Page 1

I V o l u m e 5 5 I N u m b e r 2 I S UMMER 2 0 1 3 I


ACUA Members Out and About The Control Environment – Reviewing Organizational Infrastructure and Reporting Lines Techniques for Auditing Reputation Controls Part II: Steps Toward Preventive Reputation Risk Management The Key Element of Leadership What the Internal Revenue Service Discovered – And What You Can Do About It

! r o t i d u A e h t o t Power Fight Fraud and Protect Revenues! Import data faster than a speeding bullet. Analyze thousands of records in a single pass. IDEA® empowers you to conduct more efficient and effective audits ... almost like you’ve acquired superpowers. 2013 Strategic Partners Providing ACUA Members with Exclusive Benefits, Resources and Discounts • Preferred Pricing • Hands-on Training at the Mid Year Conference • Live Online Demonstrations

Contact us to see IDEA in action. 888.641.2800 • College & University Auditor

S U M M E R 2 013


ACUA members are invited to submit letters and original articles to the editor. Go to and click on the Resources – College & University Auditor Journal for further guidelines. Please send your copy electronically to the editor or ACUA in Word 95 (or higher) or text file format. The editor reserves the right to reject, abridge or modify any advertising, editorial or other material.


2 3 4

From the Editor Editor

To the Editor

From the President­



ACUA Members Out and About By Betsy Bowers and Patricia Snopkowski


The Control Environment Reviewing Organizational Infrastructure and Reporting Lines By Catherine Finamore Henry


Techniques for Auditing Reputation Controls Part II: Steps Toward Preventive Reputation Risk Management By Dr. Bradley W. Brooks, Joe Oringel and Ken Ramaley


The Key Element of Leadership By Marcus Stanley


What the Internal Revenue Service Discovered – And What You Can Do About It By Steve Hoffman

College & University Auditor is the official publication of the Association of College & University Auditors. It is published three times a year as a benefit of membership. Articles in College & University Auditor represent the opinions of the authors and do not necessarily represent the opinions of governance, members or the staff of the Association of College & University Auditors. Acceptance of advertising does not imply endorsement by ACUA. ©2013 Association of College & University Auditors. Send address changes to:

ACUA PO Box 14306 Lenexa, KS 66285-4306

1 College & University Auditor

Clarice Maseberg, Wichita State University 316-978-5824 Deputy Editor

Sam Khan, Oregon University System Editing Staff

Amy Hughes, Michigan Tech David Dixon, Governors State University Mary Ann Mackenzie, Auburn University Michael Foxman, University System of Georgia Sterling Roth, Georgia State University ACUA Management

Stephanie Newman, Executive Director

Letter FROM The Editor By Clarice Maseberg, CPA, CIA Editor

In my three years as an internal auditor at Wichita State University, I’ve been surprised by the diversity of issues auditors face on a day-to-day basis. To borrow a phrase I heard during a recent Institute of Internal Auditors webinar, internal auditors are expected to be “expert generalists,” with a little knowledge about a multitude of topics. The assortment of articles presented here further highlights that fact. This issue is full of insightful articles on a wide range of subjects, with both valuable information and suggestions for putting what you learn in practice at your institution. “UBIT Report Released: What the Internal Revenue Service Discovered and What You Can Do About It,” by Steve Hoffman, details the results of the IRS’ College and University Compliance Project on unrelated business income, what was discovered and how this might affect your college or university. In “The Key Element,” Marcus Stanley offers suggestions This issue is full of insightful on increasing employee morale and motivation. “The Control Environment: articles on a wide range Reviewing Organizational Infrastructure and Reporting Lines,” by Catherine Finamore Henry, discusses key factors for conducting these reviews. of subjects, with both valuable information and suggestions for putting what you learn in practice at your institution.

This issue also features a continuation of Dr. Bradley Brooks, Joe Oringel and Ken Ramaley’s article from the spring issue, “Techniques for Auditing Reputation Controls.” In part one, “Fundamental Sources of Reputation Risk,” they discussed how to measure reputation and quantify reputation risk. Now, in part two, “Steps toward Preventive Reputation Risk Management,” they outline a step-by-step approach to managing reputation risk.

“ACUA Members Out and About,” by Patricia Snopkowski and Betsy Bowers, provides updates on recent presentations by fellow ACUA members at both the Association of Governing Boards National Conference on Trusteeship Participation and the Society of Corporate Compliance and Ethics Higher Education Conference, as well as participation in an NCAA focus group on improving athletic department financial reporting. This issue of the journal couldn’t have been produced without many volunteers, including the authors themselves, and the editing staff, who do so much behind-the-scenes work. I’m grateful for all their invaluable assistance. I especially want to thank Doug Hawks, the previous editor, for all his support during the transition. I would also like to introduce the journal’s new deputy editor, Sam Khan, at the Oregon University System, which he recently joined in February. Previously he worked in the areas of business process improvement and information security at Oregon State University. Sam has many great ideas for the future of the journal, and I look forward to working with him to make the journal even better. I’m excited to be serving as editor and I welcome your feedback. Please feel free to email or call me (, 316-978-5824) with your suggestions or comments. I am especially interested in hearing about any topics you would like to see covered in future issues of the journal. Letters to the editor are always appreciated. Sam or I would very much like to hear from you if you have any interest in writing an article, or even a series of articles. Please don’t hesitate to contact us, even just to ask for more information. Your contributions are what make the journal possible! n

2 College & University Auditor

Letter to The Editor

Someone forwarded me the last ACUA magazine and I enjoyed reading the memories of some of the members. They brought back a flood of my memories of past ACUA conferences and midyear seminars. I was the Director of IA at UNC-Chapel Hill from 1981-1994. I was introduced to ACUA by Preston Bethea, the former Director at NC State University, who told me it was a good group to be involved with, a true understatement! ACUA has always set itself apart from other professional organizations I know of. Folks always willing to help their colleagues, sharing experiences, audit programs, their beer, etc. ... I made a lot of really close friends, many of whom I still communicate with almost daily. ACUA has always set itself apart from other professional organizations I know of.

The fun we had after the sessions is legendary, but we did attend the next day sessions, as Mary Lee Brown stated. I trust that the current ACUA members will continue the tradition of helping their university auditor colleagues. Do not forget that each of you have a skill or ability that can help someone. As someone told me years ago ...“sharing is caring ...� Best to you & all ACUAites.

Eddie Capel (part-time beach bum) n

3 College & University Auditor

Letter From The President By Phillip W. Hurd, CISSP, CISA President

As President I get to see the unique perspective that helping out in a volunteer organization gives. It hasn’t always been that way, though. When I joined the military in the late '80s, one of the first things I was told by the other recruits was, “Don’t volunteer for anything.” I heard this message repeated over and over. One day a drill sergeant named Jewell told me that volunteering was the quickest and best way to promotions and opportunity. I trusted him because he seemed to know what he was talking about and I had quickly figured out that everybody else around me, most of whom were 18 or 19, were as clueless to the keys of success as I was. I changed my attitude and started volunteering for everything I thought I could reasonably do and a few things I was pretty sure I couldn’t. I pulled a lot of KP duty, some janitorial duties, and some other unpleasant duties. A few months into my tenure I was assigned to orderly duty (essentially an assistant to the unit commander) by the commander of our company. He assigned me because he knew me from always seeing me in the action, a direct result of my volunteering. One day I overheard the commander talking to a senior non-commissioned officer about the military’s promotion strategy. The commander was particularly concerned that some younger enlisted soldiers didn’t understand that they “promoted I get to see the unique themselves” through the manipulation of the point scale. I listened intently while I did perspective that helping out my duties. Later, the commander stopped by on his way out and I mentioned overhearing in a volunteer organization the conversation. He gave me a few words of advice that changed my life. I made the rank of sergeant faster than anyone else in my entire Military Occupational Specialty gives. (MOS) and all because I volunteered. I kept volunteering when I was in the service and when I got out. I had my pick of opportunities and many privileges because of the places that volunteering took me. When I started at Georgia Tech I did the same with ACUA that I had done in the military. I started as a proctor, became a track coordinator, speaker, presenter, committee chairs, board member and now I am President. If I had one hundred pages to write this on I still wouldn’t be able to cover the tremendous impact that volunteering has had on my life. What fascinates me about some folks I see entering the audit field is they constantly ask the question, “What do I get out of it?” “If I don’t get paid…,” or “If I don’t get some direct very tangible benefit right then…,” then their attitude seems to be, “I won’t do it.” The reason I described my first experiences with volunteering is to illustrate the point that tangible benefits may not be there on every volunteer assignment that comes around. My conversation with my first long-term commander was about 10 times removed from the volunteer activity that resulted in an accelerated promotion strategy. What’s my ACUA volunteering done for me? What opportunities has it opened up? It certainly didn’t hurt to tell Georgia Tech I was on the board of an international professional association when I was bidding for the CAE job. When I started speaking professionally, the years of practice in preparation for teaching, speaking and dealing with speakers for ACUA made the journey far easier. The list could go on and on. The point I am making is this: If you haven’t volunteered for something in ACUA and you have wanted to … GO AHEAD AND DO IT. It will affect your life for the better in ways you many not even be able to see now. For those of you who are curious as to what that commander said to me so long ago, I will share it with you. Before I do, though, I must tell you it is profound. I have to point that out because I have found that in my writing and speaking sometimes my audiences miss my “profound statements.” My commander shared with me a few wise words, a philosophy if you will. He looked at me that night so long ago and said, “Private Hurd, in my experience, whatever you do to or for another will come back to you greatly multiplied – whether it is good or bad.” Now that is profound. Will you consider volunteering for ACUA? May the twelve great riches of life be with you. n

4 College & University Auditor

5 College & University Auditor

ACUA Members Out and About By Betsy Bowers, CIA, CFE, CGFM, CIG, CRMA and Patricia Snopkowski, CPA, CIA

The Association of Governing Boards National Conference on Trusteeship Participation This past April, two ACUA members were invited to be part of the AGB national conference by holding morning Idea Exchanges. Our members teamed with Baker Tilly, a proven ACUA supporter. The sessions held were: • Enterprise Risk Management, led by Michael Somich, Executive Director of Internal Audits,

Duke University and Raina Rose Tagle, Partner, Baker Tilly. • How Trustees Can Leverage Internal Audit to Gain Assurance, led by Patricia Snopkowski,

Chief Audit Executive, Oregon University System and Kimberly Ginn, Principal, Baker Tilly. This was the first time ACUA members were invited to this important event. Mike, Patti, Raina and Kim interacted with trustees from all over the country noting the importance of internal audit in higher education.

About the AuthorS

Betsy Bowers, CIA, CFE, CGFM, CIG, CRMA is the Associate Vice President for Internal Auditing & Management Consulting at the University of West Florida (UWF), where she has directed internal auditing since 1993. She is also an adjunct professor at UWF, teaching an upper-division course on White Collar Crime. Ms. Bowers is a past national president of the Association of College & University Auditors (ACUA), past editor for the ACUA College & University Auditor journal, and coordinator for ACUA Faculty. She is on the Board of Directors for the Northwest Florida Institute of Internal Auditors and the Northwest Florida Association of Certified Fraud Examiners. Patricia A. Snopkowski “Patti”, CPA, CIA has been the Chief Audit Executive for the Oregon University System (OUS) Internal Audit Division since 2000. The Division serves the seven public universities of the Oregon University System. Prior to joining OUS, Patti held various audit positions with the Pennsylvania Auditor General’s Office, SAFECO Corporation, the University of Washington, and Cornell University.

NCAA Focus Group Participation In March, Clint Hangebrauck, Associate Director of Internal Audit at NCAA, invited ACUA to participate in a national focus group that examined ways to improve athletic department financial reporting. The focus group was made up of external audit partners, university vice presidents for finance and administration, athletics directors, conference leaders, and athletics finance officers. Patti Snopkowski led the effort to gather and present ACUA member feedback to the group. Several improvements to Several improvements reporting will be announced as a result of the focus group’s work. to reporting will be ACUA’s feedback was highly regarded. As a result, Clint will be convening a future ACUA focus group to discuss how to improve announced as a result of current agreed-upon procedures for Division I and II universities that the focus group’s work. will provide greater value to the institutions. Society of Corporate Compliance and Ethics (SCCE) – Higher Education Conference ACUA Faculty member Michael Somich, Duke University; ACUA member Sheryl Vacca, University of California; and retired ACUA member Charles Chaffin, University of Texas System, served on a panel at the kickoff general session for the Higher Education Conference in June 2013 in Austin, Texas. With moderator Dr. Urton Anderson, the panel discussed “Shooting the Messengers: A Survival Guide for Audit and Compliance in Higher Education.” ACUA Faculty member Ransom McClung was also a presenter at the SCCE Conference on the topic “What to Do if You Suspect a Fraud in Your Office.” Other ACUA members presenting at this conference were: • Luanna Putney, University of California, on the topic “Matching and Mismatching Metrics

for Meaning,” • David Galloway, Brigham Young University, on the topic “Integrating Audit, Compliance,

Risk Management & Legal,” • Steven Tremaglio, Northwestern University, on the topic “Compliance Program Assessments

in Higher Education: How They Add Value,” and • Mark Phillips, Duke Medicine, on the topic “FISMA Compliance in Higher Education.”  n 6 College & University Auditor

The Control Environment

Reviewing Organizational Infrastructure and Reporting Lines By Catherine Finamore Henry, MBA, CIA, CRMA, CCEP, CIPP/US


overnance is the combination of processes and structures implemented by the board to inform, direct, manage and monitor the activities of the organization toward the achievement of objectives.1 An organization’s governance or control environment infrastructure is comprised of various functions such as risk management, internal audit, compliance and ethics, legal and quality. In some organizations, these functions operate as separate departments. In other organizations, these functions operate under a variety of possible permutations resulting from chance, strategic design, budget cuts, politics, and/or power struggles. Below are four key factors to consider in providing assurance over management’s efforts to establish the control environment infrastructure and reporting lines. 1. Understand the Distinctions and Avoid Conflicts of Interest Although interconnected, each function is a distinct discipline requiring specialized education, training, licenses and/or certifications. An infrastructure of interconnected yet distinct disciplines strengthens the control environment by providing checks and A consolidated or hierarchical balances that prevent corruption, minimize conflicts of interest, and prevent any individual or group from becoming too powerful. relationship between internal audit and risk management

According to the Ethics Resource Center’s 2011 National Business Ethics Survey (NBES),, from 2009 to 2011, the is an example of an percentage of employees who perceived pressure to compromise standards in order infrastructure-imposed conflict to do their jobs climbed from eight percent to 13 percent; and the share of companies with weak ethics cultures climbed from 35 percent to 42 percent. An of interest. NBES recommended action step is to help senior executives set the proper tone at the top – a daunting task if conflicts of interest or other control weaknesses are inherent in the control environment infrastructure and reporting lines. A consolidated or hierarchical relationship between internal audit and risk management is an example of an infrastructure-imposed conflict of interest. Such an arrangement weakens governance by impairing internal audit’s objectivity and independence. This example continues through the remainder of this article.

About the Author

Catherine Finamore Henry, MBA, CIA, CRMA, CCEP, CIPP/US President of Finamore Associates, LLC, specializes in risk management; compliance and ethics; internal audit; information privacy; training; and business processes, policies and procedures.

2. Follow Globally Accepted Guidance The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) provides mandatory and strongly recommended guidance for the global internal audit profession. Notably, the IIA’s standard- and guidance-setting processes are overseen by an independent IPPF Oversight Council which includes the following: • International Federation of Accountants (IFAC), • International Organization of Supreme Audit Institutions (INTOSAI), • National Association of Corporate Directors (NACD), • Organization for Economic Co-operation and Development (OECD), • Committee of Sponsoring Organizations of the Treadway Commission (COSO), and • The World Bank. (continued on page 8) 7 College & University Auditor

Guidance that conflicts with the notion of consolidated or hierarchical internal audit and risk management functions can be found in the following IPPF documents: • Code of Ethics • Standard 1100: Independence and Objectivity • Standard 1130: Impairment to Independence and Objectivity • Practice Advisory: 1130.A.2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions • Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management • Position Paper: The Three Lines of Defense in Effective Risk Management and Control 3. Follow Industry Guidance United States regulatory agencies also provide guidance on infrastructure. For example, the Office of the Comptroller of the Currency guidance, comptrollers-handbook/2003AuditHB.pdf, emphasizes the requirement for auditor independence and objectivity, and specifies that the IIA’s standards have been adopted for certified bank auditors. Similarly, the Office of Inspector General, Department of Health and Human Services guidance emphasizes the need for audit personnel to be independent.2 4. Have Courage If an examination of the control environment infrastructure and reporting lines points to needed changes, be prepared for possible resistance from the executive team. If, after examining control environment infrastructure and reporting lines, the board supports a deviation from globally accepted and/or industry specific guidance, be sure to document the rationale and management’s acceptance of related risks. Corrective action, such as the development of mitigating controls, may be required. Compromised control environment infrastructure and reporting lines will work until they don’t, i.e., until they are stressed by a risk event. At that time, investors, investigators and other stakeholders will expect If an examination of the control an explanation. Both management and the board will need the courage of their conenvironment infrastructure victions. and reporting lines points to

This article looked at one example of infrastructure/reporting line weakness in the control environment. It is an especially poignant example that may surface as the result of an internal audit department’s quality assurance review or an external audit. for possible resistance from the Other examples include, but are not limited to, consolidated or hierarchical relationships between: executive team. • internal audit and compliance and ethics, • legal and compliance and ethics, and • risk management and compliance and ethics. n needed changes, be prepared

__________________________ 1. International Standards for the Professional Practice of Internal Auditing (c) 2012 The Institute of Internal Auditors. 2. Supplemental Compliance Program Guidance for Hospitals, Federal Register/Vol. 70, No. 19/Monday, January 31, 2005/ Notices p.4875.

8 College & University Auditor

College and university professors preparing tomorrow’s professionals in the dynamic and rapidly growing internal audit arena should take this opportunity to arm their students with the most up-to-date, relevant, and applicable information to be competitive in this growing and lucrative profession. Written through the collaboration of educators and practitioners and published by The IIA Research Foundation, this textbook serves as a cornerstone for your internal audit education program.

Instructors interested in ordering a desk copy may contact The IIA Research Foundation Bookstore by email at Requests are limited to one per instructor and two per institution.


130828 RF-Txtbook Ad-College and University Auditor_FNL.indd 1

9 College & University Auditor

6/17/13 2:29 PM

Techniques for Auditing Reputation Controls

Part II: Steps Toward Preventive Reputation Risk Management By Dr. Bradley W. Brooks, Joe Oringel, CIA, CPA, and Ken Ramaley, CIA

Boosters Probed in Athletic Recruiting Scandal 125 Students Identified in Cheating Scandal National Science Foundation Announces Special Investigation into Grant Fraud Resume “Errors” Cause University Official to Withdraw Nomination About the AuthorS

Dr. Bradley W. Brooks (left) is tenured Professor of Marketing, McColl Business School, Queens University of Charlotte. He may be contacted at: Joe Oringel, CIA, CPA, (right) is a Managing Director at Visual Risk IQ, an advisory firm specializing in data analytics, visual reporting and continuous auditing. Joe will be presenting at the 2013 ACUA Conference in Norfolk with a session titled “Let’s Get Rolling with Data Analytics and Continuous Auditing.” This session will include a mock audit planning meeting where attendees will jointly plan an audit of one or more business processes specific to Higher Education. He may be contacted at:

Ken Ramaley, CIA, is Managing Director of Ramaley Group, a management consulting firm specializing in reputation risk management. He may be contacted at:

Beloved Professor Admits to Plagiarism, Exaggerated Research Claims


eadlines such as these are so common today that no university can possibly be immune. With such seemingly isolated incidents being so prevalent, is there anything an institution can do except hope it will get through another year without being in the news for the wrong reason? The rise of social media and shortening of the news cycle serve to ensure that previously localized events become broadly disseminated with correspondingly broad reputation impacts. Consequently, a proactive approach to managing reputation risk is needed. In Part I of this series1 we identified methods for quantifying reputation risk and its sources. These methods provide reputation risk measures which are best assessed against consistent standards. A thorough understanding of the evolution of reputation risk is helpful in determining these standards and in developing a proactive, preventive approach to reputation risk events. Traditional risk responses of risk avoidance, risk acceptance, risk transfer and risk mitigation all have their place in helping manage reputation risk. This article focuses primarily on risk mitigation as an activity that higher education internal audit teams can help facilitate, though other techniques may also be appropriate. The first key to preventive reputation risk management is an acknowledgement that idiosyncratic, reputation-damaging events are not merely likely – they are nearly certain. In light of that expectation, proactive internal audit departments must hold leaders accountable for implementing controls to mitigate opportunities for damage created by such events. As we identified in Part I, the most significant reputation risks occur when the gap between reality and perceived reality is greatest. The best way to diminish this gap is to have a keen sense of an institution’s reality, and an understanding of what kinds of external events (like the headlines above) could change your stakeholders’ perceptions of the institution’s reputation. Once more aware of the possibilities, campus leaders can proactively prepare communications and actions to realign perception with reality rapidly when such a negative unexpected event occurs. Techniques such as brainstorming, scenario analysis and incident response are critical for understanding possible negative influences on perception and for deriving appropriate responses before the heat of the moment. Reputation-aware internal auditing activities (continued on page 11) 10 College & University Auditor

Good news: The tools for managing reputation risk are the tools that internal audit professionals bring to most any assurance or advisory engagement.

benefit by aiding in the adoption of these and other techniques as part of a comprehensive reputation risk management strategy by university leadership. Tools for Managing Reputation Risk Good news: The tools for managing reputation risk are the tools that internal audit professionals bring to most any assurance or advisory engagement. As a profession, internal auditors are particularly skilled in risk assessment, facilitation and documentation, and these skills support effective implementation of the tools and techniques identified below.

In consultation with the appropriate university administrators, internal auditors in higher education should formally identify the appropriate standards for reputation measurement before conducting a reputation risk audit. This can be accomplished by identifying stakeholders (e.g., alumni, donors, faculty, peers, students) and reviewing expectations that drive the school’s reputation, as described in Part 1 of this article. Understanding both the present and the historical context is helpful in this process. Step 1: Brainstorming Reputation Risk Scenarios In conducting a reputation risk audit, the first step is to brainstorm events that could adversely affect an institution’s reputation among its key stakeholders. Output from a brainstorming session will be a set of scenarios that might warrant further discussion, scenario planning and development of incident response procedures. These scenarios should include a wide array of campus functions and activities, not just academics. Consider recent examples of reputation damage and its consequences that originated in academic areas, athletic areas, and other areas. • In 2012, George Washington University lost its spot among U.S. News & World Report top rankings after

acknowledging it had misreported statistics that affected its academic perceptions for several years. Such rankings can affect student, employer and donor decisions.2 • Rutgers University saw high-profile university leaders leave in disgrace during 2013 after the men’s basketball

coach was found using offensive language and verbally abusing players. The replacement basketball coach was incorrectly introduced as a graduate of the university and has enrolled in the school to complete his bachelor’s degree while remaining head basketball coach. Additionally, the school’s new athletic director has been a polarizing figure due to issues from her past. Athletic donors immediately began reconsidering donations to the program. During a time when Rutgers was attempting to raise capital as the university was merging with the state’s medical school, Moody’s Investor Service subsequently downgraded Rutgers’ credit rating.3 • In 2012, students at McGill University in Canada went on strike in response to tuition increases enacted by

the Quebec Province government. The Times Higher Education World Reputation Rankings dropped McGill University from a tie for 25th place in 2012 (worldwide) into a tie for 31st place. Although such a ranking is still high, it could affect stakeholder decisions going forward.4 • The University of North Carolina spent more than $500,000 for public relations assistance during the last

two years, as a result of a long-running academic fraud scandal that prompted the resignation of Chancellor Holden Tharp and firing of football coach Butch Davis.5 This brainstorming can begin within an internal audit department but should eventually involve campus leadership from both line and staff roles. Starting the brainstorming within internal audit has the benefit of generating some initial scenarios specific to higher education, as well as rehearsal of the facilitation process in preparation for a similar activity with a broader set of an institution’s stakeholders. It is common for several

As with other types of brainstorming, the purpose of the brainstorming session is not to determine a solution but simply to identify potential scenarios that might require scenarios to be selected for further consideration during scenario planning and developing an incident response further action as a result of the decision tree. It is common for several scenarios to be selected for further action as a result of the brainstorming session. The potential adverse reputation risk events identibrainstorming session. fied during brainstorming commonly brings reactions such as “How should we respond?” or “If we did ______, how would that affect us? Why?” Formally measuring the likelihood and/or severity of a scenario should not be part of brainstorming; however, general evaluations of these measures should (continued on page 12) 11 College & University Auditor

Although internal audit can generate interesting scenarios, it is important for the brainstorming activities to involve a cross-section of executive leadership from a variety of staff and line functions.

be a subsequent activity as explained below. Although internal audit can generate interesting scenarios, it is important for the brainstorming activities to involve a cross-section of executive leadership from a variety of staff and line functions. Step 2: Prioritizing and Ranking The next step requires prioritizing and ranking scenarios that could have adverse effects on the institution’s reputation risk. Identifying the most significant risks is critical in determining action steps and in prioritizing limited resources for managing specific risks. Effective risk assessment skills are particularly important when prioritizing scenarios and determining which ones require action, if any. The authors recommend relying on an existing risk assessment framework(s) at your organization to accomplish such a risk assessment. Likelihood and impact are two common measures of risk, and these or similar measures could be part of an ongoing research process.

Risk assessment should consider both inherent risk (IR) and residual risk (RR) where residual risk is the risk left unmitigated by control risks (CR), as expressed in the following formula. IR – CR = RR Step 3: Scenario Planning Scenarios identified as having a high residual risk related to reputation should then be selected for detailed scenario planning. Such proactive planning begins by developing strategies that simultaneously accomplish three objectives: (1) reduce the likelihood of these most significant scenarios through internal controls and training; (2) reduce the severity of reputation damage should one of these scenarios still occur; and (3) prepare a response should one of these scenarios still occur. The response planning should include incident response, public relations, and board-level communication. Executing Reputation Audits in Practice Brainstorming, prioritization and scenario planning are only useful concepts insofar as they can be executed consistently and with some quantitative rigor. A simple prioritization matrix can serve as the centerpiece of this activity. Consider the sample below, taken from one of our headlines: Event




Inherent Risk

Athletic Recruiting Violations


Decreased prestige, reduced ability to recruit strong athletes and coaches, loss of revenue



Controls Pre-approval of recruiting activities

Control Effectiveness

Residual Risk



In this example, we have taken an event identified during brainstorming and assessed its likelihood, possible effects if it were to occur, the severity of those effects, the existing controls, and the effectiveness of those controls – leaving us with a residual risk and a clear prioritization of the need for scenario planning. A few key items to note in this example: 1) The likelihood of the event should take into account the environment at the school and at comparable schools. All of the events we are discussing are relatively difficult to predict, so a simple assessment of overall population frequency is likely best. 2) The effects of the event and their severity will vary greatly based on the school and the underpinnings of its reputation. An athletic recruiting scandal would likely have different repercussions at a school with nationally recognized athletic programs than at a school with a smaller focus on athletics. The revenue implications would likely vary based on athletic-driven donations as well. 3) Inherent risk is here quite simply defined as [severity * likelihood]. 4) There are likely a set of controls in place to prevent or detect such an event and/or mitigate its impacts. In assessing the effectiveness of those controls, consider the likelihood that a control functions as designed (i.e., detects/prevents the activity), as well as how well it will perform its control function. (continued on page 13) 12 College & University Auditor

5) We have defined control effectiveness as ([likelihood of control functioning as designed] * [effectiveness of design]). These dimensions can be tracked on the same 1-5 scale as event likelihood and severity enabling easy comparison. 6) Residual risk is calculated as [inherent risk – control effectiveness]. Once the prioritization has been completed, it is important to recall that consistency is one of the keys to effective reputation management.

Creating such a matrix for the events identified during brainstorming can provide a onepage guide to prioritization of critical reputation risks and provides directions as to which scenarios are the most critical for preventive approaches to reputation risk management. Once the prioritization has been completed, it is important to recall that consistency is one of the keys to effective reputation management. If the analysis reveals one or more high-risk scenarios, it is incumbent upon the university to have an effective, transparent plan for addressing that scenario to avoid the amplifying effects of a confused response in the moments following an adverse reputation risk event.

Summary of Risk Responses As described earlier, traditionally available responses to risk are to accept, mitigate, transfer or avoid those risks. While much of this article focuses on reputation risk mitigation through brainstorming, scenario planning and incident response, risk transfer is becoming more common. Innovative new insurance products can aid in risk transfer of adverse reputation risk events, while other risks may be avoided or should be accepted depending on an institution’s risk appetite. It is quicker to suffer damage

Action Items for Internal Audit It is quicker to suffer damage to an organization’s reputation than it is to build or re-build to an organization’s reputait. Preparing for adverse reputation risk scenarios is an activity that can be accomplished tion than it is to build or with a thoughtful yet modest investment of brainstorming time and careful planning of re-build it. incident response decision protocols. The authors encourage internal audit professionals in higher education to initiate dialog with leadership of their institutions. Such dialog will help identify the existing blend of risk acceptance, risk avoidance, risk transfer, and risk mitigation procedures that are in place for potential adverse reputation risk events, and should yield changes in investment should the current blend be out of balance. n __________________________ 1. “Techniques for Auditing Reputation Controls: Fundamental Sources of Reputation Risk,” College & University Auditor, (Spring 2013): 14-17. 2. Turley, Jonathan (2012, November 15). GW stripped of ranking and placed in “unranked” category by U.S. News & World Report, Retrieved June 5, 2013 from: 3. Sherman, Ted and Kelly Heyboer (2013, April 12), Rutgers basketball scandal could have negative effect on school's credit rating, agency says. Retrieved June 5, 2013 from scandal_cou.html Sherman, Ted (2013, May 31). Moody’s downgrades Rutgers bond rating, cites uncertainty with merger, Retrieved June 5, 2013 from: 4. McInnis, Allen (2013, March 4). University rankings: McGill still world class – but slipping, Retrieved June 5, 2013 from: 5.

13 College & University Auditor

The Key Element of Leadership By Marcus Stanley


very type of successful leader has one thing in common. From the fiery, in-your-face drill instructor to the calm, quiet, amicable chief audit executive, if they are successful as leaders, they all share one trait: THEY CARE!

Successful leaders don’t just say that they care or act like they care; they sincerely and honestly care. They care about each individual as a person, not just as an employee. This is why some coaches can scream at players at the top of their lungs and those same players are ready and willing to run through a wall for the coach. This also explains why the mild-mannered boss doesn’t have to chastise her people at all. They excel because they want to make her proud. Successful leaders don’t just say that they care or act like they care; they sincerely and honestly care.

In this article we will explore a variety of ways to demonstrate caring and compassion for those whom you lead. The examples given are intended to be a foundation for you to build upon. You should certainly add your own style and flavor to make these ideas work best for you. They are presented according to difficulty and involvement, starting with the most basic and progressing to the most in-depth.

The easiest way to show someone you truly care for them is to simply talk to them. The more you have direct contact with your employees, the better you will get to know them. Simply asking how someone’s husband or wife or child is doing can go a long way. There is a catch, however, in that you have to listen to their answers. Asking a question and not listening to the answer will actually have a negative effect. Avoid wandering eyes and disinterested body language. You must look the person you’re conversing with in the eye and focus on what they are telling you. That can make all the difference between pretending to care and sincerely caring. Some leaders shy away from sharing or discussing personal information. If this is your leadership style, that is perfectly fine and this technique can still work just as well for you with a slight modification. Go speak to everyone just the same but instead of asking personal questions, give them encouragement. A verbal pat on the back along with an authentic “thank you” can mean more to some than you could possibly imagine.

About the Author

Marcus Stanley is a motivational speaker and life coach, with several years of management experience in the aircraft industry. His email address is and he can be found on Twitter @MarcStan10.

Speaking a few encouraging words and asking about one’s family is free, doesn’t take much time and has an enormous return on investment. If this is not your style or you don’t have time or you are not in direct contact with your employees, fear not! There are solutions for you as well. Speaking a few encouraging There is one thing in this world that virtually every employee in the history of employees loves: food. Taking your employees words and asking about one’s to lunch can give an instant boost to morale. Of course, in the family is free, doesn’t take much tight budget environment of higher education, coming up time and has an enormous with extra funds is easier said than done, but at a minimum return on investment. you could try baking the occasional plate of cookies. However, there is one pitfall to be aware of with this approach. If you never spend face-to-face, quality time with the recipients, they may view it as trying to buy love. They will eat the food, but someone else may receive the credit and goodwill in their minds. Last, but not least, is perhaps the most effective way to show that you care. It’s very simple and costs no money. It does require the most significant time commitment of all the methods discussed in this article, but the rewards are almost immeasurable. All you have to do is ask (continued on page 15) 14 College & University Auditor

each person to write down their goals and then spend some time with them individually discussing how they are going to get there. Some potential areas to focus on might include what skills they’d like to develop in their current role; a professional certification they’d like to achieve, such as Certified Internal Auditor; what role they might like to move into at some point in the future; or an advanced degree they’d like to earn. This would be a good opportunity to make them aware of any assistance your organization provides, such as tuition reimbursement or internal training opportunities.

The potential downside to helping further your employees’ achievements is that they may eventually leave your university or even internal audit entirely to

Asking your employees about their goals and then helping them work toward those achievements will ingrain deep loyalty; something money could never buy. Most people don’t even need much assistance; they just need you to nudge them forward.

pursue something else.

The potential downside to helping further your employees’ achievements is that they may eventually leave your university or even internal audit entirely to pursue something else. This is true, but while they are working for you and going for their dreams that employee will give you everything they have to give. Is it better to have a passionate and appreciative employee for two years or one that begrudges their job but sticks with it for nine? No matter how you plan to go about it, like Nike says, “Just do it.” You will not regret the effort for one moment. These are just a few ideas; you can likely come up with hundreds more. Just remember that all human beings want to be cared about. Once people know that you truly care about them on a deep level, there is nothing they won’t do for you. n

We speak your language.

“Candor. Insight. Results.” is more than a tagline; it is how we conduct ourselves every day in support of our clients, which include many premier institutions of higher education. Baker Tilly is a full service accounting and advisory firm. We collaborate with internal audit departments to provide surge capacity and address areas of strategic importance, including: > > > > > > >

Risk management Research compliance Construction management Fraud and forensics Sustainable energy Cost reduction Information technology

Our experienced professionals provide practical, proactive, and customized services, and are adept at navigating the complex culture found in universities, research institutions, and teaching hospitals. Connect with us:

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2011 Baker Tilly Virchow Krause, LLP

15 College & University Auditor

What the Internal Revenue Service Discovered – And What You Can Do About It By Steve Hoffman


long-awaited final report from the Internal Revenue Service (IRS) has been released. The College and University Compliance Project, conducted by the IRS Exempt Organizations Division, was launched in 2008. Detailed questionnaires were sent to 400 randomly selected colleges and universities. The IRS then selected 34 of the 400 for examination based upon the responses. The IRS had released an interim report but now with more than 90 percent of the examinations completed, the final report has been released. The report highlights some interesting information on what was discovered in the The examinations were designed examinations, including compensation and comparability data, employment tax issues and retirement plan issues. to focus on unrelated business income tax and executive compensation of three groups: small, medium and large colleges and universities.

The Examination Results The examinations were designed to focus on unrelated business income tax and executive compensation of three groups: small, medium and large colleges and universities. Exams covered all returns including Forms 990 and 990-T, employee plans returns, excise tax returns and employment tax returns.

The examinations resulted in increased unrelated business taxable income totaling $90 million, with more than 180 adjustments made to the returns. More than half of the adjustments were related to the following activities, in order of frequency: • Fitness and recreation centers and sports camps, • Advertising, • Facility rentals, • Arenas and • Golf courses. On 75 percent of the returns examined, the IRS disallowed losses totaling approximately $170 million that could amount to more than $60 million in assessed taxes. A reason offered for the adjustments was a misclassification of activities as a trade or business. The IRS also disallowed net operating losses of more than $150 million because the losses were not connected with an activity that had a profit motive.

About the Author

Steve Hoffman is a tax expert with many years of experience and education and is dedicated to providing consulting and workshops on tax compliance to colleges and universities. He can be reached at

Expenses were disallowed on more than 60 percent of Forms 990 because the expenses were based on improper allocations between exempt and unrelated business income. Net operating losses on examined returns in the amount of $19 million were disallowed because the losses were not calculated correctly or were unsubstantiated. At more than 40 percent of colleges examined, there were activities determined by the IRS to be unrelated and subject to tax. These adjustments totaled nearly $4 million. Many of the returns filed had been reviewed prior to filing: 13 percent by outside counsels, 57 percent by independent accountants and 50 percent by boards of directors or board committees. (continued on page 17) 16 College & University Auditor

Compensation Issues The final report produced some interesting observations on compensation of top management officials. Highest to lowest average compensation by position was in this order: • Investment managers, • Sports coaches, • Heads of departments, • Faculty, • Other and • Administrative/managerial.

One third of colleges and universities examined did not have formal compensation policies, and about one half used outside compensation consultants to assist with setting compensation.

Adjustments to salaries or wages from the examination of employment-related returns were due to a number of reasons: •  Failure to include in income the value of personal use of automobiles, housing and   social club memberships and travel; •  Misclassification of employees as independent contractors; • Failure to withhold taxes for wages paid to nonresident aliens (foreign students,   scholars); and •  Failure to include in income the value of certain graduate student tuition waivers   and reimbursements.

The IRS also made adjustments for deferred compensation as a result of examinations at eight colleges and universities. Adjustments amounted to slightly over $1 million that generated over $200,000 in additional tax. The Setting of Compensation One third of colleges and universities examined did not have formal compensation policies, and about one half used outside compensation consultants to assist with setting compensation. The IRS had concerns about the comparability of outside data. The final report shows that: • About 20 percent of institutions did not use an appropriate data set. There was no documentation of the selection criteria and no explanation of why those schools used for comparison were deemed comparable to the school relying on the data. • Many schools relied on a compensation survey compiled by an independent firm; however, some of the data in the compensation surveys were removed or not limited to schools that were comparable. • The compensation surveys did not indicate if the amounts included only salary or included other types of compensation. The IRS issued 24 advisories to 24 institutions on a number of activities that could result in tax liability in the future.

The IRS issued 24 advisories to 24 institutions on a number of activities that could result in tax liability in the future. Some Conclusions The IRS has not issued clear instructions with regard to what is subject to the unrelated business income tax.

The IRS has not made clear what expenses can be deducted from unrelated business income and needs to clarify what an allocation of expenses method is and not rely on “reasonable expenses.” Better record keeping is needed to support the calculation of net operating losses, and substantiation needs to be maintained. Reviews of tax forms before filing with the IRS have produced little value. It appears, based on the dollars generated from an examination of only 34 colleges and universities, that reviewers may have had little knowledge of the areas of assessment by the IRS. (continued on page 18) 17 College & University Auditor

Many of those with responsibilities related to compensation do not have a clear understanding of the taxability of fringe benefits; the differences between an independent contractor and an employee; the tax treatment of wages paid to foreign students, scholars and researchers; and the taxability of tuition waivers and reimbursements. There is a lack of understanding about the taxability of certain deferred compensation arrangements. My Belief and Survey Results This final report reaffirms my belief in the need for dedicated tax positions within colleges and universities. The National Association of College and University Business Officers (NACUBO) 2011 tax survey revealed that only 22 percent of the 220 colleges and universities responding had positions devoted solely to tax, and most of these positions were at research institutions. Overall, 55 percent of research institutions responding had a person devoted solely to tax matters, while only two percent of other types of institutions responding did. One telling finding of the survey is that few colleges and universities had plans to create a position devoted solely to tax. What You Can Do About Assuring Compliance Demand more accountability from your independent accountants. More than half of the returns examined had been reviewed by such accountants. The results of the IRS Compliance Project show that a more thorough review needs to be done by these firms. More education of boards and board committees on unrelated business income tax is clearly needed.

Half of the unrelated business income tax returns filed and audited by the IRS in this project were reviewed by boards of directors or board committees. More education of boards and board committees on unrelated business income tax is clearly needed.

Thoroughly review the five areas listed above as the sources of more than half of the IRS adjustments. Insure activities in these areas are appropriately monitored and reported. Universities should be conducting an unrelated business income tax survey annually on their campus. This is generally done via a readily available questionnaire. Institutions should not simply rely upon personal knowledge of activities on campus.

More than $170 million in losses were disallowed by the IRS. This indicates the people responsible for the preparation of the returns lacked a clear understanding of what constituted a business activity and what losses were allowable. A well-trained tax manager would understand these areas and be able to accurately complete the tax return for the university. Learn what are taxable fringe benefits and adjustments to salaries and wages. The IRS opened 11 employment tax examinations for other issues at the 34 universities audited. Increases in salaries and wages of over $35 million resulted from those additional examinations – generating more that $7 million in employment taxes. Train staff members in the decision-making process for declaring an individual an independent contractor. Determine which staff members make this decision and provide them training on a continuing basis. Training should also be required on withholding of taxes from student employees, as this was also an important issue in the IRS report. The IRS will continue to focus on determining whether colleges and universities comply fully with tax laws. The amount of revenue generated by the 34 examinations described above should make the IRS’s pursuit clear to colleges and universities. Schools can and should prepare now for such audits by implementing a tax compliance program at their institutions. Those that do not are putting themselves at financial and reputational risk. n

18 College & University Auditor

ACUA Leads!  The premier resource for              ACUA members for   TRAINING          training, mentoring, and                                MENTORING   guidance to emerging leaders.           GUIDANCE   

About ACUA Leads! ACUA Leads! is a year‐long leadership program that provides a framework to develop  leadership skills, including communication, strategic planning, performance management,  self‐awareness, and innovative problem solving. 

ACUA Leads! Benefits         

Grow both professionally and personally.  Become more aware of your leadership and communication styles.  Understand how to build relationships in a collaborative environment.  Enhance written and verbal communication  skills.  Understand the dynamics of change  management.  Nominations for Cohort III in  Discuss emerging issues.  2014 will open September  Network with other emerging leaders.  2013!  Work one‐on‐one with a mentor.  Develop your leadership potential.  Interested? Full details are 


posted on the ACUA Leads! web  page at : ACUA_Leads.asp 

19 College & University Auditor

What is the ACUA Risk Dictionary?  The ACUA Risk Dictionary is a comprehensive database of  risks and their associated controls for areas specific to  higher education. Higher Education audit departments can  use the risk dictionary for identification of an audit  universe specific to higher education which can be used  for performing their annual risk assessments and  preparing their annual audit plan.   The ACUA Risk Dictionary can also be used to prepare project level risk assessments for areas such as: ‐ NCAA Compliance   ‐ Student Financial Aid  ‐ Export Controls  ‐ Research Compliance and many more! After having identified the risks for your audit project, the ACUA Risk Dictionary contains the  associated controls which can then be used to prepare an audit program to test whether the proper  controls exist.

Is the ACUA Risk Dictionary for YOU? 

Business officers, risk officers, compliance officers and other higher education leadership can use the  ACUA Risk Dictionary to provide a comprehensive list of areas that could likely need their attention.  For someone new to their position or new to higher education, the ACUA Risk Dictionary will be  especially beneficial in identifying not only broad areas where inherent risks are common, but also  specific risks within those areas and their associated controls. In the absence of a formal risk management structure, the ACUA Risk Dictionary provides a concrete  and comprehensive starting point for identifying, evaluating, and managing risks across the  organization. You now have the ability to submit new risks and controls for the dictionary. The Risk Dictionary is a  living document, so check it out with an eye toward what you can contribute.  The ACUA Risk Dictionary is available for FREE as a benefit of ACUA membership or by subscription to  non‐members.  

20 College & University Auditor

Acua candu journal fall 13 final2  

ACUA, Summer 2013, Association of College and University Auditors

Read more
Read more
Similar to
Popular now
Just for you