERM program needs to be championed at the highest level.

ERM Best Practices Outlined by the Association of Governing Boards of Universities and Colleges
• Define risk broadly
• Recognize both the opportunities and downsides of risk
• Develop a culture of evaluating and identifying risk at multiple levels
• Look at the total cost of risk
• Boards and presidents should collaborate
(Source: Enterprise Risk Management: Best Practices for Boards, Presidents, and Chancellors – http://agb.org/sites/agb.org/files/u3/AGB_UE_bestpractices.pdf)

In a university, there are no easy steps for the implementation of such a program. But a good thing to do is to study ERM best practices in the industry (see box above) and use the ERM Six Step approach which is discussed in greater detail below.

1. Risk identification – Identify all risks
Universities need to look at risks in a broad and strategic manner to ensure that nothing is overlooked.

2. Risk assessment – Quantify critical risks
After all potential risks have been identified, the university should hold a vote among senior management to arrive at the top 10 risks. Voting can be done using the Delphi method wherein a group decision-making process is conducted anonymously, thereby removing the possibility of voters influencing the outcome. Voting on risk helps prioritize risk. But the more important step is to quantify risks in terms of their impact and likelihood or probability of occurrence. This will enable the university to determine the most appropriate risk mitigation strategies, in line with their risk exposure.

3. Risk analysis – Define interrelationships among all risks
There is a definite relationship among risks and stakeholders have to be aware of the impact of these interrelationships across the university. The probability of risk occurrence and the quantification of its impact have a key role to play in the analysis.



4. Implementation – Implement risk controls and risk responses
The implementation of risk controls and responses are dependent on the university’s ability to absorb potential risk losses and track the costs and benefits associated with managing such risks. Identifying the probability and impact of risks helps in forming an enterprise risk map. After forming the risk map, the necessary controls and risk responses can be implemented.

5. Monitoring – Gather risk information
Monitoring risks is an ongoing activity. It is important to remember that risks are not static. The magnitude and probability of risks are dependent on risk mitigation initiatives as well as external factors. Therefore, there has to be an ongoing process to assess risks and their impact throughout the university.

6. Evaluation – Compare risks to the strategic plan
It is critical to evaluate the significant risks facing a university and to see how they fit in with strategic objectives. Since it isn’t possible to avoid all risks, a better option would be to identify the key risks and assess them so that the university is well-prepared to handle the eventual impact.

In summary, universities should ensure that they have a continuous and ongoing process of risk identification. The risks identified should be ranked in order of importance based on parameters such as risk severity, probability, frequency and bottom-line impact. Universities should then implement a robust, enterprise-wide risk management program that is fully backed by the senior management.

The Role of Technology in Effective ERM
Technology can help universities build a truly robust, sustainable and holistic ERM program. It can also help in simplifying and strengthening ERM processes such as capturing risk likelihood and impact, performing risk-control assessments, mapping risks and controls to regulatory mandates and providing real-time oversight into overall risk exposure. Achieving these objectives requires moving away from decentralized, point solutions (e.g., spreadsheets, email) toward a more unified and sophisticated ERM framework. Below are the key capabilities and benefits of such a framework:

Brings together all ERM processes, entities and data in a single point of reference
A unified framework is capable of integrating all risks (e.g., IT risk, reputation risk, audit risk) in a single system for greater risk oversight. It is also able to consolidate all ERM processes – including risk and control self-assessments, compliance management, policy management, Key Risk Indicators (KRIs) monitoring, capital allocation and reporting – in a common, scalable infrastructure. This kind of centralized ERM framework provides multiple benefits. It strengthens risk transparency and accountability, standardizes risk language across the enterprise and breaks down risk silos to facilitate real-time collaboration and communication.

Provides a centralized data model to strengthen risk transparency
One of the key benefits of technology – especially an advanced system – is its ability to map risk data to compliance regulations, as well as business functions and processes, controls, control tests, issues and action plans, KRIs and other critical data. This integrated mapping model helps universities gain a truly comprehensive and in-depth picture of their risks, which in turn helps senior management make more informed and risk intelligent strategic decisions.

Streamlines ERM processes
Technology can enable a systematic, workflow-based approach to the full range of ERM processes – right from risk scoping and documentation, to risk process mapping, risk-control assessments, risk mitigation, risk monitoring and risk reporting. This kind of streamlining significantly improves the efficiency of ERM processes and helps minimize redundancies.

Tracks regulatory intelligence
Since ERM processes are closely linked to regulatory requirements, an ERM technology framework should be able to monitor changes and updates across relevant regulations. One of the ways of doing so is by integrating the system with regulatory sources and feeds to filter information and route it to the responsible personnel. Workflows also need to be triggered to manage regulatory impact analyses, compliance reviews and control assessments and updates.

Built on enterprise-ready architecture
A truly advanced ERM technology system is enterprise-ready – configurable, reliable, scalable, extensible and user-friendly. It integrates with other enterprise applications to push and pull relevant risk data. It is also able to streamline ERM workflows, automate reporting and analytics, provide robust security mechanisms and offer relevant content such as industry standards and ERM best practices to help universities derive maximum value from their ERM program.

Conclusion
The key to effective ERM in universities is to keep it simple but sustainable, ensuring a continuous and ongoing process for the review of risk. It is also important to ensure that the ERM objectives within the university have a broad buy-in and are aligned to operations and strategy across business units. A robust ERM program along with good governance and oversight will assist universities in managing risks effectively and have a positive impact on business performance.

References

1. Anne E. Lundquist, “Enterprise Risk Management in Higher Education: A Review of the Literature Reveals What We Know (And What We Don’t),” University Risk Management and Insurance Association (URMIA), 2011.
2. “The State of Enterprise Risk Management at Colleges and Universities Today,” Association of Governing Boards of Universities and Colleges, 2009.
3. John R.S. Fraser and Betty J. Simkins (eds.), Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, John Wiley & Sons, Inc., January 2010.
4. Daniel Rogers, Betty Simkins and Karen Thiessen, Improving the Value of Enterprise Risk Management to Help Manage Corporate Reputation, Conference Board of Canada Research Report, October 2010, Publication 11-085; and Joseph Rizzi, Betty Simkins and Karen Schoening-Thiessen, Enterprise Risk Management: A Review of Prevalent Practices, Conference Board of Canada Research Report, January 2011, Publication 11-165.
5. Betty J. Simkins, Ilene H. Lang and Heather Foust-Cummings, “Does Gender Diversity on the Board of Directors Improve Risk Governance?”, Risk Watch, January 2012, 14-17.



Colorado State University’s Audit Follow-Up Process By Stephanie Wolvington

About the Colorado State University System
The mission of the Colorado State University (CSU) System is to support, enhance and protect the unique missions of its constituent institutions and to encourage collaboration that benefits students and Colorado. The CSU System is made up of three member institutions, CSU, CSU-Pueblo and CSU-Global Campus.

CSU, located in Fort Collins, Colorado, was founded in 1870 and is the state’s land grant institution. The student body totals nearly 30,000. CSU is home to several top centers and programs, including one of the top-ranked veterinary medicine programs in the country. CSU-Pueblo, located in Pueblo, Colo., was first established in 1933 as a junior college. In 1963, CSU-Pueblo became a four-year degree granting college. It has a student body of over 5,000. It has been designated a Hispanic Serving Institution.

CSU-Global Campus is a 100 percent online public university that focuses on learning opportunities for nontraditional students and working adults. It began enrolling students in fall of 2008 and has a current student body of over 5,600.

CSU System Internal Auditing Office
The CSU System Internal Auditing office reports through the Audit and Finance committee of the CSU System Board of Governors. The office was founded in 1967 and employs eight people, including a director, IT audit manager, audit manager, principal auditor, three senior auditors and a part-time administrative assistant. The majority of the staff is located in Fort Collins.

About the Author

Stephanie Wolvington is the IT Audit Manager for the Colorado State University System. She has worked in internal audit for more than 15 years. She holds a Bachelor’s degree in Accounting and Business Administration and a Master’s Degree in Accounting and Information Systems, both from the University of Kansas.

Why do audit follow-up?
According to the Institute of Internal Auditors International Professional Practices Framework, audit follow-up “is a process by which internal auditors evaluate the adequacy, effectiveness and timeliness of actions taken by management on reported observations and recommendations.” According to Standard 2500, it is the responsibility of the Chief Audit Executive to establish and maintain a system to monitor the disposition of results communicated to management.

As auditors, we perform follow-up engagements because the standards require them. If an issue is important enough to report on in the first place, shouldn’t we conduct follow-up procedures to monitor the final outcome? And what about a natural sense of curiosity? As auditors, many of us have this trait. We would like to know the results of our audit findings and recommendations and what impact they have had on business operations.

Previous follow-up process
At CSU, audit follow-up was done every six months. This meant that every six months, the auditor who had completed an audit would initiate a follow-up engagement to track the implementation of corrective action for all the recommendations in the audit. The follow-up engagement could consist of interviews, verification of work performed, review of new or revised policies and procedures, or even additional test work. The work would result in a memorandum-style follow-up audit report. This report would detail the initial audit findings and recommendations and provide a status update on the implementation of the recommendations. The distribution would mirror that of the original audit report. The six month reviews would continue until all the recommendations were closed.

The six month timeframe for follow-up was arbitrary. None of the current internal audit staff could recall how that timeframe was selected. It may or may not have allowed for an appropriate amount of time to resolve an audit finding. At that time, the Internal Auditing office was not requiring management to provide a target completion date for the implementation of audit recommendations. As a result, many recommendations would stay outstanding for multiple years. Additionally, recommendations that were implemented faster than the six month time frame would not be verified until the follow-up engagement had begun.

The audit follow-up process was initiated by the department’s administrative assistant. She kept an index card-based tickler file to serve as a reminder of the follow-up engagement. At the beginning of each month she would provide a report to each auditor detailing the audits that still had open recommendations, together with details of the recommendations and a certification form on which the auditee provided status information for each recommendation. The audit certification is a Microsoft Word document that is used by the auditor in the conduct of the engagement. The certification details the audit recommendation and requires management to complete a status field, detailing the status of the audit recommendation. Management then signs and dates the certification form to certify the accuracy of the status of the recommendations.

Revised follow-up process
In 2011, a change in the audit director position served as the catalyst to revise the follow-up process. It was decided that for every audit recommendation in every audit report, as part of the management response, a target implementation date would be identified. This date, provided by management and documented in the audit report, would act as a trigger for follow-up procedures to occur. Follow-up procedures would now occur by finding and recommendation, and no longer by audit.

It was also decided to move away from the index-card based tickler file and create a database, using Microsoft Access, to track follow-up for audit recommendations. At this time, the CSU System Internal Auditing office did not use an automated workpaper package, so using tools included in such a software package was not an option. The new database was created in-house by the IT audit manager.

Initial planning for the database required the audit staff to determine how the database was to be used. The audit staff would use the database to monitor the outstanding recommendations that had been assigned to them. Follow-up would now occur based on the implementation date provided by management (and not the previous six month timeframe) and reports for the auditors would be generated based on this date. Certification reports would still be used by the auditors to obtain management sign-off. These reports would now be automatically generated from the database with the push of a button, with no more copying and pasting from old audit reports.

It was also decided to use the database to generate reporting for the audit committee of the CSU System Board of Governors. These reports detail overdue audit recommendations by institution. For each recommendation, the report provides the board with the audit recommendation, management response, responsible management personnel and the revised target completion date for implementing the recommendation. Internal Auditing reports only the overdue recommendations to the Board. The President’s Office also receives a copy of this report and uses it to monitor the status of overdue audit recommendations.

Once the desired uses for the data were determined, the actual design of the database began. The data to be collected and recorded for use in generating these reports was decided upon. Some of the fields in the database include: audit number (unique audit identifier), audit finding, audit recommendation, management response, department, responsible management personnel, target completion date, revised target completion date (established if the auditee did not complete implementation by the original date), recommendation status, closed date and topic. This gives the database user the capability to filter or query the information by audit, by department, by date, or by topic, such as policy and procedures or information technology.

The responsibility for maintaining the audit tracking database resides with the Internal Auditing office’s administrative assistant. At the completion of each audit, she inputs the audit findings, recommendations, management responses, target completion date and other pertinent data into the database. On a monthly basis, she generates reports for each auditor that detail the recommendations scheduled for implementation during that month. She also generates the reports for the Board of Governors and the President’s Office.
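As an added illustration (this is not CSU’s database, which was built in Microsoft Access and is not reproduced in the article), the following Python script builds an equivalent table in SQLite with the fields listed above and produces the three reports the article describes: the monthly per-auditor list driven by the management-supplied (or revised) target date, the overdue list for the Board, and a certification report for management sign-off. The table and column names, and the sample rows, are constructed for this example.

```python
import sqlite3

# Table mirroring the fields the article lists. Table and column names are
# assumptions for this example, not CSU's Access design.
SCHEMA = """
CREATE TABLE recommendation (
    id                  INTEGER PRIMARY KEY,
    audit_number        TEXT NOT NULL,   -- unique audit identifier
    department          TEXT NOT NULL,
    finding             TEXT NOT NULL,
    recommendation      TEXT NOT NULL,
    management_response TEXT,
    responsible_person  TEXT,
    target_date         TEXT NOT NULL,   -- ISO date supplied by management
    revised_target_date TEXT,            -- set only if the original date was missed
    status              TEXT NOT NULL DEFAULT 'Open',
    closed_date         TEXT,
    topic               TEXT
);
"""

# Constructed sample rows; not taken from any real audit.
SAMPLE_ROWS = [
    ("A-2013-01", "Bursar", "Vault counts not witnessed", "Require two-person vault counts",
     "Agree; staffing to be adjusted", "J. Doe", "2013-06-30", "2013-09-30", "Open", None, "Cash handling"),
    ("A-2013-01", "Bursar", "No surprise counts", "Schedule quarterly surprise counts",
     "Agree", "J. Doe", "2013-11-15", None, "Open", None, "Cash handling"),
    ("A-2013-02", "IT", "Shared administrator password", "Issue individual admin accounts",
     "Agree", "R. Roe", "2013-05-01", None, "Closed", "2013-04-20", "Information technology"),
    ("A-2013-03", "Athletics", "Ticket stock unsecured", "Store ticket stock in a locked cabinet",
     "Agree", "M. Moe", "2013-10-15", None, "Open", None, "Physical security"),
    ("A-2013-02", "IT", "No server log review", "Review server logs weekly",
     "Agree; procedure in draft", "R. Roe", "2013-08-01", None, "Open", None, "Information technology"),
]

# The date that drives follow-up: the revised date if one was set, else the original.
EFFECTIVE = "COALESCE(revised_target_date, target_date)"


def build_db():
    """Create an in-memory database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO recommendation (audit_number, department, finding, recommendation, "
        "management_response, responsible_person, target_date, revised_target_date, "
        "status, closed_date, topic) VALUES (?,?,?,?,?,?,?,?,?,?,?)",
        SAMPLE_ROWS,
    )
    return conn


def due_in_month(conn, year, month):
    """Monthly auditor report: open items whose effective date falls in the given month."""
    rows = conn.execute(
        f"SELECT * FROM recommendation WHERE status <> 'Closed' "
        f"AND strftime('%Y-%m', {EFFECTIVE}) = ? ORDER BY {EFFECTIVE}, id",
        (f"{year:04d}-{month:02d}",),
    )
    return [dict(r) for r in rows]


def overdue(conn, as_of):
    """Board report: open items whose effective date is before as_of (ISO date), by department."""
    rows = conn.execute(
        f"SELECT * FROM recommendation WHERE status <> 'Closed' "
        f"AND {EFFECTIVE} < ? ORDER BY department, {EFFECTIVE}, id",
        (as_of,),
    )
    return [dict(r) for r in rows]


def certification_report(conn, audit_number):
    """Text the auditor sends to management for sign-off on one audit's recommendations."""
    rows = conn.execute(
        "SELECT * FROM recommendation WHERE audit_number = ? ORDER BY id", (audit_number,)
    ).fetchall()
    lines = [f"Certification of corrective action, audit {audit_number}"]
    for r in rows:
        lines.append(f"- Finding: {r['finding']}")
        lines.append(f"  Recommendation: {r['recommendation']}")
        lines.append(f"  Management response: {r['management_response']}")
        lines.append(f"  Target date: {r['revised_target_date'] or r['target_date']}  Status: {r['status']}")
    lines.append("Certified by: ______________________   Date: __________")
    return "\n".join(lines)


if __name__ == "__main__":
    db = build_db()
    for r in overdue(db, "2013-10-01"):
        print(r["department"], r["audit_number"], r["recommendation"],
              r["revised_target_date"] or r["target_date"])
    print(certification_report(db, "A-2013-01"))
```

The one design point worth noting is the COALESCE: once management misses the original date and a revised date is recorded, every report keys off the revised date, so an item never silently drops out of the monthly list, and it appears on the Board’s overdue report only after the revised date has also passed.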

Conclusion

While the level of follow-up work performed and the certification form process did not change, many other areas of the follow-up process did. The decision to require management to provide target completion dates for each audit finding and recommendation served as the catalyst for a revised follow-up process. It also served to raise the level of accountability among managers for their audit responses and the implementation of corrective action. The creation of the audit tracking database allowed for the automatic generation of reports to be used by the audit staff, the Office of the President and the CSU System Board of Governors. It also allowed for the creation of ad-hoc reports based on any of the data fields in the database. By keeping what worked from the old process and understanding what could be gained with the implementation of a database, the CSU System Internal Auditing office greatly improved its follow-up process.



HIPAA Breach Violations Now Come with Harsher Penalties By Sam Khan, Deputy Editor

Internal auditors can play a key role in ensuring that universities comply with the new Health Insurance Portability and Accountability Act (HIPAA) rules. For those universities that handle protected health information (PHI), noncompliance now comes with harsher penalties.

With the most recent modifications to the HIPAA rules, known as the final omnibus rule, now in effect, the government’s enforcement capability has been strengthened through more severe penalties for breaches of unsecured PHI. The final omnibus rule was issued in January 2013; however, enforcement did not begin until Sept. 23, 2013.

Leon Rodriguez, director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), stated in a press release, “The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.” He added that the changes “not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a healthcare provider or one of their business associates.”

The final rule extends many of the requirements directly to business associates of covered entities that receive PHI, such as contractors and subcontractors. With business associates now directly accountable for complying with the HIPAA Security Rule, Rodriguez expects that the money collected for HIPAA violations will increase significantly. Some of the largest breaches reported to HHS have involved business associates.

For many years HIPAA’s enforcement capability was considered weak, which resulted in few enforcement actions. It was not until 2006 that HHS issued the Enforcement Rule, which established civil monetary penalties for violating HIPAA rules and set the procedures for investigations and hearings. Later, in 2009, HHS implemented a section of the Health Information Technology for Economic and Clinical Health (HITECH) Act that requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured PHI.

About the Author

Sam Khan is the Deputy Editor of College & University Auditor. He works for the Oregon University System as a staff auditor. He has a Bachelor of Science Degree in Journalism from the University of Oregon and a Post-Baccalaureate Accounting Certificate from Oregon State University. He recently passed the Certified Information Systems Auditor exam. He can be reached at sam_khan@ous.edu

Under the original Enforcement Rule, before the HITECH Act changes that the 2013 final rule put into regulation, the maximum penalty was $100 per violation, with an aggregate cap of $25,000 per year for violations of the same requirement. To date, HHS has collected $15.3 million in HIPAA penalties and settlements. The final rule increases the civil penalties and adopts a tiered structure. Penalties are based on the level of culpability, with a cap of $1.5 million per calendar year for all violations of an identical provision. Penalties per violation range from:

• $100 to $50,000 – when the covered entity or business associate did not know of the violation and would not have known of it by exercising reasonable diligence.
• $1,000 to $50,000 – when the violation was due to reasonable cause and not to willful neglect.
• $10,000 to $50,000 – when the violation was due to willful neglect but was corrected within 30 days of discovery.
• At least $50,000 per violation, up to the $1.5 million annual cap – when the violation was due to willful neglect and was not corrected within the required time frame.
• If violations of more than one provision occur, total penalties in a year can exceed $1.5 million.


The final rule also strengthens the HITECH Act breach notification requirements by clarifying when breaches of unsecured health information must be reported to HHS. According to HHS, “Breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that PHI has been compromised.” Under the final rule, a breach is defined as “an acquisition, access, use or disclosure of PHI in a manner not permitted … [and] is presumed to be a breach, unless the covered entity can demonstrate that there is a low probability that the PHI has been compromised.” Note that the notification rule applies only to unsecured PHI: PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. This is why a stolen laptop whose disk was encrypted with a properly managed key is treated very differently from an unencrypted one.

To demonstrate a low probability that PHI has been compromised, a covered entity or business associate must perform a risk assessment that addresses at least the following four factors:

• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
• The unauthorized person who used the PHI or to whom the disclosure was made.
• Whether the PHI was actually acquired or viewed.
• The extent to which the risk to the PHI has been mitigated.

The Case at Idaho State

Failure to secure electronic protected health information (ePHI) can result from a variety of causes: a lack of encryption, failure to update HIPAA policies, failure to perform an annual risk assessment, or, as in the following case, a disabled firewall. In May 2013, HHS released settlement information in which Idaho State University (ISU) agreed to pay HHS $400,000 for HIPAA Security Rule violations. The settlement, which used the old penalty structure, involved the breach of unsecured ePHI of approximately 17,500 patients at ISU’s Pocatello Family Medicine Clinic. ISU operates 29 outpatient clinics and is responsible for providing health information technology systems security at those clinics. Between four and eight of those ISU clinics are subject to the HIPAA Privacy and Security Rules, including the clinic where the breach occurred.

OCR opened an investigation after ISU notified HHS of the breach, in which ePHI was unsecured for at least 10 months because firewall protections had been disabled on servers maintained by ISU. OCR’s investigation indicated that ISU’s risk analyses and assessments of its clinics were incomplete, inadequately identified potential risks or vulnerabilities, and failed to assess the likelihood of those risks occurring.

OCR concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures in place for routine review of its information systems, which could have detected the disabled firewall much sooner. “Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program,” said OCR Director Leon Rodriguez. “Proper security measures and policies help mitigate potential risk to patient information.” ISU agreed to a comprehensive corrective action plan to address the issues uncovered by the investigation and its failure to ensure uniform implementation of required HIPAA Security Rule protections at each of its covered clinics.
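The ISU finding turns on a control that is easy to automate: a routine check that host firewalls are still enforcing a default deny. As an added example that is not part of the article or of ISU’s corrective action plan, the Python script below parses the output of `iptables -S` (the Linux rule listing; Windows Firewall and nftables have different formats and would need their own parser) and classifies a host’s INPUT chain as protected or open. It also catches the ordering mistake where an unconditional ACCEPT rule precedes the deny, which leaves the chain open even with a DROP policy. The rule dumps are constructed for the example and were not captured from any real host.

```python
# Constructed samples of `iptables -S` output. Not captured from any real host.
HARDENED = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Default policy is ACCEPT, but an explicit catch-all REJECT closes the chain: still protected.
DENY_BY_RULE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# Default DROP policy, but someone inserted an unconditional ACCEPT at the top: open.
ACCEPT_BEFORE_DENY = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# What a flushed ruleset looks like: default ACCEPT and no rules, i.e. no firewall at all.
FLUSHED = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

DENY_TARGETS = {"DROP", "REJECT"}


def assess_input_chain(dump: str) -> dict:
    """Classify the INPUT chain of an `iptables -S` dump as 'protected' or 'open'.

    Protected means every packet not explicitly accepted is dropped or rejected,
    either by the chain policy or by a catch-all deny rule, and no unconditional
    ACCEPT rule short-circuits the chain before that deny.
    """
    policy = None
    rule_count = 0
    catch_all_deny = False
    accept_all = False
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "-P" and tokens[1] == "INPUT":
            policy = tokens[2]
        elif len(tokens) >= 2 and tokens[0] == "-A" and tokens[1] == "INPUT":
            rule_count += 1
            # A rule of the form `-A INPUT -j TARGET` has no match criteria, so it
            # applies to every packet that reaches it. For REJECT the only extra
            # tokens allowed are `--reject-with <type>`, which is not a match.
            target = tokens[3] if len(tokens) >= 4 and tokens[2] == "-j" else None
            unconditional = len(tokens) == 4 or (len(tokens) == 6 and tokens[4] == "--reject-with")
            if target == "ACCEPT" and unconditional and not catch_all_deny:
                accept_all = True          # everything after this line is dead
            elif target in DENY_TARGETS and unconditional and not accept_all:
                catch_all_deny = True
    protected = (policy in DENY_TARGETS or catch_all_deny) and not accept_all
    return {
        "policy": policy,
        "rule_count": rule_count,
        "catch_all_deny": catch_all_deny,
        "accept_all": accept_all,
        "verdict": "protected" if protected else "open",
    }


def review_hosts(dumps: dict) -> list:
    """Routine review: names of hosts whose INPUT chain is open, for follow-up."""
    return sorted(host for host, dump in dumps.items()
                  if assess_input_chain(dump)["verdict"] == "open")


if __name__ == "__main__":
    hosts = {"clinic-web": HARDENED, "clinic-db": FLUSHED, "clinic-app": ACCEPT_BEFORE_DENY}
    for host, dump in hosts.items():
        print(host, assess_input_chain(dump))
    print("needs follow-up:", review_hosts(hosts))
```

In practice the dumps would be collected by the configuration management or monitoring tool already in place and the check run on a schedule, with any host reported as open raised to the system owner the same day; a check like this is what turns “routine information system review” from a policy statement into evidence an auditor can sample.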



Breach Reports

HHS maintains a list of breaches of unsecured PHI affecting 500 or more individuals on its website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html. The full dataset can be downloaded and includes brief summaries of the breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches to HHS. The following university-related breaches were reported during 2013:

Covered Entity | Individuals Affected | Date of Breach | Type of Breach | Location | Date Reported
University of Michigan Health System | 3,999 | 11/14/2012 | Theft | Laptop | 1/17/2013
The University of Texas MD Anderson Cancer Center | 29,021 | 4/30/2012 | Theft | Laptop | 2/7/2013
University of Connecticut Health Center | 1,382 | 06/07/2010 – 12/07/2012 | Unauthorized Access/Disclosure | Network Server | 3/27/2013
The Brookdale University Hospital and Medical Center | 28,187 | 9/21/2012 | Unauthorized Access/Disclosure | Other Portable Electronic Device | 3/27/2013
The Brookdale University Hospital and Medical Center | 2,261 | 8/11/2012 | Unauthorized Access/Disclosure | Paper | 3/27/2013
Oregon Health & Science University | 1,076 | 2/22/2013 | Theft | Laptop | 4/23/2013
University of Florida | 14,519 | 03/01/2009 – 10/25/2012 | Theft, Unauthorized Access/Disclosure | Desktop Computer, Electronic Medical Record | 4/23/2013
Oregon Health & Science University | 1,114 | 2/22/2013 | Theft | Laptop | 4/23/2013
University of Mississippi Medical Center | 10,000 | 11/01/2012 – 01/19/2013 | Loss | Laptop | 4/23/2013
Indiana University Health Arnett | 10,350 | 4/9/2013 | Theft | Laptop | 5/17/2013
University of Florida | 5,875 | 02/01/2012 – 04/11/2013 | Theft, Unauthorized Access/Disclosure | Electronic Medical Record | 6/5/2013
University of Rochester Medical Center & Affiliates | 537 | 2/15/2013 | Loss | Other Portable Electronic Device | 6/5/2013
Louisiana State University Health Care Services Division | 6,994 | 12/1/2011 | Unauthorized Access/Disclosure | Desktop Computer | 8/9/2013

How does HIPAA Apply to University Clinics?

University hospitals have dedicated staff to adhere to all parts of the HIPAA rules, but that is not always the case with small university health clinics. The final omnibus rule has not changed the fact that some university health clinics do not need to comply with all parts of the HIPAA rules. An auditor should check with the institution's legal counsel to determine which rules apply. According to HHS, when a university provides healthcare to students in the normal course of business, such as through a health clinic, it is a “healthcare provider” as defined by HIPAA. If a university also conducts any covered transactions electronically in connection with that healthcare, it is then a covered entity under HIPAA. As a covered entity, the university must comply with the HIPAA Administrative Simplification Rules for Transactions, and also with code sets and identifiers with respect to its transactions.



However, many universities, even those that are HIPAA covered entities, are not required to comply with the HIPAA Privacy Rule because the only health records the university maintains are “education records” or “treatment records” of eligible students under the Family Educational Rights and Privacy Act (FERPA), both of which are excluded from the HIPAA definition of PHI. This FERPA exception applies to both the HIPAA Privacy Rule and the HIPAA Security Rule, because the Security Rule applies to a subset of the information covered by the Privacy Rule.

The Distinction between the HIPAA Privacy Rule and HIPAA Security Rule

According to HHS, the Privacy Rule establishes a national standard to protect individuals’ medical records and other PHI and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Privacy Rule requires appropriate safeguards to protect the privacy of PHI, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The Security Rule applies to a subset of the information covered by the Privacy Rule: PHI in electronic form (ePHI). It establishes a national standard to protect individuals’ ePHI that is created, received, used or maintained by a covered entity. The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical and physical safeguards for protecting ePHI. Specifically, covered entities must:

• Ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit;
• Identify and protect against reasonably anticipated threats to the security or integrity of the information;
• Protect against reasonably anticipated, impermissible uses or disclosures; and
• Ensure compliance by their workforce.


Auditors may want to review contracts with cloud service providers to ensure they meet the standards of the Security Rule. Under the final rule, a cloud provider that stores or processes ePHI on a covered entity’s behalf is a business associate and must have a business associate agreement in place. Recently, the Oregon Health & Science University (OHSU) notified 3,044 patients that their PHI had been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data.

Conclusion

In light of recent changes to HIPAA, internal auditors can play a key role in ensuring that their institution complies with the final omnibus rule. An auditor should consult the institution's legal counsel to determine how the rule changes might affect the institution and whether it is necessary to audit controls to ensure compliance.

Resources for Further Information

Federal Register, Vol. 78, No. 17, Friday, January 25, 2013, Part II, Department of Health and Human Services, Office of the Secretary, 45 CFR Parts 160 and 164: Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule. http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf

NIST Special Publication 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf



Security Review to the Rescue! By Kristie Newby, MBA, CFE

As internal auditors in higher education, our work focuses on a variety of organizational functions. In academics, we examine areas such as financial aid, scholarships and bursar operations. In research, we scrutinize things such as grant compliance, radiation safety and legal issues with animal and human interaction. In athletics, we inspect issues related to NCAA compliance, tickets, scholarships and camps. However, in auditing these areas, we may not be performing all due diligence in regard to the entirety of risks faced by these functions. Staff can overlook or fail to implement the key internal controls necessary to address security concerns, particularly in areas experiencing turnover.

So what can we do to ensure these controls are in place and operating appropriately, and providing the right kind of coverage to mitigate these risks? A security review is a proactive tool that examines current internal control structure in areas where cash is present and evaluates security concerns related to institution assets and employees. A security review can be performed in any department or auxiliary that receives payments, such as the bursar, food court, athletics ticket office or university veterinary clinic business office. What are the key components of a security review? A complete security review will involve examination of the following areas:

• Current policies and procedures
• Vault
• Key security
• Alarm systems
• Closed Circuit Television (CCTV) systems
• Cash drawers
• Over/Short policies and procedures
• Robbery preparations
• Segregation of duties
• General operations

About the Author

Kristie Newby, MBA, CFE, has more than 21 years of experience in financial accounting, senior level auditing in banking and higher education and federal government financial management. She may be contacted at kristie.newby@okstate.edu.

Current Policies and Procedures

When reviewing current policies and procedures, you should first ask management for a copy of its manual. Management should be able to provide access to these policies and procedures, and if the department lacks these materials, it should understand the associated risks. After familiarizing yourself with the official departmental policies and procedures, evaluate them for common sense and consistency. Make notes during your reading for further questions during interviews and list any risks that are created by existing policies and procedures or risks that are not adequately addressed.

Key Personnel Interviews

After reading the policies and procedures manual, it is time to perform interviews. Be sure that key personnel are interviewed separately. Doing so encourages these individuals to provide information more easily, as the presence of management can affect an individual’s willingness to speak freely. Key personnel to be interviewed include the department head,



head cashier and other departmental staff as appropriate, including newly hired personnel. New staff members may be able to ask interesting questions about why a procedure is performed in a certain manner, while long-tenured personnel may be in the habit of doing what has always been done.

When you interview personnel, attempt to put the individual at ease by explaining at the beginning of each interview that you are there to help. Ask them to describe their duties using open-ended questions, such as, “How does this process work?” Do not interrupt them during their answers, but be sure to take notes for follow-up questions. Ask if they have any questions or concerns about how the department operates. Inquire as to what they might change if they were in charge.

Once they have finished speaking, clarify any statements that appear to conflict with the department’s official policies and procedures to determine how operations are actually performed. Summarize each interview in a written memo with specific details and document your understanding of general departmental operations from all interviews in a separate working paper.

Vault

A physical walk-through of the department will help identify additional risk areas. The first area to examine, if present, is the vault. Observe the vault’s physical location. Is it at the front of the operational area, in view of customers? Is it in a location where most departmental staff work, or otherwise accessible? The vault should be in a secure location out of the public eye and in an area where only authorized personnel are allowed. Next, observe the vault’s locking mechanism. Strong vault security can be accomplished with a key/combination lock, as it provides dual control with minimal effort, assuming that the key and combination are maintained separately (that is, generally, no one individual should have possession of both the key and the combination). If a combination is utilized, ask when it was last changed. The combination should always be changed following the separation of any employee who had knowledge of the combination. Ask when the vault is counted and by whom. It should be counted at least daily in the presence of at least two employees. Inquire as to how the vault count is documented, and how count forms are maintained. Counts should be documented on a count sheet, signed by both staff members present for the count, and kept in a secure location, preferably for six months. Ensure that surprise vault counts are performed, by someone without vault access, on a regular basis.
Finally, perform a vault cash count in the presence of departmental personnel, compare to the expected balance and evaluate the amount of cash being held in the vault in comparison to the department’s cash flow needs.

Key Security

Another important area to examine is key security. As you walk through the department, inquire about the location of keys to the office and cabinets containing sensitive information. Is a key box utilized? Keep in mind during this part of the review that appropriate key security may be different for each department/location and can possibly be accomplished without a key box, but that poor key security can result in quick losses with no clear suspect. As an example, at a financial institution I audited, a head teller lost her keys to the bank but failed to report this out of concern for her job security. A week later, the branch’s ATM was completely emptied of its contents, and $130,000 was lost with no forced entry to the building or the ATM. An inside job was suspected because the branch’s CCTV tape was taken from the manager’s office during the theft, but this was never verified due to a lack of evidence.

Alarm System

An alarm system is not always necessary, but during the walk-through, talk to management about the necessity and/or feasibility of one. If one is already present, ask who has the access code, and whether it is different for each staff member. Inquire if and how often the system is tested to ensure functionality. It is prudent to test the alarm system at least once per month. Ask departmental personnel to perform a test to demonstrate the working status of the alarm system.


Closed Circuit Television

Just as with alarm systems, CCTV systems are not always necessary, but may be appropriate for some cash handling areas. Discuss the need for and feasibility of a CCTV system with management. If such a system is present, ensure the system is working and that its images are of high quality. Evaluate the area’s physical structure to see if the number of cameras and their placement effectively capture relevant activity. If the department manager does not already have a dedicated monitor with active images, determine whether such a monitor would be appropriate. Inquire as to how the images are saved, and for what length of time. It is best to have images saved for at least three months and maintained out of physical proximity to the CCTV system so that they are not altered, erased or stolen, as in my earlier example. It is also recommended that images from the CCTV system are transmitted to the campus police department, who can actively monitor the activity.

Cash Drawers

If the department accepts cash payments, it most likely will have cash drawers. During the walk-through, determine how the cash drawers are secured overnight and who has access to them. I always recommend cash drawers have locking lids, with the keys given only to the corresponding cashier and management. Ask when cash drawer counts are performed and by whom. They should be performed at least daily and in the presence of at least two employees. Inquire how the counts are documented, and how the count forms are maintained. Cash counts should all be documented on a count sheet, and kept for at least six months. Just as with a vault, be sure that someone without cash drawer access performs a surprise cash drawer count on a regular basis.
Finally, perform an unannounced cash count of the drawers in the presence of departmental personnel, compare to expected balances, and evaluate the appropriateness of the cash drawer limit in comparison to anticipated cash flow needs.

Over/Short Policies and Procedures

As you perform your walk-through, ask cashiers what they do if their drawer is over/short at end of day. I’ve interviewed cashiers who tell me that if they are over or short by a small amount (usually a dollar or less), they will simply add or remove funds to balance their drawer! Ask whether they document overages/shortages on a form or log. Are the overages/shortages tracked by teller? Ask management if they monitor overages/shortages to determine potential trends. The use of these logs can help management determine the need for additional cashier training, or possible mishandling of funds.
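To show what trend monitoring of over/short logs can look like, here is an added example in Python that is not from the article or from any institution’s system. It reads a constructed daily over/short log, totals the variance per cashier, and flags two patterns worth a follow-up question: a cashier who is repeatedly short, and one whose drawer never varies at all, which, given the self-balancing habit described above, can mean variances are being corrected rather than reported. The thresholds are illustrative assumptions.

```python
import csv
from decimal import Decimal
from io import StringIO

# Constructed over/short log, one line per cashier per day. Not real data.
LOG = """\
date,cashier,expected,counted
2013-09-03,alice,1250.00,1249.50
2013-09-03,bob,980.00,980.00
2013-09-03,carol,1100.00,1097.00
2013-09-04,alice,1300.00,1300.25
2013-09-04,bob,1010.00,1010.00
2013-09-04,carol,1180.00,1175.00
2013-09-05,alice,1210.00,1210.00
2013-09-05,bob,995.00,995.00
2013-09-05,carol,1050.00,1047.50
2013-09-06,alice,1275.00,1274.00
2013-09-06,bob,1000.00,1000.00
2013-09-06,carol,1120.00,1116.00
"""


def summarize(log_text):
    """Per-cashier totals: days logged, net variance, and how many days were short, over or exact."""
    summary = {}
    for row in csv.DictReader(StringIO(log_text)):
        # Decimal, not float: cash amounts must add up to the cent.
        variance = Decimal(row["counted"]) - Decimal(row["expected"])
        s = summary.setdefault(row["cashier"],
                               {"days": 0, "net": Decimal("0.00"), "short": 0, "over": 0, "exact": 0})
        s["days"] += 1
        s["net"] += variance
        if variance < 0:
            s["short"] += 1
        elif variance > 0:
            s["over"] += 1
        else:
            s["exact"] += 1
    return summary


def flag_cashiers(summary, min_days=4, short_ratio=Decimal("0.75"), net_short_limit=Decimal("-10.00")):
    """Return {cashier: [reasons]} for cashiers whose pattern warrants a follow-up question.

    Thresholds are illustrative. 'repeated_shortage': short on most days and the net
    shortage exceeds the limit. 'never_varies': exact balance every single day, which
    in a busy drawer can mean variances are being corrected rather than reported.
    """
    flags = {}
    for cashier, s in summary.items():
        if s["days"] < min_days:
            continue                      # too little history to call a trend
        reasons = []
        if s["short"] >= short_ratio * s["days"] and s["net"] <= net_short_limit:
            reasons.append("repeated_shortage")
        if s["exact"] == s["days"]:
            reasons.append("never_varies")
        if reasons:
            flags[cashier] = reasons
    return flags


if __name__ == "__main__":
    totals = summarize(LOG)
    for name, s in sorted(totals.items()):
        print(f"{name:6} days={s['days']} net={s['net']:+} short={s['short']} over={s['over']} exact={s['exact']}")
    print("follow up:", flag_cashiers(totals))
```

Neither flag is proof of anything; a cashier with a quiet drawer may simply be careful. The point is that the log only has value if someone reads it with a question in mind, and a few lines like these turn a filing exercise into the trend review the text asks management to perform.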

Robbery Preparations

Although departments are not banks, we should not neglect consideration of the risks of robbery. As internal auditors, we should encourage university management to perform the due diligence necessary to protect the institution’s employees. Does the department have height markers? Are they strategically placed and at the proper height? I know that checking for proper height placement sounds absurd, but during one audit, I discovered that I was 6 feet 11 inches tall, despite measuring 5 feet 7 inches on a normal day! Height markers are only an effective tool when they are accurate.

Does the department have panic buttons? Panic buttons can be important, as they can be used not only in the event of a robbery, but also in any event during which an employee wishes to contact the police with a non-audible alert. Does the department have a plan detailing assigned duties for each staff member in the event of a robbery? Having such a plan with forms and pre-assigned duties can assist in panic situations, as staff members have clear direction on what they should do. Does management perform robbery training on a consistent basis? Depending on the department, such training should be provided at least quarterly, as frequent training helps employees learn and display consistent, informed behavior in the event of a robbery.

Segregation of Duties

During the walk-through, listen for any possible issues related to a lack of segregation of duties. Many staff members want to structure their operations in a way that provides such controls, but just don’t know how. You may discover the opportunity to provide such guidance.


General Procedures

As you perform the security review, remember that you should not expect the department to mirror every other department in regard to security and internal controls. Each department has its own operational processes and related needs. For example, some departments will have night drop boxes, while others don’t. It is crucial that you tailor your security review to departmental operations.

Although our work often focuses on other areas and risks, it is important to consider the basic security needs of those departments that handle cash as part of their normal business activities. When performed properly, a security review fosters a win-win environment in all areas of higher education. It serves as a proactive step in deterring fraud, creates a partnership between internal audit and management, strengthens relationships and enhances rapport, helps initiate a different mind-set in departmental personnel and protects university assets and staff members.

Reason says: hire a jack of all trades. Instinct says: choose a master of one. GRANT THORNTON IS PROUD TO SPONSOR THE ACUA 2013 ANNUAL CONFERENCE At Grant Thornton, our higher education professionals work extensively with institutions just like yours. That total focus gives them deep experience to help their clients grow in their ability to succeed in their missions. See how they do it at GrantThornton.com/HigherEd.

Grant Thornton refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd.


