Business Officer Magazine

Practicing New Steps

With board-level audit committees on the rise, business officers and internal auditors must embrace changes in reporting and working relationships. Choreographed correctly, it's a duet that helps the institution's beat go on.

By Mary M. Barnett and Mark Paganelli

A confluence of factors is pushing the internal audit department at many higher education institutions into more demanding and prominent positions. Major issues influencing the shift include (1) the effects of the Sarbanes-Oxley (SOX) Act of 2002, which requires publicly traded organizations to have audit committees; (2) scrutiny of governing boards by external parties because of scandals over questionable spending; and (3) the standards governing the internal auditing profession.

The trend is likely to change the relationship that business officers traditionally have shared with their internal auditors. This is in large part because the responses to the governance issues have driven the move toward stand-alone audit committees that report directly to the college or university board of trustees.

What exactly does this shift mean for the chief business officer? On one hand, auditors who previously reported to the CBO now report directly to the board by way of the audit committee. If deftly practiced, this new relationship can provide an important avenue through which the business officer may access the board. On the other hand, the business officer will lose control of the work performed by internal audit.

In any case, there's no doubt that big changes are taking place regarding reporting relationships, governance dynamics, and strategic priorities. As a result, all parties are dancing to a different beat than before. Boards are learning to work effectively with audit committees; business officers are adjusting to the organizational changes in their dance cards; and all are seeking the advantages to be gained from a high-level audit committee that adds new perspective and expertise to addressing overall institutional risk. Following is a discussion of the new dynamics and some advantages and disadvantages of staying in step.

Multiple Moves Toward Modification

Three main areas of activity have influenced the move to board-level audit committees.

The Sarbanes-Oxley Act. The act has probably played the biggest role in reshaping the audit relationship. Although SOX does not apply to institutions of higher education, the National Association of College and University Business Officers (NACUBO) recommends that its members implement many parts of the act. Prior to SOX, internal audit departments often reported directly to the CBO, and audit committees were combined with finance committees. Thus, the chief business officer was the staff liaison to the board for audit matters, and any internal audit matters were agenda items for the finance/audit committees of the governing board.

The implementation of SOX has resulted in stand-alone audit committees, with the internal audit department now serving as the staff liaison and often reporting directly to this board committee instead of the business officer. Such is the case at the Pennsylvania State System of Higher Education, where Dean Weber, director of the office of internal audit and risk assessment, has seen the institution create a separate audit committee as part of the SOX advocacy movement. He now reports directly to the board-level audit committee.

The audit committee is usually tasked with ensuring the integrity of the institution's financial statements, ensuring compliance with rules and regulations, overseeing the external and internal auditors, and informing the full board of activities when necessary. The size of the committee varies, but there are typically from four to seven members. One of the requirements of SOX is that at least one member of the committee be considered a financial expert. This is sometimes difficult, since board members are not usually appointed to the board for their ability to understand financial statements and internal controls. To compensate for this, audit committee charters often allow one or two nonboard members to be appointed to the audit committee.

Three independent surveys confirm the impact of SOX on higher education and internal auditing:

  • "The AGB Survey of Higher Education Governance," by Susan Johnston (AGB, 2009), reported that more than half of the nearly 700 respondents from public and private university boards said they now have audit committees. Just four years earlier, only one third of the participants in prior AGB surveys ("Policies, Practices, and Composition of Governing Boards," which were two separate surveys for public and independent institutions that year) stated they had created such committees.
  • Results of the study "Then and Now: Expectations and Reality of Sarbanes-Oxley" by Glen L. Gray (Institute of Internal Auditors Research Foundation, 2008), indicated that 76 percent of internal audit departments reported functionally to an audit committee and only 6 percent to a chief financial officer.
  • In January 2008, NACUBO conducted a follow-up survey on the association's SOX recommendations. Of the 429 institutions responding, 91 percent indicated they have an audit committee and 62 percent of the respondents stated the internal auditors report directly to the audit committee.

Public scandals. Malfeasance was uncovered at several higher education institutions during the same time period as the events at MCI, Enron, and other U.S. companies, which resulted in the passage of SOX. Although not as financially devastating in terms of dollar amounts and investor losses, mismanagement of funds at higher educational institutions can cause similar negative impact. In response to questions about the effectiveness of governing board and business officer oversight, boards created audit committees to demonstrate that leadership had taken steps to improve controls, accountability, and transparency.

Such was the case at the University of Tennessee. After a public scandal involving questionable spending by the then-president, the board of trustees created an audit committee that changed the reporting relationship. Now the internal audit department reports not to the president but directly to the audit committee and administratively to the chief financial officer.

Evolving professional standards. The Institute of Internal Auditors' standards require the internal auditor to have direct interaction with the governing board. This is typically accomplished through the creation of an audit committee.

The purpose of these standards, the SOX requirements, and audit committees is to provide a level of independence to the internal audit function whereby its work is objective and free from interference by management. Such a reporting relationship places internal audit at arm's length from the chief business officer and is far removed from the days when internal audit was a business office function and reported directly to the chief business officer.

Farther Apart–Yet Closer Together

Ironically, audit committees, which created this arm's-length relationship, can also cause internal auditors and business officers to work more closely together. In NACUBO's 2008 survey, for example, 63 percent of the respondents indicated the board of directors played a role in the action taken to address the recommendations of SOX. The respondents also indicated that chief business officers, controllers, and internal audit departments were all involved in implementations related to SOX at their institutions.

Unanticipated circumstances can also lead to such collaborative efforts. For example, seemingly excessive spending on the presidential residence at North Dakota State University, Fargo, came under scrutiny, resulting in the resignation of the president and some key financial officers. Similar to the reaction at the University of Tennessee, conversations continue to take place at NDSU about the appropriate reporting relationship for internal audit. Regardless of the outcome of these discussions, NDSU's Eric Miller, director of ethics, compliance, and audit, states that he and the current vice president for finance and administration have a common set of problems they are trying to resolve. They are working closely together, even though Miller does not report to the business office. Internal auditors and business officers who work together in this way can help ensure that a good internal control environment exists. (See sidebar, "Joining Hands to Protect Institutional Plans," for a further discussion about the value of concerted efforts of internal audit and the CBO in mitigating campuswide risks.)

Such revised relationships at a higher leadership level can mean big gains for all parties.

Tap Audit Expertise and Its Higher Profile

For the CBO, the audit committee, along with the staff internal auditor, can be an invaluable resource, regardless of the institution's size. The value lies in a number of areas, including:

Establishment of proper priorities. Most finance committees are consumed with discussions of budgets, investments, and capital projects. These are huge agenda items of great importance for the board, the business officer, and the institution. Having a separate audit committee allows everyone to devote the appropriate amount of time to the institution's audited financial statements and internal audit issues.

Tangible Benefits for the CBO

An internal audit department can serve as an invaluable source of objective and independent information for the business officer. Among key areas are:

  • Welcome skills in dealing with budget reductions.
  • Assistance in assessing risks that may exceed the business officer's comfort level.
  • Institutional knowledge.
  • Outside expertise from networking.
  • Motivation of departments to maintain high levels of compliance.
  • Handling fraud investigations.

In one example, Joe Shepard, vice president for administration and finance at Florida Gulf Coast University, Fort Myers, recalls that approximately two years ago, the university's new president wanted to implement what is considered a best practice for an audit committee: separating the audit and finance committees into two independent autonomous committees. The president felt this sent a clear message that the audit function was important and that the board was attempting to protect resources through yet another mechanism. The separation allowed the right people to focus exclusively on auditing and fiduciary responsibilities, preventing these issues from being dominated by budgeting or financial matters. 

Shared responsibilities. The business officer is able to delegate the staff liaison role and administrative responsibilities for the committee to the internal auditor.

Venue for discreet discussions. Another advantage is that most audit committee charters allow for an executive session during which confidential matters can be presented to the committee privately. Although it may be rare for the business officer to present confidential material in this manner, the ability exists. The more likely scenario for the business officer might be to attend this session and provide sensitive information or an opinion about a particular topic without the fear of the matter being reported publicly.

Internal audit's direct avenue to the board also enables university employees to communicate their concerns through internal audit to the governing board. This communication line enables the internal audit department to learn about potential problems or issues that may require action by the business officer. This may enable the business office to promptly address these matters proactively, instead of after the fact.

In one example, according to Helen Vanderland, director of internal audit for the Virginia Community College System, the audit committee instructed her office to monitor a particular problem that was not being adequately addressed by one of the colleges and report to committee members monthly on the progress being made. Because of the board's involvement, a significant risk was addressed more quickly than it might otherwise have been.

On the business office level, the revised and upgraded audit function can lead to some tangible benefits for the CBO.

Objective and independent information. Although the internal audit function has generally provided valuable services to the business officer, these benefits can be enhanced with the elevated reporting relationship. A well-staffed internal audit department should be able to assist in a number of key areas. In these volatile economic times, this expertise can translate into:

  • Welcome skills in dealing with budget reductions. With shrinking resources, most business officers face the need to reduce their budgets, sometimes by millions of dollars. This might include eliminating departments and outsourcing operations. Furthermore, institutions are exploring additional research funding, business endeavors, and acquiring and selling capital assets to compensate for reduced state funding and other losses affecting their budgets. The audit staff can be invaluable in evaluating operations for inefficiencies, improving processes, and assisting the chief business officer in validating the data related to the tough decisions that are needed during an economic downturn.
  • Assistance in assessing risks that may exceed the business officer's comfort level. A direct reporting relationship to the audit committee may remove some of the potential interference and internal political ramifications affecting the business officer and provide an avenue to obtain factual, objective information that is reported directly to the business officer and the governing board via the audit committee. Working together, the business officer and internal auditor can demonstrate and validate sound business practices, reduce risks, and report this information to the governing board.
  • Institutional knowledge. Many audit directors have a long tenure at their institutions and can assist with institutional history to help prevent past mistakes from being repeated and also enable past successes to be remembered. This is particularly important to new business officers. Even if the internal audit director is also relatively new to the university, the audit department maintains reports and other reference materials about specific operations and departments, and the staff can provide a wealth of unbiased information to assist business officers.
  • Outside expertise. College and university auditors are well-networked through their professional associations as well as a listserver connecting more than 1,200 auditors at 500 universities. This resource, administered by the Association of College and University Auditors (ACUA), can be extremely useful in researching best practices and gaining a general understanding of how other institutions are handling various issues.
  • Motivation of departments to maintain high levels of compliance. Widespread knowledge that the audit department has a direct line to the governing board can assist the business officer in achieving compliance by establishing appropriate policies and reacting quickly to audit recommendations. Often, even the most difficult of problems can be solved internally when the alternative is reporting to the governing board that an issue could not be resolved or a project implemented as recommended. That is the preference of both the internal auditors and business officers but, if needed, the audit committee can assist in ensuring compliance.
  • Fraud investigations. Internal auditors are often asked to look into instances of theft or fraud involving university resources. Since some of these can be complex financial transactions, the audit department may be better equipped to handle these situations than the campus police–and auditors are often more experienced with financial fraud than the general counsel's office. In addition, using the general counsel's office to conduct investigations can potentially cause issues should counsel be called upon later to defend the university in any legal matters related to an investigation. It might be impossible for them to be both witness and counsel.

Hiring an outside entity to conduct these reviews may assist with confidentiality but can be substantially more expensive. These are some of the reasons why the Virginia Community College System internal audit office performs the review of calls to the state's fraud hotline that pertain to any of the 23 community colleges in the system. The calls might include alleged wrongdoing by someone at any level of college management. Since the audit director reports directly to the board, the likelihood of anyone influencing an investigation is remote.

Talent Turnabout

The CBO also has skills and expertise to offer the audit team, particularly in instances in which the transition to an audit committee is recent. For example, he or she will typically already have expertise in communicating with board members and can assist the internal auditor in explaining the financial operations and the roles of external auditors and in providing an overview of the institution's internal control structure. The internal auditor and chief business officer will usually have different but complementary perspectives of the operations and controls, and working together to provide this information to the audit committee will enable the committee to more completely understand the complexities of a higher education institution.

For example, during a sensitive discussion about the inappropriate use of university resources, the University of Tennessee's veteran internal auditors wisely sought the counsel of their recently retired chief business officer, Emerson Fly, executive vice president. With more than 40 years of experience as a business officer at the university, Fly was a tremendous asset to the internal audit department. Earlier, he played an important role in establishing the audit committee. He was familiar with board members and media relations, while also being an expert on the university's operations. Although the internal auditors were quite experienced, Fly's background and perspective contributed greatly to the overall communication and decision making by the board.

The Downside

While a reporting structure that calls for the audit function to report to the board has a number of benefits, it can cause some challenges for the business officer, including the following:

  • With the auditors no longer reporting to the business office, the CBO doesn't oversee the internal audit function. While the business officer may have some influence on what audits and reviews are performed, he or she is no longer able to set the priorities for internal audit. Instead, plans are now approved by audit committees. At the University of Tennessee, for example, the entire audit year could be spent performing reviews requested by the business staff. These have to be balanced with requests from audit committee members and other senior staff as well as the results of internal audit's own risk assessment.
  • Authority to hire and terminate the chief auditor is now the responsibility of the audit committee. This includes evaluating and setting the salary for the chief internal auditor. Conceivably, a salary offered by the audit committee could result in inequities with other employees with similar responsibilities.
  • The business officer no longer has total control over the size of the internal audit department. Those decisions reside with the audit committee. At the University of Tennessee System, where the audit committee has existed for six years, the audit director has benchmarked and evaluated the staffing on three occasions. Such benchmarking information is often requested by chief audit executives. The audit committee is responsible for ensuring that sound controls exist, and most members want to ensure that adequate resources are being devoted. In all likelihood, business officers would be consulted about any increase or decrease in staffing, but they no longer make the final decision. 
  • The requirement of internal audit to report matters to the audit committee can cause concern for business officers. Since the business office is responsible for the internal control structure, frequent or repeat findings can reflect poorly on the department and have the potential to place the business officer in an adversarial role with the auditor. With the requirement that the audit committee must receive and review such reports, along with related criticisms, the information is now presented at a board level instead of to the chief business officer or other senior-level official. In addition, by reporting all audit-related matters to the audit committee, some items that would not normally warrant a board discussion are being presented, such as thefts of small-dollar amounts. With sunshine laws in some states requiring the audit committee meeting to be public, the potential exists for these matters to be covered by the media. Depending upon the environment, trivial matters have the potential to become front-page news. This could be true for matters involving athletic departments, senior staff, or other highly visible operations.
  • The auditor and/or audit committee could become too focused on enforcement, adopting a "gotcha" mentality. This would significantly impair the working relationship between audit and business officers. Florida Gulf Coast University's Shepard recognizes that internal audit has the obligation to keep the audit committee informed but also feels that, if there is a shift to being punitive, the relationship could become counterproductive. The result, he says, could even have a stifling effect such that individuals would be reluctant to share important and relevant information with internal audit because of the potential repercussions. Shepard acknowledges that he has a good relationship with the university's internal audit staff and that both areas understand and appreciate the role of the other. He adds that internal audit assists greatly in educating and assisting with improving controls and should not be viewed as the enforcer or the enemy; a true partnership makes for the most effective relationship.

Choreographing the Future

This new dynamic requires the internal auditor and business officer to work more closely together and to assist one another, if each is to be successful in implementing a strong internal control environment and communicating the results of this effort to the governing board.

As boards form audit committees, the relationship among the board, the internal audit department, and the business office will continue to evolve. This is a relatively new resource for many governing boards, but a very useful one that can greatly enhance trustees' understanding of university operations, fulfill their fiduciary responsibilities to stakeholders, and improve accountability and governance. The chief business officer can also benefit from the revised reporting relationships. Consequently, governing boards, business officers, internal auditors, and audit committees should make every attempt to keep in step with these resources to help them ensure that the goals and missions of the institution remain on track.

MARY M. BARNETT is the fraud investigations and special projects auditor for the Virginia Community College System; MARK PAGANELLI is interim executive director for administration and finance, University of Tennessee System, and the university's former audit director. Barnett is president of the Association of College and University Auditors; Paganelli is the immediate past president.


Joining Hands to Protect Institutional Plans

Now that implementation of governance changes resulting from the Sarbanes-Oxley (SOX) Act of 2002 is in place at many colleges and universities, enterprise risk management (ERM) is being discussed by many boards and presidents as a way to further demonstrate oversight and efforts to reduce or mitigate significant risks. Similar to SOX activities, this is an area in which the business officer and internal auditor can work as partners to produce an effective process.

There's much to be done in terms of ERM. In 2009, the Association of Governing Boards and United Educators jointly issued a publication titled The State of Enterprise Risk Management at Colleges and Universities Today. Interestingly, the report states that 60 percent of more than 600 respondents indicated their institutions do not use a comprehensive assessment framework to identify major risks to the missions of their institutions. The report recommends that college presidents and boards collaborate in developing such a process for monitoring and mitigating strategic risks to their institutions.

Another important aspect of ERM is to keep boards focused at the correct level; auditors and business officers working together can achieve progress with this. In other words, auditors and CBOs can encourage the board to focus on risks that may significantly interrupt operations, severely damage an institution's reputation, or even result in the closure of a university's key component. While major theft from the bookstore inventory would be significant, the institution would still function, likely suffering only short-term consequences. On the other hand, potentially catastrophic risks, such as the loss of accreditation, multimillion-dollar fines for violating federal regulations, endowment losses that threaten operations, or the lack of adequate disaster preparedness plans are priorities that rise to the level of board oversight. The task is to identify high-threat issues and ensure that senior management has taken steps to protect against them–or mitigate damage should emergencies occur.

A number of colleges and universities are taking such steps. At both Texas Tech University, Lubbock, and the University of Tennessee System, the chief financial officers participate in an institutional risk assessment process each year. Kimberly Turner, chief audit executive at Texas Tech, says that these results are used to assist with the department's audit planning. At the University of Tennessee, the results are presented annually to the audit committee to document the areas of greatest risk and the associated controls. Similarly, the results of the Virginia Community College System effort will guide annual audit planning and will also be used by management, including business officers, to help manage the identified risks.

To start work on a strategic risk assessment, consider these useful resources:

  • Risk assessment toolkit. NACUBO provides materials and guidance on risk management.
  • Searchable database. To also assist with ERM, the Association of College and University Auditors (ACUA) has created a risk "dictionary," listing hundreds of risks facing higher education institutions, as well as the corresponding controls to help mitigate those risks. The dictionary (available for ACUA members at the ACUA Web site) is a searchable database that is updated often and is an important resource when implementing an enterprise risk management process at a university or college.
  • ERM map. David Crawford, audit manager emeritus for the University of Texas System, has created a risk assessment application. Risks and controls are mapped to the institution's mission and presented in a "heat map," a graphic representation that highlights data with different colors. Such a visual is easy to present to the board and senior management and clearly shows the areas of greatest concern. This methodology has been used at several institutions in Texas and Tennessee and is currently being used at the Virginia Community College System.
  • Overview and case study of ERM activities in higher education. Read the cover story, "Ensemble Performance," and a companion article, "Learning to Harmonize," in the December 2008 Business Officer.