Techniques for Auditing Reputation Controls

Part II: Steps Toward Preventive Reputation Risk Management

By Dr. Bradley W. Brooks, Joe Oringel, CIA, CPA, and Ken Ramaley, CIA

Dr. Bradley W. Brooks is tenured Professor of Marketing, McColl Business School, Queens University of Charlotte. He may be contacted at:

Joe Oringel, CIA, CPA, is a Managing Director at Visual Risk IQ, an advisory firm specializing in data analytics, visual reporting and continuous auditing. Joe will be presenting at the 2013 ACUA Conference in Norfolk with a session titled “Let’s Get Rolling with Data Analytics and Continuous Auditing.” This session will include a mock audit planning meeting where attendees will jointly plan an audit of one or more business processes specific to Higher Education. He may be contacted at:

Ken Ramaley, CIA, is Managing Director of Ramaley Group, a management consulting firm specializing in reputation risk management. He may be contacted at:

ACUA Summer 2013, Vol. 65, No. 2

Beloved Professor Admits to Plagiarism, Exaggerated Research Claims


Headlines such as these are so common today that no university can possibly be immune. With such seemingly isolated incidents being so prevalent, is there anything an institution can do except hope it will get through another year without being in the news for the wrong reason? The rise of social media and shortening of the news cycle serve to ensure that previously localized events become broadly disseminated with correspondingly broad reputation impacts. Consequently, a proactive approach to managing reputation risk is needed.

In Part I of this series [1] we identified methods for quantifying reputation risk and its sources. These methods provide reputation risk measures which are best assessed against consistent standards. A thorough understanding of the evolution of reputation risk is helpful in determining these standards and in developing a proactive, preventive approach to reputation risk events. Traditional risk responses of risk avoidance, risk acceptance, risk transfer and risk mitigation all have their place in helping manage reputation risk. This article focuses primarily on risk mitigation as an activity that higher education internal audit teams can help facilitate, though other techniques may also be appropriate.

The first key to preventive reputation risk management is an acknowledgement that idiosyncratic, reputation-damaging events are not merely likely – they are nearly certain. In light of that expectation, proactive internal audit departments must hold leaders accountable for implementing controls to mitigate opportunities for damage created by such events. As we identified in Part I, the most significant reputation risks occur when the gap between reality and perceived reality is greatest. The best way to diminish this gap is to have a keen sense of an institution’s reality, and an understanding of what kinds of external events (like the headlines above) could change your stakeholders’ perceptions of the institution’s reputation.
Once more aware of the possibilities, campus leaders can proactively prepare communications and actions to realign perception with reality rapidly when such a negative unexpected event occurs. Techniques such as brainstorming, scenario analysis and incident response are critical for understanding possible negative influences on perception and for deriving appropriate responses before the heat of the moment. Reputation-aware internal auditing activities benefit by aiding in the adoption of these and other techniques as part of a comprehensive reputation risk management strategy by university leadership.

Tools for Managing Reputation Risk

Good news: The tools for managing reputation risk are the tools that internal audit professionals bring to most any assurance or advisory engagement. As a profession, internal auditors are particularly skilled in risk assessment, facilitation and documentation, and these skills support effective implementation of the tools and techniques identified below.

In consultation with the appropriate university administrators, internal auditors in higher education should formally identify the appropriate standards for reputation measurement before conducting a reputation risk audit. This can be accomplished by identifying stakeholders (e.g., alumni, donors, faculty, peers, students) and reviewing expectations that drive the school’s reputation, as described in Part I of this article. Understanding both the present and the historical context is helpful in this process.

Step 1: Brainstorming Reputation Risk Scenarios

In conducting a reputation risk audit, the first step is to brainstorm events that could adversely affect an institution’s reputation among its key stakeholders. Output from a brainstorming session will be a set of scenarios that might warrant further discussion, scenario planning and development of incident response procedures. These scenarios should include a wide array of campus functions and activities, not just academics. Consider recent examples of reputation damage and its consequences that originated in academic areas, athletic areas, and other areas.

• In 2012, George Washington University lost its spot among the U.S. News & World Report top rankings after acknowledging it had misreported statistics that affected its academic perceptions for several years. Such rankings can affect student, employer and donor decisions. [2]

• Rutgers University saw high-profile university leaders leave in disgrace during 2013 after the men’s basketball coach was found using offensive language and verbally abusing players. The replacement basketball coach was incorrectly introduced as a graduate of the university and has enrolled in the school to complete his bachelor’s degree while remaining head basketball coach. Additionally, the school’s new athletic director has been a polarizing figure due to issues from her past. Athletic donors immediately began reconsidering donations to the program. During a time when Rutgers was attempting to raise capital as the university was merging with the state’s medical school, Moody’s Investors Service subsequently downgraded Rutgers’ credit rating. [3]

• In 2012, students at McGill University in Canada went on strike in response to tuition increases enacted by the Quebec Province government. The Times Higher Education World Reputation Rankings dropped McGill University from a tie for 25th place in 2012 (worldwide) into a tie for 31st place. Although such a ranking is still high, it could affect stakeholder decisions going forward. [4]

• The University of North Carolina spent more than $500,000 for public relations assistance during the last two years, as a result of a long-running academic fraud scandal that prompted the resignation of Chancellor Holden Thorp and firing of football coach Butch Davis. [5]

This brainstorming can begin within an internal audit department but should eventually involve campus leadership from both line and staff roles. Starting the brainstorming within internal audit has the benefit of generating some initial scenarios specific to higher education, as well as rehearsal of the facilitation process in preparation for a similar activity with a broader set of an institution’s stakeholders.

As with other types of brainstorming, the purpose of the brainstorming session is not to determine a solution but simply to identify potential scenarios that might require further consideration during scenario planning and developing an incident response decision tree. It is common for several scenarios to be selected for further action as a result of the brainstorming session. The potential adverse reputation risk events identified during brainstorming commonly bring reactions such as “How should we respond?” or “If we did ______, how would that affect us? Why?” Formally measuring the likelihood and/or severity of a scenario should not be part of brainstorming; however, general evaluations of these measures should be a subsequent activity as explained below. Although internal audit can generate interesting scenarios, it is important for the brainstorming activities to involve a cross-section of executive leadership from a variety of staff and line functions.

Step 2: Prioritizing and Ranking

The next step requires prioritizing and ranking scenarios that could have adverse effects on the institution’s reputation risk. Identifying the most significant risks is critical in determining action steps and in prioritizing limited resources for managing specific risks. Effective risk assessment skills are particularly important when prioritizing scenarios and determining which ones require action, if any. The authors recommend relying on an existing risk assessment framework(s) at your organization to accomplish such a risk assessment. Likelihood and impact are two common measures of risk, and these or similar measures could be part of an ongoing research process.

Risk assessment should consider both inherent risk (IR) and residual risk (RR), where residual risk is the risk left unmitigated by control risks (CR), as expressed in the following formula.

IR – CR = RR

Step 3: Scenario Planning

Scenarios identified as having a high residual risk related to reputation should then be selected for detailed scenario planning. Such proactive planning begins by developing strategies that simultaneously accomplish three objectives: (1) reduce the likelihood of these most significant scenarios through internal controls and training; (2) reduce the severity of reputation damage should one of these scenarios still occur; and (3) prepare a response should one of these scenarios still occur. The response planning should include incident response, public relations, and board-level communication.

Executing Reputation Audits in Practice

Brainstorming, prioritization and scenario planning are only useful concepts insofar as they can be executed consistently and with some quantitative rigor. A simple prioritization matrix can serve as the centerpiece of this activity. Consider the sample below, taken from one of our headlines:

Event | Effects | Inherent Risk | Controls | Control Effectiveness | Residual Risk
Athletic Recruiting Violations | Decreased prestige, reduced ability to recruit strong athletes and coaches, loss of revenue | | Pre-approval of recruiting activities | |

In this example, we have taken an event identified during brainstorming and assessed its likelihood, possible effects if it were to occur, the severity of those effects, the existing controls, and the effectiveness of those controls – leaving us with a residual risk and a clear prioritization of the need for scenario planning. A few key items to note in this example:

1) The likelihood of the event should take into account the environment at the school and at comparable schools. All of the events we are discussing are relatively difficult to predict, so a simple assessment of overall population frequency is likely best.

2) The effects of the event and their severity will vary greatly based on the school and the underpinnings of its reputation. An athletic recruiting scandal would likely have different repercussions at a school with nationally recognized athletic programs than at a school with a smaller focus on athletics. The revenue implications would likely vary based on athletic-driven donations as well.

3) Inherent risk is here quite simply defined as [severity * likelihood].

4) There is likely a set of controls in place to prevent or detect such an event and/or mitigate its impacts. In assessing the effectiveness of those controls, consider the likelihood that a control functions as designed (i.e., detects/prevents the activity), as well as how well it will perform its control function.

5) We have defined control effectiveness as ([likelihood of control functioning as designed] * [effectiveness of design]). These dimensions can be tracked on the same 1-5 scale as event likelihood and severity, enabling easy comparison.

6) Residual risk is calculated as [inherent risk – control effectiveness].

Creating such a matrix for the events identified during brainstorming can provide a one-page guide to prioritization of critical reputation risks and provides directions as to which scenarios are the most critical for preventive approaches to reputation risk management. Once the prioritization has been completed, it is important to recall that consistency is one of the keys to effective reputation management. If the analysis reveals one or more high-risk scenarios, it is incumbent upon the university to have an effective, transparent plan for addressing that scenario to avoid the amplifying effects of a confused response in the moments following an adverse reputation risk event.

Summary of Risk Responses

As described earlier, traditionally available responses to risk are to accept, mitigate, transfer or avoid those risks. While much of this article focuses on reputation risk mitigation through brainstorming, scenario planning and incident response, risk transfer is becoming more common. Innovative new insurance products can aid in risk transfer of adverse reputation risk events, while other risks may be avoided or should be accepted depending on an institution’s risk appetite.

Action Items for Internal Audit

It is quicker to suffer damage to an organization’s reputation than it is to build or re-build it. Preparing for adverse reputation risk scenarios is an activity that can be accomplished with a thoughtful yet modest investment of brainstorming time and careful planning of incident response decision protocols. The authors encourage internal audit professionals in higher education to initiate dialog with leadership of their institutions. Such dialog will help identify the existing blend of risk acceptance, risk avoidance, risk transfer, and risk mitigation procedures that are in place for potential adverse reputation risk events, and should yield changes in investment should the current blend be out of balance.

__________________________

1. “Techniques for Auditing Reputation Controls: Fundamental Sources of Reputation Risk,” College & University Auditor, (Spring 2013): 14-17.
2. Turley, Jonathan (2012, November 15). GW stripped of ranking and placed in “unranked” category by U.S. News & World Report. Retrieved June 5, 2013 from:
3. Sherman, Ted and Kelly Heyboer (2013, April 12). Rutgers basketball scandal could have negative effect on school's credit rating, agency says. Retrieved June 5, 2013 from scandal_cou.html
   Sherman, Ted (2013, May 31). Moody’s downgrades Rutgers bond rating, cites uncertainty with merger. Retrieved June 5, 2013 from:
4. McInnis, Allen (2013, March 4). University rankings: McGill still world class – but slipping. Retrieved June 5, 2013 from:
5.

