At colleges and universities across the nation, all departments receive questions about how they use resources (financial, physical and personnel) at one time or another. For some departments, inquiries arise more often than others due to the nature of their discipline. For example, which might be questioned more, the mathematics department or the theater department? The theater department, because they often purchase items appearing to be personal expenses, such as shoes (a costume) or cigarettes (a prop), for a dramatic production.
Asking questions isn’t intended to hassle a department based upon a discipline’s professional practices but to ensure adherence to institutional policies, procedures and state and federal law. These policies, procedures and laws (commonly known as “controls”) dictate—or control—resource utilization. Having the business office, internal auditor and external auditor regularly test controls minimizes the institution’s risks (legal, financial and reputational).
Internal Controls (the Hassling)
The business office oversees internal controls. Internal controls serve as management tools to prevent theft and fraud by reviewing, reconciling and verifying transactions and activities. The responsibility for adhering to internal controls spans the entire chain of command—from faculty and staff to midlevel and senior administrators.
For illustration, let’s say an office purchases a Bose sound system for several thousand dollars using an institution’s credit card. What might be some controls for such a purchase? A budget, spending limits, steps for authorization, procurement policies and a system for labeling, tracking and verifying use (inventory systems and audits).
The purchase or use may be red-flagged, indicating a reasonable belief that the purchase or use is not permitted, which would trigger questions or an investigation. A red flag might be that the item was delivered to the user’s home address, the cost was over the spending limit for individual transactions and/or the item was not tagged for inventory. Another red flag could be that the documented purpose was a noise-cancelling device to enable privacy during confidential conversations for an on-campus office, but it isn’t in the office.
Internal Audits (the Fear of Zeus)
There exists no greater fear (almost) for a department than a notification announcing an internal audit. While it may feel like there’s a target on the back of the department head and its members, that is (typically) not the purpose. Conducted by trained and credentialed professionals, an internal audit investigates operations to ensure that controls are in place, and cannot be bypassed. Internal audits take place according to a proscribed cycle. One rationale to deviate from a cycle would be a series of red flags described above or a report of possible issues.
The internal auditing process has numerous steps:
- formulating opinions,
- identifying findings,
- reporting and requesting responses,
- recommending changes or additional controls,
- creating final reports,
- presenting final reports to leadership,
- follow-ups as proscribed, and
- sharing final reports with external auditor.
Departments selected for review are determined based on several factors, including
- audit history,
- required follow-ups from previous audits,
- potential for risk and vulnerability,
- size of department,
- number of hours needed to conduct the audit, and
- other best practices.
Internal auditors are responsible for all aspects of audit process described above. The internal auditor’s educational background may be in finance, accounting or a related field. Typically, they have credentials as a certified public accountant and a master’s degree in accounting or business. Dependent on the state, sometimes internal auditors report to the vice president/vice chancellor of administration and finance or the president/chancellor. In other cases, the internal auditor may report to the governing board with a dotted line to the president/chancellor. At public institutions, internal auditors also function as contempt of complaints brought to the attention of state governments via mechanisms like fraud hotlines.
While often described as the “gotcha police,” bashing, burning and embarrassing employees, that should not be the role or intent of the internal auditor. When acting appropriately, the internal auditor focuses on
- educating about the controls in place and why they’re necessary,
- evaluating processes,
- protecting the university and employees,
- identifying issues before a problem arises,
- helping to create better controls to mitigate risk, and
- highlighting work of departments modeling exceptional stewardship of the institution’s resources.
Here’s a scenario: an employee is responsible for collecting fees for an off-site weekend event, including handling cash, checks and credit card information. The employee earnestly understands the need to secure the monies and information. In the absence of a safe place to hold the funds on-site or a way to make a deposit, the employee locks several thousands of dollars in their car’s trunk. The employee didn’t mean to do something knuckleheaded; they just had no other solution.
In this case, the internal auditor’s role would be to make recommendations to create a more appropriate mechanism to secure the funds, thereby mitigating the possibility of theft and adverse consequences for the employee. Ideas might include only using online registration and payment for the event or require a campus police officer to pick up the monies and deposit them into an on-campus safe until the next business day.
External Audits (the Reckoning)
As explained in a previous post, “Information Institutions Can’t Hide,” the US Internal Revenue Service requires nonprofits to prepare audited financial statements annually. Independent external certified public accounts prepare the report using generally accepted accounting principles. The financial statements are evaluated by independent auditors using generally accepted auditing standards. The statement provides information about the institution’s financial position and performance.
External auditors play a more formal and official role in accounting for financial resources (read: scarier than internal audits because outcomes are public and can affect the institution’s reputation and ability to secure funding and be reaccredited). Although accustomed to the process, business officers have a heighten sense of anxiety during the audit as they want to ensure the institution receives a “clean” or unqualified audit.
There are fundamental differences between internal and external auditors.
- are not employees of the institution,
- must be CPAs,
- are hired by the governing body rather than management,
- serve as an objective third party,
- conduct their work once a year rather than throughout the year,
- work with the business office rather than all departments,
- examine and certify financial statements,
- use specific industry standards and formats to create opinions and letters, and
- are not consultants and may not give advice.
Why are external audits necessary?
- are required by some state and federal laws,
- can inspire trust and confidence with potential donors,
- can provide assurances to the governing body, accreditors and credit raters as to management’s performance and stability,
- are often required for grants, loans and other financial dealings.
The external auditing process takes place following the closing of the books after the end of the fiscal year. The fiscal year isn’t necessarily the end of the calendar year—June 30 typically marks the end of the fiscal year in higher education. Closing the books entails finalizing financial data and preparing final reports and statements. The external auditors use these documents to conduct the audit. The external auditors then test the information by reviewing a sampling of information such as receipts, invoices and processes.
Finally, the auditor create an audit report stating the external auditor’s opinion on whether management has provided “true and fair” statements: unqualified (good), qualified (not good), (bad) or disclaimer (likely bad, but not enough information to determine).
Look forward to next week’s follow-up post on how the theater department may respond to an internal audit.