High Tech, High Stakes
From operational efficiencies to transformational processes, information technology's role at colleges and universities demands top-tier leadership. Here are some areas where the CBO's steady oversight and involvement can be IT game changers.
By Nancy Gunza
As everyone in higher education is aware, technology spending can constantly increase and still not seem like enough," noted Mary Stephens, California State University, Long Beach, in her essay "When Modifications Are a Must," in the July/August 2012 Business Officer. CSU Long Beach's vice president for administration and finance, Stephens knows that network infrastructure is only part of the story.
From designing experimental classrooms for instructional technology to considering what kinds of mobile devices to use for information distribution, institutions continue to press forward with information technology applications. "People often don't realize," wrote Stephens, "that the infrastructure and security issues involved in providing such [things as] mobile services are significant. But that fact doesn't mean the demand will go away or that we can ignore it."
Meanwhile, colleges and universities already have fleets of professionals dedicated to filling technology demands, so why should a chief business officer focus specifically on IT? The typical answer is simple: Information technology is central to the institution's strategic vision, compliance issues, financial reporting, and internal controls. But, when you consider the fact that EDUCAUSE reported in its October 2011 Core Data Service Report that median central IT spending per institutional FTE ranged from $562 in associate's institutions to $2,051 in private doctoral institutions, it's clear that technology already has a front-row seat at the strategy table.
What's more, access to the latest technology has become a critical factor in the educational experience for students. The EDUCAUSE Center for Applied Research (ECAR) makes the following recommendation in its National Study of Undergraduate Students and Information Technology 2011: "Make more and better use of technologies that students value—and that are easily integrated into learning experiences in the shared environments in higher education (e.g., tablets, smartphones, student response systems, or clickers). In many cases, these are technologies that distinguish highly rated from less-highly rated institutions on the effective use of technology today."
Deal Yourself Into the Debate
Given the high stakes that IT represents, several top-of-mind issues have evermore influence on the business office:
IT is a prime target for cost cutting, which can put an institution at risk if expense reductions are not managed strategically. As such a large budget expense, technology-related line items are often vulnerable to software, hardware, and staffing cost reductions. Failure to strategically manage such adjustments can open up the institution to security risks, weaken its key internal controls, or undermine the success of its high-priority programs.
Since the business officer needs comprehensive knowledge of all IT costs in order to manage the institutional risks associated with financial priorities and strategies, a strong relationship between the finance office and the IT office is critical. Such an alliance can help ensure that technology spending decisions are supported and understood—and that cutbacks in technology do not impede the progress of the institution's strategic vision.
"I meet with the chief information officer frequently," says Laurie Levine, vice president for business and finance, Lynn University, Boca Raton, Florida. "We discuss IT priorities and budget matters. Communication is key to staying ahead of IT decisions and strategies."
At Lynn, says Levine, the CIO reports to the president. "Because of the close communication with the CIO and the entire management team, budget decisions are centralized and trade-offs are understood by all. An example of a recent IT decision has to do with extending the refresh cycle for computers and considering the impact that decision has on users."
This type of relationship also can be built when the CIO reports to the business office, but that is not typical. The EDUCAUSE 2011 Core Data Service Report indicates the following reporting lines, which have not changed appreciably since 2006: Roughly one third of higher education CIOs report to the president or CEO of the institution; slightly less than one third report to the chief administrative officer; one fifth report to the chief academic officer; and only 14 percent report to the chief financial officer.
Information technology poses significant compliance and reporting implications. Most, if not all, institution operations are regulated by federal and/or state rules, especially in the area of data protection and privacy. Such issues touch everything from student financial aid and privacy-including the Health Insurance Portability and Accountability Act (HIPAA)-to the U.S. Federal Information Security Management Act and numerous research activities. Institutions can avert compliance breakdowns with proper controls.
Internal and external reporting processes also can be leveraged with information technology for financial reporting, internal controls, and auditing. Institutional reporting requirements continue to increase at the same time that demands for administrative cost reductions expand. Federal and state reporting requirements under new legislation and regulations are the norm, including such recent additions as ARRA Section 1512 reporting, FFATA Subaward reporting, and FBAR reporting for foreign bank accounts. However, these processes also can be streamlined with efficient IT use.
Technology is a key factor in the institution's long-term sustainability and viability. Every school's strategic plan embraces bold institutional and transformational goals that can be achieved only by leveraging IT resources. Attracting and retaining students and faculty requires a commitment to maintaining and sometimes leading innovations in educational delivery systems. The business officer needs to be in sync with strategic plans and how they relate to IT functions and priorities in order for the institution to thrive and evolve.
The business officer needs to be in sync with strategic plans and how they relate to information technology functions and priorities.
For Joseph Trainor, senior vice president of finance and CFO at the University of the Sciences, Philadelphia, that means "participating in the university's standing technology committee, which includes representation from not only the business office, but the office of the provost, the IT department, faculty, and development." The committee meets frequently, says Trainor, "to review technology needs across the university, including IT security. Currently, we are evaluating the level of online programming we offer and wish to offer. Since we are a specialized institution, many of our courses have a lab component and require innovative solutions. As we expand our offerings, we see advantages with partnering with third parties for certain programming, while providing the entire infrastructure for others."
Additional Aspects for CBO Oversight
Apart from the areas mentioned earlier, the CBO can be involved in other concrete steps taken to support the strategic importance of IT. These relate to (1) overall costs, (2) IT acquisition and disposal policies and procedures, and (3) operational and security issues, some of which relate to the explosive growth of mobile computing on campus.
At what expense? University of the Sciences' Trainor notes that technology evolves so quickly that many private institutions such as his cannot look to tuition rate increases to absorb the costs of new technology. That poses the challenge of continuing to attract students who want the latest and greatest, while absorbing the associated expenses.
To determine current and future student technology needs, says Trainor, "We assessed what we had and how it fit into the university's strategic plan. As we further clarified the plan's imperatives, we specified technology priorities and timelines. Along the way, we performed an organizational review so that we could realign resource allocations where necessary."
Acquisition and disposal strategies. These may include decisions regarding leasing versus purchasing equipment and outsourcing versus insourcing services. Variables to consider with regard to costs and leasing versus owning include compliance factors, the extent to which business operations are centralized, and the size of the organization in terms of cost efficiencies for bulk-purchase agreements.
- Purchasing options. The useful life of technology can drive the lease-versus-buy decision. For example, as software and hardware need to be continually updated, leasing for short periods of time can be cost-effective. According to Trainor, the University of the Sciences leases its computers to maximize cost efficiencies and enable students, faculty, and staff to keep current. When the university purchases computers, notes Trainor, the tendency is to continue using them beyond a three- or four-year life cycle. "This means that students, faculty, and staff were dealing with older equipment, while IT staff was spending a greater amount of time stabilizing the older units. With students now arriving with their own new computers, this difference is being lessened, but computers represent only the tip of the iceberg." Trainor recognizes that the university has to make sure it is providing opportunities for faculty and staff to learn to use the latest software features such that their effectiveness and work satisfaction are not negatively affected. A proposed change in lease accounting rules could be an important factor in evaluating hardware purchasing versus leasing. The International Accounting Standards Board (IASB) and the Financial Accounting Standards Board (FASB) agreed in June on an approach for accounting for lease expenses as part of a project to revise lease accounting in International Financial Reporting Standards (IFRS) and the U.S. Generally Accepted Accounting Principles (U.S. GAAP). Under the new rules, many leases of more than one-year duration would be included on the balance sheet. This could have an impact on certain financial measures that are used both internally and externally to evaluate an institution's financial health and debt capacity. Another key cost consideration pertains to outsourcing IT services versus leveraging in-house resources. As new technology options enter the marketplace and third-party providers offer more resources and services, many institutions are finding that outsourcing can be customized to fit their needs. Not only can colleges and universities outsource certain services, such as payroll and help desk; but some institutions may choose to outsource key capabilities, including financial aid processing, student payments, or the IT internal audit function. "Outsourcing and insourcing are both strong considerations for IT costs," notes Lynn University's Levine, who says that her university typically considers how often to refresh specific pieces of equipment when making decisions about outsourcing. "The time frame for reviewing outsourcing decisions," explains Levine, "is anytime we are committing to a major purchase or extending an existing contract. Some examples of items we outsource are the online bookstore, student e-mail, campus cards, and online student tuition payments." (For a sample guide on IT equipment disposal, upgrade, or purchase, see sidebar, "Refresh or Replace.") Outsourcing can be used to limit liability associated with regulatory compliance, disaster recovery, data center consolidation, and leasing and licensing costs. Exposure to liability can be significantly decreased by outsourcing functions that involve the privacy of student financial information, credit cards, and accounts. At Lynn University, says Levine, all vendors dealing with cash are required to provide yearly PCI (payment card industry) compliance reviews. In some cases, IT costs have decreased. For example, the costs for server space, hardware, and telecommunications have gone down in recent years, allowing for IT expenses to be shifted to other priorities. And although it can be tempting to buy the latest and greatest device, "older" technology can be more cost-effective and perform equally as well as the newest technology for many institutional needs.Foiling Data Thieves" in the September 2010 Business Officer.) Long-term financial strategies also include considerations such as returning leased equipment and selling or donating owned equipment. Under lease agreements, every piece of leased equipment must be returned to ensure that the institution does not incur needless penalties. If donating is an option, ensure that the financial benefits have been included in IT strategic planning.
- Letting IT go. At first it may appear that decisions regarding the disposal of IT assets can wait until hardware and software are nearing the end of their life spans. It is wiser, however, to make IT asset disposal part of the overall IT strategy from the start, as it can be both risky and costly to postpone disposal decisions. Levine and Trainor note that disposal of equipment is outsourced at their respective institutions for security and liability reasons. One important risk area: Without advance planning and communication, data on hardware and software that is set to "expire" can be lost, disclosed, or inappropriately redistributed if equipment is not disposed of properly. HIPAA privacy breaches and other serious issues can arise when data remains, presenting potentially significant compliance concerns. Hard drives, discs, zip drives-all types of media that could include data-need to be controlled and destroyed under clear and consistent guidelines. (For more details on securing sensitive data, see "
Operations, security, and data recovery. Backup and recovery plans are essential to any IT planning effort, especially as they concern compliance. Temporary, short-term interruptions and malfunctions need to be considered as well as potentially long-term events such as natural disasters, fires, and other unforeseen events. The costs of recapturing lost data and staff time could be catastrophic if backup and recovery are overlooked.
Security issues shadow information technology virtually everywhere IT exists. Naturally, it's a hot topic among business officers. "Data breach from either internal or external sources remains a huge concern," says Levine.
Multiple types of data on campus are subject to confidentiality and privacy considerations relating to applicants, enrolled students, faculty, and staff. Payroll, academic, personnel, and financial aid records may be subject to privacy rules and regulations. Research and development data and content also need to be protected-even more so when an external funder is associated with research.
A proposed change in lease accounting rules could be an important factor in evaluating hardware purchasing versus leasing.
Outsourcing can be an option for protecting certain data and information, allowing third-party providers to take on the risk of retaining account information found in student records and payments. Establishing a formal contract with a reputable third-party provider is a must; perform due diligence on the provider, as well. Levine says, "We would ask for the following: PCI Compliance, SAS 70/SSAE 16 yearly review, security audits, disaster planning policies and procedures, and a clear statement on data ownership."
Risk mitigation is a vital aspect of every IT strategy. Campuswide vulnerability assessments allow for the evaluation of equipment, IT practices, and security issues in every department so that potential data and privacy risks can be addressed. Employ classification policies to identify data categories (such as confidential, public, proprietary, and sensitive); track and secure intellectual property; and assign accountability and responsibility to data owners.
While tablets and other mobile devices are lessening the need for the typical desktop computer in certain areas, many of these devices automatically interface with various campus ERP systems, says Trainor—and are more easily lost or stolen. Hence, password protection, data storage options, and encryption features are also issues that IT needs to constantly reassess.
A culture of security can be created by communicating consistent and timely messages about the use of passwords, not opening or forwarding suspicious-looking e-mails, limiting access to devices and computers, and backing up and shutting down computers.
Encryption is necessary for every device (including tablets and mobile phones) that could allow access to the institution's data. Higher education institutions can make for popular targets because of the news value of a major breach and the types of data that could be accessed and collected from a university.
Disaster recovery plans need to be living documents that are revisited annually, at a minimum. In your recovery plans, include virtual backups, alternative physical locations for operations and academic priorities, and policies and procedures that include IT considerations in crisis situations. Also include financial reporting processes and transactional logs that rebuild activities in the case of interruptions.
What's Up Next in IT?
Here are some evolving areas that will involve top-level institutional decision making.
Counting on the cloud. Quickly moving from novelty status to a generally accepted component of technology decision making is cloud computing. Widely used for data storage, it eliminates the need to maintain certain hardware and staffing functions in-house.
One of the cost considerations: Cloud computing allows for services to be expensed on a usage basis. Pricing of cloud services is generally based on the amount of capacity used on the cloud servers, thus reducing the cost by eliminating the need to purchase and maintain servers that exceed the capacity needed. This makes using the cloud more scalable, as institutions pay only for what they use; and additional capacity can be quickly added when needed without incurring additional hardware costs.
"Cloud computing has risen to the forefront because of the ease of administration and the fact that cloud computing allows quicker access to programs and solutions than we would experience if we had to build everything ourselves," says Levine.
Delaware County Community College, Media, Pennsylvania, is looking to contract with a vendor for cloud computing to store data, says John Glavin, vice president of administration and treasurer. As the students' and college's needs for greater capacity increase, the cloud may be a better option than buying more servers.
While cloud computing does offer cost and other efficiencies, it is not risk-free. Information stored in the cloud can be accessed from many devices; security controls need to be enabled on demand; and the cloud's perimeters are fluid, meaning that an attack on one organization could have an impact on other customers, including colleges and universities.
Consequently, when considering which functions are most suited for the cloud, CBOs and other senior leaders are wise to create a hierarchy of functions ranging from mission-critical to administrative and then evaluate whether to make each function cloud-based or not. As with other outsourcing decisions, multiple cloud solutions and vendors make selecting the best provider a challenge.
That said, the rewards of cloud computing are many, with the highest being third-party responsibility for security, storage, and operations. Oversight of cloud providers is essential, and all related agreements should include provisions for: data integrity; potential data loss, leakage, or tampering; account, service, and traffic hijacking; access management; encryption; data location and physical security of hardware; recovery; and investigative support.
Social media and other trends. Another emerging IT issue concerns budgeting for social media. In Gamechangers: Education and Information Technologies (EDUCAUSE, 2012), EDUCAUSE President and CEO Diana G. Oblinger writes: "A majority of students own a laptop (87 percent), an iPod (62 percent), a smartphone (55 percent), a digital camera (55 percent), and a webcam (55 percent). ... Virtually all students (99 percent) use e-mail, text messaging (93 percent), Facebook (90 percent), and instant messaging (81 percent)."
Establishing a clear direction and strategy for supporting and using such diverse devices helps prioritize expenses and protect the institution's credibility. A strong social media policy ensures consistent messaging from university authorities and also provides guidance for students to refrain from creating and distributing content that could put the university's reputation at risk. According to Levine, social media is a significant aspect of admissions marketing at Lynn University. All admission counselors are quite active on Facebook and Twitter, as are many academic departments. Additionally, many marketing campaign materials are distributed via social media.
Trainor says three major trends challenge the University of the Sciences in providing the technology students expect: wireless infrastructure, mobile devices, and virtual learning platforms such as simulated health-care clinical lab sessions.
Other institutions are looking at highly targeted IT solutions to fit specific needs. At Delaware County Community College, enrollment has grown so fast that student advisers can't keep up with the workload. As a result, the college is looking at software that would enable students to obtain academic "self-advising" information without hiring additional advisers. Gavlin says, "The college is also trying to provide more non-IT faculty and staff with end-user software so that they produce financial and research reports without IT staff."
The pressures to keep up with technology and hold costs in check has forced some innovative solutions, including sharing of resources between or among institutions. A notable collaboration was recently announced by five Massachusetts research universities (Harvard University, the University of Massachusetts, Massachusetts Institute of Technology, Boston University, and Northeastern University), the state government, and private industry. Together, they are building the $80 million to $100 million Massachusetts Green High Performance Computing Center in Holyoke, Massachusetts, in connection with Cisco Systems and EMC2. The facility will be the base for shared high-speed computers and collaborative research in climate change, biofuels, life sciences, clean energy, and other areas that rely on computation.
For an example of a partnership in the area of disaster recovery, see "A Beneficial Bet".
Regardless of IT issues and decisions specific to higher education-and no matter the size or type of institution-representative CBOs generally agree that collaboration with key technology staff is essential to effective IT gamesmanship. And, as Oblinger writes, "For higher education to achieve its mission, we owe it to ourselves and society to use IT well and wisely. IT can be a game changer."
NANCY GUNZA, a certified public accountant, is a partner at CliftonLarsonAllen LLP, an accounting and consulting firm in Philadelphia. She currently serves as chair of the not-for-profit committee of the Pennsylvania Institute of Certified Public Accountants.