Rein in Your Risk, Manage Your Audit
Threats to institutional assets join the growing stable of business office concerns. A culture focused on knowledge, preparation, and deadlines helps reduce risk and keep accounting operations aligned with reporting requirements.
By Tadu Yimam and Bryan Dickson
Getting Ahead of Risk
Janice Abraham, president and CEO of United Educators Insurance, kicked off the forum by discussing risk as a concept. According to Abraham, “Many industries are trying to embrace risk management as a concept, which simply means understanding events that could happen that prevent an organization from achieving its mission. An institution’s assets, including those on the balance sheet and intangible assets such as an institution’s reputation, need to be adequately protected.”
Risk management is a construct that we are hearing more about because trustees are viewing their fiduciary responsibilities through a different lens, noted Abraham. Many governing board members have a business or corporate background, and every year more higher education leaders come from outside the industry. In a business environment, risk is dealt with as an everyday operational activity; consequently, trustees and leaders are sensitive to the significance of risk.
Abraham’s remarks helped the audience understand risk as an overlay that affects planning, resource allocation decisions, and daily operations. Risk management’s paradigm of identification, assessment, communication, and monitoring is compatible with a well-run organizational approach to meeting objectives.
Risk Considerations in Resource Allocation
In her session, Linda Kroll, director of university budgeting and financial planning at the University of Notre Dame, Indiana, took many of the points raised by Abraham and illustrated their application in planning and resource allocation decisions. Kroll began by defining risk management as the process of identifying areas of exposure for your institution and developing strategies to mitigate these risks. She asserted that there exist three primary types of risk: normal operating risk, internal risk, and external risk, of which disaster-related risk is a subset. Furthermore, a risk climate may include various factors: economic, environmental, political, social, technological, infrastructure, personnel, and organizational structure.
Normal operating risk. This type of risk is associated with loss of normal business activities. Normal operating risks are usually identified by management and external auditors and have reserves recorded in the institution’s financial statements.
Internal risk. The risk of large future expenditures or other operating risks for which reserves are not required by external auditors is classified as internal risk. These risks may hold reserves in unrestricted net assets and are identified by management and the organization. Common internal risks may include endowment fluctuation, technology refreshment, and regular facility maintenance.
External risk. While similar to internal risk, this type of risk is due to external, often unforeseen, events including a disaster, the loss of a major contract, or the loss of a major revenue stream.
Kroll noted that each of these key areas of risk is applicable to all institutions, whether public or independent, large or small. To adequately address each area, leaders must begin by identifying groups to meet regularly, even if only for a day, to assess where the institution may be at risk.
- Internal and external auditors along with the institution’s controller can assess normal operating risk.
- A group composed of planning and budgeting officers, the vice president for finance, and other university leaders ought to consider internal and external risks related to financial planning.
- The risk management office should assess external risk associated with property loss.
- Committees composed of executive management might best address disaster-related external risk.
In each instance, the appropriate teams brainstorm risk scenarios, evaluate probability, estimate impact, and propose a response. Kroll suggested that a series of standard questions can assist team members as they move from a list of risks to a proposed response.
- Are there needs accumulating or situations increasing on campus that have no current resource plan?
- What would happen in a disaster scenario?
- What operational activities could mitigate the disaster in this scenario?
- What financial resources are available to address the identified mitigating activities?
- Are there financial reserves that should be considered?
- Does the identified situation warrant recurring consideration in the annual planning process?
- Does the identified scenario need to be addressed through a long-term plan?
All of this, Kroll proposed, leads to an annual evaluation. Each year the results of the assessment are incorporated into an institution’s annual planning and budgeting processes.
As part of her presentation, Kroll provided examples from the assessment of normal operating risk, internal financial risk, and disaster-related risk from her own institution. Additionally, she shared suggestions of sources for building reserves for risk, including unrestricted bequests, endowment overhead, unrestricted endowment appreciation, and unit-level incentive funds for those units coming in under budget. The latter may help mitigate the end-of-year buying spree that can occur for some units and colleges that still have funds available near the end of their fiscal year.
Kroll concluded by detailing Notre Dame’s emergency plan (http://emergency.nd.edu/), which outlines a structured approach to classifying and responding to various emergency situations including communication, organizational structure, and protocols.
Tax Issues to Watch
Two representatives from NACUBO’s Tax Council presented an update on tax issues likely to affect higher education institutions in the year ahead. Joe Irvine, director of planned giving, Ohio State University, and Ed Jennings, corporate tax manager, University of Michigan, offered an overview of four issues particularly worth monitoring.
Endowments. During the past year, members of the Senate Finance Committee (SFC) have been seeking ways to address rising college costs. Senator Max Baucus (D-MT), chair of the SFC, and Senator Charles Grassley (R-IA), ranking member of the SFC, have promoted and encouraged nonprofit organization reform on issues that affect educational institutions.
A January 24, 2008, letter from Senators Baucus and Grassley to 136 colleges and universities questioned the stewardship of endowments and percent of spending on student aid and requested higher transparency. Irvine noted, “This year’s scrutiny is just the beginning of what may come—congressional requirement for colleges and universities with significant endowment assets to increase spending on student aid and to moderate tuition increases.” (No specific legislative proposal has been introduced.)
Cell phones. In mid-February 2008, bills were introduced in both houses of Congress (House Ways and Means Committee and the SFC) to update the tax treatment of employer-provided cell phones and devices such as Blackberrys and similar mobile communications. Under current law, employers, including colleges and universities, are required to maintain extensive records related to institution-provided cell phones for employees’ business use.
As an alternative to this recordkeeping requirement, institutions may provide a taxable allowance for employees to cover the purchase and business use of the phone. If adopted, the proposed legislation would allow employers to provide employees with these devices without either maintaining detailed usage records or generating taxable income to the employee. (As of press time, the House had approved the Taxpayer Assistance and Simplification Act of 2008 [H.R. 5719], but the bill had yet to be considered by the SFC.)
Form 990. Both Jennings and Irvine explained the recent release of the Internal Revenue Service’s revised and expanded Form 990 for tax-exempt organizations. “The new form is to be used beginning in 2009 for the 2008 tax year, and is the first major revision of the form since 1979,” said Jennings. The IRS’s guiding principles in redesigning the Form 990 were to enhance transparency, promote tax compliance, and minimize the burden on filing organizations. However, for most colleges and universities, the new reporting regime will be more complex and burdensome than before.
“The new format responds to many of the comments received on the draft form, including those filed by NACUBO and 18 other higher education associations,” added Irvine. The final revision includes a core form that all exempt organizations will complete along with up to 16 schedules that must be attached if relevant.
The IRS, in an effort to gather input from organizations that are transitioning to the new reporting regime, is soliciting comments from the exempt organizations community on the draft instructions that will accompany the new core form and schedules. The instructions are organized with a general overview for each form, along with line-by-line instructions to help in answering each question. Also included are a glossary of terms, a compensation table to assist organizations with determining how and where to report items of compensation, and examples. Public comments on the draft instructions were available for public comment until June 1, 2008. The final version is expected to be published later this year.
Tax-exempt bonds. During the past several years, the IRS has allocated additional resources and increased its focus on enforcement in the tax-exempt bonds (TEB) area. Jennings explained, “In order to promote voluntary compliance with the provisions of the Internal Revenue Code relating to tax-exempt bonds, TEB has expanded its pre-existing voluntary closing agreement program.”
Irvine and Jennings agree that the IRS has developed a general voluntary closing agreement program in an effort to encourage bond issuers and conduit borrowers to voluntarily correct violations of the tax law related to their tax-exempt bonds. The IRS is now working diligently to take the next major step of building out a general framework of voluntary closing agreement terms.
Assessing Your Audit Culture
With little or no dispute, the biggest news in accounting within this decade has been the 2002 Sarbanes-Oxley Act. Yet, SOX is directed at stock-issuing corporations, not nonprofits. Why should higher education institutions take note of that legislation and even follow some of its new rules? Louis Mezzina, partner, national industry director for higher education at KPMG, LLP, and Cheryl Soper, controller and director of financial operations, University of Michigan, offered attendees a sharp look at what to expect and what can be expected in today’s auditing world, including the need to be mindful of SOX rules.
Learning lessons, avoiding scrutiny. In addition to the fact that the nonprofit sector is a significant part of the overall U.S. economy, with assets reaching $1.73 trillion and investments circling $653 billion, many board members in higher education are chief executive officers, chief financial officers, or directors of corporations, Soper explained. They’re hearing about all their new responsibilities under SOX in those jobs, he said, and so it’s natural for them to ask institution leaders, “What are you doing along these lines?”
With state attorneys general enacting SOX-like requirements, the nonprofit sector is a top priority of the IRS. Various reasons such as e-filing, data mining, limited scope audits, compliance questionnaires, and the complete revision of Form 990 are only a few examples of increased public scrutiny. In addition, Soper added, “The more important reason is that there are lessons to be learned and best practices that we can put in place. SOX puts a lot of emphasis on internal controls, which are very important at all our institutions.”
Establishing clear communication. Mezzina moved the discussion toward Statement of Auditing Standards (SAS) 112 and 114. The most common conceptual misunderstanding, he said, is the belief that the auditor’s drafting of the client’s financial statements automatically results in a deficiency. Asking the auditor to draft the financial statements does not cause a control deficiency; however, it is likely the result of one. A control deficiency exists if the institution does not have controls over the preparation of the financial statements, including the footnote disclosures, which would prevent or detect a misstatement in the financial statements. This is something institutions must be clear about, Mezzina said.
In an effort to combat communication issues, the American Institute of Certified Public Accountants last year issued SAS No. 114, “The Auditor’s Communication With Those Charged With Governance.” SAS 114 broadens the applicability to all nonissuer audits and establishes a requirement for the auditor to communicate to audit committees certain significant matters related to the audit, continued Mezzina. SAS 114 uses the term governance for those individuals in the organization who are charged with the responsibility for overseeing the strategic direction of the entity and the obligations related to the accountability of the entity, including overseeing the entity’s financial reporting process.
“According to SAS 114, this includes the board of directors or audit committee, if those terms are used,” added Soper. Management, on the other hand, are those individuals who are responsible for achieving the objectives of the entity and who have the authority to establish policies and make decisions by which those objectives are to be pursued. Management is also responsible for the entity’s financial statements.
Preparing for an audit. Clear messages and communication are incredibly important to relieve frustrations on both ends of the auditing process. To prepare for your institution’s audit, Soper and Mezzina recommended some simple tasks for the client and the auditor, such as holding a planning meeting, identifying new accounting and auditing standards early on that may affect the process, segregating duties, and adhering to deadlines. The key is to manage expectations on both ends.
For an auditor, having a client that keeps complete, accurate, and accessible records and other information prepared well in advance will help ensure that the audit process goes smoothly and more quickly, reducing financial and emotional costs. For an institution, having qualified and knowledgeable audit staff who are flexible about audit schedule formats and well informed of current events is imperative. As Soper stressed, “These are your financial statements. Take control of the process.”
- ED Proposes Substantial Expansion of Financial Responsibility Indicators
- Supreme Court Hands Down Two Decisions with Higher Education Implications
- NACUBO Objects to Annual SFA Audits
- 2016 CAO and CBO Collaborations
August 1-2, 2016
- 2016 Planning and Budgeting Forum
September 19-20, 2016
- 2016 Managerial Analysis and Decision Support
November 17-18, 2016
- WEBCAST: The CBO's Role in Diversity and Inclusion on Campus
Thursday, June 30, 2016 1:00 PM ET
- ON-DEMAND: The Clery Act: Strategic Planning to Mitigate Institutional Risk
- ON-DEMAND: Title IX: Key Issues Surrounding Institutional Compliance
- ON-DEMAND: NACUBO Live! Higher Education Accounting Forum
- ON-DEMAND: Responsibility Center Management: Two Different Perspectives