VOLUME 52 | NUMBER 3 | SPRING 2009

Higher Education Compliance Challenges

INSIDE:
Building a Compliance Program
Electronic Workpapers
All the Cash, Much of the Risk
Medical Records
Audit and Compliance
Computer Assisted Audit Techniques

CONTENTS

FEATURES

ACUA LIFE
Meet Your ACUA Board Members Phil Hurd and Tina Maier. By Brenda K. Mowers
Inside ACUA-L. Compiled by Brenda Mowers

INTERNAL AUDIT ORGANIZATION
Building a Compliance Program in Higher Education Institutions Without Compliance Officers. By Susan Keller

INTERNAL AUDIT PRACTICES
Electronic Workpapers (On the Cheap). By Mel Hudson-Nowak

HIGHER EDUCATION
All the Cash, Much of the Risk, But Too Few of the Curbs. By Marianne M. Jennings
Medical Records: Signed, Sealed and Secure. By Kay Hardgrave
Audit and Compliance: Understanding the Difference. By Andrea Claire

COLUMNS
Addressing Common Barriers to Using CAATs. By Donald E. Sparks

DEPARTMENTS
From the Editor
From the President
From the Executive Director

ACUA members are invited to submit letters and original articles to the editor. Go to and click on the FAQ and Publication for further guidelines. Please send your copy electronically to the editor or ACUA in Word 95 (or higher) or text file format. The editor reserves the right to reject, abridge or modify any advertising, editorial or other material.

Editor
John M. Fuchko, III, MBA, CIA, CCEP, Board of Regents/University System of Georgia, (404) 656-9439

Contributing Editors
ACUA Life: Vacant
Internal Audit Organization: Claire Sams Milligan, Alabama Department of Postsecondary Education
Internal Audit Practices: Mel Hudson-Nowak, Bowling Green State University
Higher Education: Michael J. Foxman, University System of Georgia
Columns: Sterling Roth, Georgia State University

Copy Editors
ACUA Life: Brenda Mowers, Montana State University Bozeman; Donna Stapleton, Technical College System of Georgia
Internal Audit Organization: David Dixon, Governors State University
Internal Audit Practices: Amy Hughes, Michigan Technological University
Higher Education: Mary Ann MacKenzie, Auburn University
Columns: Beverly Hawkins-Llewellyn, The University of Montana

College & University Auditor is the official publication of the Association of College & University Auditors.

ACUA Management
Stephanie Newman, Executive Director

It is published three times a year as a benefit of membership. Articles in College & University Auditor represent the opinions of the authors and do not necessarily represent the opinions of governance, members or the staff of the Association of College & University Auditors. Acceptance of advertising does not imply endorsement by ACUA. 2009 Association of College & University Auditors.

Send address changes to: ACUA, PO Box 14306, Lenexa, KS 66285-4306.

COLLEGE & UNIVERSITY AUDITOR

LETTER FROM THE EDITOR

Hope is not a Method
By John M. Fuchko, III, MBA, CIA, CCEP, Editor

Compliance. Ethics. Scandal. Risk. Transparency. Oversight. Ponzi scheme. Professionals in the field of higher education auditing and compliance need not look far when considering the potential risks faced by their institutions. Our spring 2009 CandU Auditor theme is Higher Education Compliance Challenges. This edition is our attempt to provide readers with some clear perspectives on how a compliance program might reduce both the likelihood and the impact of some of the potential risks that internal auditors are called to assess.

However, a clear perspective is not always easy to find. Genuine differences exist on the role of internal auditing in the compliance arena. Some professionals see a compliance program as entirely distinct from internal audit. Other professionals believe that internal audit should help to start the compliance program while preparing the program for eventual independence from internal audit. Still other professionals might suggest that a compliance program has a permanent place in the internal audit department, albeit with some distinction between the internal audit function and the compliance function. We have attempted to include authors who represent these various perspectives and we will leave it to the reader to sort through the best solution for his or her institution.

BRIEF OVERVIEW AND FUTURE ISSUES

This edition includes an article by our very own Mel Hudson-Nowak on how an institution might implement electronic working papers using a standard Microsoft Office product. Mel also produced two articles for our winter 2009 issue. We certainly appreciate her commitment to sound articles that add value to this publication. Susan Keller provides some excellent insight on how an institution without a compliance officer might go about establishing a compliance program while Andrea Claire helps to clarify the difference between an internal audit function and a compliance function. Kay Hardgrave provides some practical advice on auditing medical records. Donald Sparks serves as a guest columnist with his column on using computer assisted audit techniques. Finally, Marianne Jennings makes an excellent case for the importance of ethics in higher education.

Our Summer 2008 edition will focus on Globalization & International Programs: Risk & Opportunity. Several interesting articles are already lined up for this issue to include an article on the difference between GAAP and IFRS and another article on understanding SAS 70 reports. We also expect to see an article on study abroad programs, best practices in managing internal audit and a column on information age fraud schemes. We will be establishing our themes for the next year's issues prior to the ACUA Annual Conference. Reader suggestions and feedback are certainly welcome!

On the lighter side, our ACUA Life section includes our President's perspective on audit and compliance. Also, we have the opportunity to hear from our new Executive Director, Stephanie Newman. Readers are also provided a short introduction to ACUA Board Member Phil Hurd and ACUA Board Secretary/Treasurer Tina Maier. Finally, Brenda Mowers has once again done an excellent job of highlighting and summarizing some recent ACUA-L postings.

HOUSEKEEPING

I already noted that the editorial staff would certainly appreciate any feedback or ideas that our readers might have as it pertains to future themes and articles. Please feel free to send me your thoughts at or you can call me at 404-656-9439. Also, please note that we have several vacancies on our volunteer editorial staff. Mel Hudson-Nowak is leaving her role as Internal Audit Practices Section Editor. Mel will continue to write for the journal and I am pleased to announce that Amy Hughes will step up from her role as Internal Audit Practices Copy Editor into the role of Section Editor. However, we still have vacancies in the ACUA Life Section Editor position and in the Internal Audit Practices Copy Editor position. Interested individuals should contact me.

LETTER FROM THE PRESIDENT

Audit and Compliance: A Natural Partnership
By J. Richard Dawson, CPA, CIA, President

ACUA members have strong ties with compliance functions. Many of our members are responsible for the compliance functions at their institutions and our association has been very supportive of compliance activities. There is a compliance track at our annual conference and our midyear conference usually includes many compliance related subjects. Additionally, ACUA has been a sponsor over the last several years of the Conference for Effective Compliance Systems in Higher Education hosted by the Society of Corporate Compliance and Ethics.

Other than ACUA President, I am one of those ACUA members with dual responsibility. My job is executive director for Audit, Compliance & Risk Services at The University of Texas at San Antonio. There are two separate offices that report to me. The Office of Auditing & Consulting Services functions as does any other audit activity. I view that office as a detective control providing assurance that high risks are being mitigated to an acceptable level and that the institution is operating efficiently and effectively. The Office of Institutional Compliance & Risk Services, on the other hand, functions as a preventive

The close working relationship necessitates significant coordination and collaboration between the two functions [of audit and compliance] ..

RISK IDENTIFICATION

Annually, we perform a university-wide risk assessment by providing the President, Vice-Presidents and senior administrators with a comprehensive list of higher education areas. They score each risk for the impact it may have and probability of the risk occurring. This list is very similar to the list in the ACUA Risk Dictionary. We then assign a ranking to each item based upon the score given and determine which items are of highest risk to the institution. The final list is usually around ten to twelve areas and is approved by the Executive Compliance Committee. It is important to note that we will drill down from the executive level risks to the operational level in order to ensure that all risks identified have been addressed from the C suite to the cubicles.

RISK OWNERSHIP

After the high risk list has been approved by the Executive Compliance Committee, each high risk area is assigned to an Institutional Risk Owner (IRO). Although there may be crossover among vice presidents, we assign one individual as IRO. This is usually a vice president for whom the authority to take action is most appropriate.

RISK MANAGEMENT