My NacuboWhy Join: Benefits of Membership

E-mail:   Password:   

 Remember Me? | Forgot password? | Need an online account?

Business Officer Magazine

Document This, Control That

Higher education leaders are challenged to rethink financial processes. More deliberate steps and sharper vigilance are part of the new mind-set.

By Sue Menditto and Kimberly Dight

This poses challenges—particularly for small, tuition-dependent institutions with no internal audit departments and for decentralized environments with the administrative, fiscal, and academic autonomy that suits the primary mission of an institution—and carries a need for stewardship and control. Such institutions must stay competitive while allocating resources to the primary academic mission.

Several forum sessions underscored the need for institutions to be vigilant in establishing clearly defined processes and documentation requirements.

Assessing Internal Controls: A Small Institution Perspective

The packed room at a session on assessing internal controls flagged the topic as a critical issue on the minds of higher education controllers. A quick poll of the audience, representing campuses across the country, showed that only 25 percent of those in the room had implemented or were planning an internal control assessment. Furthermore, of those in attendance from institutions with fewer than 5,000 students, none had an internal audit department.

Session presenter Ken Pifer, controller of the Claremont University Consortium, California, walked attendees through the what, why, and how of an institutional internal control assessment. He used as an example the consortium—a group of seven small colleges with enrollments between 750 and 1,500 per college and a total enrollment of approximately 5,500 students. The goal of the consortium’s internal control assessment was to document procedures, compare them to best practices, and promote changes where necessary to strengthen the system of internal control throughout the consortium. (See figure, “Why Assess?”)

Mapping a plan. The Claremont project was inspired by the NACUBO Advisory Report 2003-3: The Sarbanes-Oxley Act of 2002: Recommendations for Higher Education, in which NACUBO encouraged institutions to begin planning how an internal control assessment might be conducted. Around the same time, a new vice president of finance and administration—with an auditing background—joined one of the consortium’s member institutions. He supported NACUBO’s recommended review of internal controls and eventually became the Claremont project leader. According to Pifer, assessment was crucial to building credibility and strengthening the system of internal control to the level that Claremont deemed necessary due to a changing audit environment. While resources are often a consideration when undertaking a project of this magnitude, the consortium institutions believed that the need was critical enough to justify allocating dedicated resources.

Getting the job done. When considering resources, Pifer noted, the first decision to make is whether to outsource the effort or keep it in house. The benefits of outsourcing include experience, an outside perspective, strong knowledge of best practices, and little burden on staff. Yet, the decision to outsource can be costly and may compromise certain advantages to the institution. For example, keeping the project in house allows the college or university to contribute to and gain firsthand knowledge from the process. In addition, the output is more likely to be tailored to the organization.

Whether using outside resources or conducting the internal control review yourself, the steps of the review process are similar, said Pifer.

1. Determine the structure and scope of the project. Begin with a risk assessment that is tied to your institution’s financial statements, examining key balances and transaction processes. One area to which small institutions need to pay particular attention, cautioned Pifer, is management override in financial statement preparation. In other words, do not have one person responsible for all steps in preparing significant entries such as pledges receivable. Some type of review process must be in place.

2. Prioritize the areas to assess and then plan your process based on the organizational approach that best meets the institution’s needs—for example, by financial statement line, by transaction cycle, or by department. Before launching into the assessment, consider the type of documentation you want to produce. It might be helpful to build a template, since the documentation produced from the assessment will be a critical deliverable. In Claremont’s case, documentation resulting from the assessment was used to produce a “living document” manual subject to ongoing updates.

3. Conduct appropriate interviews, which are an important step in the assessment process. First and foremost, engage the right individuals. Consider using a checklist to facilitate the interviews, and be sure to document the results.

4. Test your institution’s internal controls. One way to do this is to go back to what you heard in interviews and find evidence of proper—or lacking—controls. In addition, look at items such as bank reconciliations and perform a random sampling of transaction testing on such areas as cash disbursements, cash receipts, grants accounting, and payroll.

Reporting the results. Communicate the details of the internal control assessment to management and trustees of the institution. Include in the report possible solutions for any control deficiencies identified. This will prove useful if your auditors make the same discoveries during the annual audit.

For the Claremont consortium, the assessment identified a number of issues, primarily related to segregation of duties. Several were fairly quick fixes and have already been implemented. Other processes are still being corrected. Pifer noted that, as the consortium looks to the future, leaders are considering an approach to periodic process updates and whether that might include an internal audit function.

Can Certifications Help?

With regard to accountability, control, and transparency, a session on financial subcertifications featured two multifaceted organizations. Session presenters were Charles Chaffin, chief audit executive and systemwide compliance officer for the University of Texas System, Austin, and Jay Bounty, controller at Harvard University, Cambridge. While the environments at UTS and Harvard are both highly decentralized, their approaches to subcertification couldn’t be more different; yet together they provide some tips for effective processes. 

The University of Texas System
UTS is a large, diverse, complex public system encompassing 15 institutions, 190,000 students, 80,000 faculty and staff, $36 billion in assets, a $10 billion operating budget, six hospitals, $1.8 billion in research, and five Division I NCAA programs. The system has eight accounting systems and no uniform chart of accounts. About 20 years ago, Texas state auditors began auditing the state as a whole rather than auditing individual institutions or systems. While all federal programs are subject to OMB Circular A-133, two UTS programs—student financial aid and research—reach the state threshold for materiality as major programs. Consequently, during the past two decades, UTS has been laying a foundation to facilitate stewardship, accountability, compliance, and a positive state A-133 audit report. The system has taken the following actions:

  • grown the staff of the internal audit department to 130 strong;
  • developed a nationally renowned administration compliance program in tandem with the focus on internal audit;
  • begun fiscal training programs (in 1994), teaching proper segregation of duties and reconciliation procedures with the goal of certification of financial information at the department level;
  • imposed (in 1995) a mandatory internal audit of each department every three years (currently the requirement to audit a department is based on a risk assessment performed by internal audit); and
  • launched (in 2003) an initiative known as the “Spirit of SOX” (Sarbanes-Oxley).

The spirit of SOX. In the wake of corporate scandals and the Sarbanes-Oxley Act, Chaffin seized an opportunity to expedite progress toward accountability. Under Chaffin’s leadership, UTS used NACUBO’s advisory report on Sarbanes-Oxley and held a SOX education event as a kickoff to the system’s Spirit of SOX initiatives. Subsequently UTS drafted a paper on the application of SOX within the system, formed an ad hoc committee to draft an action plan, and facilitated the board of regents’ adoption of the plan. Although the action plan was multifaceted, a key component involved certification of financial results. With more than a decade of foundation work complete, obtaining comprehensive systemwide certification was still a substantial effort but not as daunting as it otherwise might have been. 

Subcertification. In a decentralized environment, financial certification by the chief business officer is enabled through certifications by all those with fiscal responsibility. Such certification by account owners or fiscal officers is known as subcertification. At UTS, each institution’s chief financial officer must decide on the level at which subcertification is required. One institution might require subcertification by a department head, while another might require it by the dean of a school. Complexity of the institution, breadth of responsibility, and ultimately the comfort level of the CFO influence this decision.
UTS employs two types of certifications:

1. Certification from institutions to the system office involves a standard representation letter signed by the president, CFO, financial reporting officer, and chief audit executive.

2. Subcertification from the departments to the financial reporting officer certifies that all accounts are reconciled, revenues and expenses are accurate, segregation of duties is adequate, and evidence of fraud is absent.

Any large and complex organization would be hard pressed to turn on a dime and begin a meaningful and reliable subcertification process. While UTS had completed years of foundational work, an action plan embraced by senior executives really got the ball rolling. Before subcertification could begin, UTS enhanced internal controls and fraud awareness in its fiscal training curriculum. The internal audits of every department helped identify segregation of duties and reconcilement strengths and weaknesses. Another positive, and necessary, outcome was the formal appointment of a department reconciler. Finally, UTS produces a manager’s responsibility handbook, which is provided to all who have fiscal responsibility.

Discoveries. It is easy to see how preparation at the department level maps to the department subcertification referenced earlier. It has been three years since the Spirit of SOX movement got underway at UTS. Although readiness was more than a decade in the making, several discoveries have led to some improvement tweaks. For instance, UTS discovered that all department-level professionals are intelligent and capable people, but they need specialized training to develop and hone financial awareness and stewardship skills.

Through the years, department heads have been able to assess the need for staff with accounting-type skills and, where needed, have hired experienced employees to monitor the financials and reconcile accounts. Financial accounting inspections lead internal auditors to believe that they’re approaching 90 percent accuracy with attestations. Without departmental or some form of lower-level certification, executives at each institution in the system would lack the comfort needed to sign representation letters. 

Harvard University
Founded in 1636, Harvard University is the oldest institution of higher education in the country. Harvard has more than 6,000 undergraduates, more than 13,000 graduate students, and 15,000-plus faculty and staff. A decentralized environment is part of Harvard’s rich history. In fact, the expression, “Every Tub on its Own Bottom” (ETOB) was coined at Harvard in the early 1800s. A tub is a high-level institutional unit responsible for its own budgeting, fundraising, and solvency. ETOB is used to describe the decentralized organization and financial arrangement of Harvard’s principal academic and service units. Among Harvard’s 12 schools and various academic and service units, more than 50 tubs and hundreds of sub-tubs are independently funded, managed, and controlled. This decentralization results in the central administration having less authority than it otherwise might have.

A subcertification plan. In 2003, after 367 years without subcertifications, Harvard’s central administration began laying out a subcertification plan. The immediate need was to assist the president, provost, vice president for finance and CFO, and controller with signing an external audit representation letter that was more than 32 paragraphs long. The subcertification approach was developed using the following steps:

1. Parsing the universitywide representation letter into three sets of financial representations that map to the responsibilities of Harvard’s vice presidents, central administration directors, and tub leaders. This step created a financial responsibilities map.

2. Creating a three-column matrix from the financial responsibilities map that indicates the representation (first column); “yes,” “no,” or “not applicable” (second column); and comments and disclosures (third column).

3. Requiring individuals in each of the three groups (vice presidents, central administration directors, tub leaders) to indicate a “yes,” “no,” or “not applicable” response to every “assigned” financial representation.

4. Requiring written comments for every “no” response.

5. Attaching the completed matrix to a certification letter addressed to the vice president for finance and CFO.

6. Requiring that deans and directors responsible for the certification sign the letter, making the attestation official and complete.

The certification process began in 2004, a year after the plan and approach were developed. In contrast with UTS, Harvard did not have a history of formal fiscal training. As the process unfolded, the office of the controller answered many questions and provided background resources for staff.

Discoveries. Subcertifications at Harvard were deemed necessary, and the university was quite serious about compliance. Rather than spending years studying and training, institution leaders began the new process with the intention of gaining knowledge and techniques along the way. An early concern raised by those with fiscal responsibility was indemnification. In other words, would the university indemnify an individual in the event there were issues related to one of the individual’s representations? Bounty recommended involving general counsel from the start.

Another concern was the determination of materiality within the context of one’s area of fiscal responsibility. Accordingly, the controller’s office assisted with materiality determinations. Finally, the controller’s office was asked to provide guidance to assist with determining the appropriateness of certain fiscal representations. Since 2004, the controller’s office has been adding tools, resources, and training. The institutionwide result has been a higher level of engagement by all with fiscal, budgeting, and solvency responsibilities.

Stay Tuned

The NACUBO Advisory Report 2003-3 recommended that institutions start identifying and evaluating the adequacy of their controls over financial reporting. Institutions were also advised to consider certifications and subcertifications. Several years later, many institutions are implementing certifications and addressing their internal controls challenges. With the first audit season underway for which SAS 112 applies, there will be more to come in this general area. Keep abreast of these topics using the recommended resources noted in this article.

SUE MENDITTO is director of accounting policy at NACUBO, and KIMBERLY DIGHT is director of fiscal services special projects, George Mason University, Fairfax, Virginia.


  • NACUBO Advisory Report 2003-3: The Sarbanes-Oxley Act of 2002: Recommendations for Higher Education,
  • COSO Internal Control Over Financial Reporting—Guidance for Smaller Public Companies, 
  • “Taking the Right Path: Sarbanes Summit,”
  • SAS 112 Resource Page,
  • Practitioners Publishing Company Guide to Audits of Nonprofit Organizations, available from