New Administrator Orientation Office of Audit, Risk and Compliance

New Administrator Orientation Office of Audit, Risk and Compliance (OARC) August 5, 2019

Learning Objectives Understand OARC’s responsibilities Understand the compliance program Understand the audit process Understand common audit areas and findings Understand IT risk areas and findings Identify good internal controls and techniques Understand fraud indicators and reporting methods

About The Office of Audit, Risk and Compliance (OARC) performs independent internal audits, plans and oversees the university’s risk assessment process and oversees the institutional compliance program. OARC’s purpose is to support the mission of MSU by: Providing an independent and objective process for monitoring and evaluating the reliability and integrity of financial and operating information to add value and improve MSU’s operations through internal audits and assurance services. Providing oversight of the risk assessment process by creating and maintaining a framework to effectively identify, assess, and manage risk. Promoting a university-wide culture of compliance and ethics through an effective Compliance Program that includes monitoring, education and investigation activities to prevent, detect, and resolve noncompliance with associated laws and regulations.

Organizational Chart

What is a Compliance Program? An effective compliance program prevents and detects violations of law or policy. Defines expectations for employees for ethical and proper behaviors when conducting business. Demonstrates the organization’s commitment to “doing the right thing”. Encourages problems to be reported. Provides a mechanism for monitoring.

Elements of a Compliance Program 1. 2. 3. 4. 5. 6. 7. Organizational Leadership, Culture and Governance Standards and Procedures Right People, Right Roles Education and Awareness Program Evaluation and Guidance Consistent Enforcement of Standards and Discipline Response and Prevention

Internal Auditor Approach We act as an independent objective internal assurance and consulting function designed to add value and improve the University’s operations. We are here to assist you and help protect our University as a whole. We try to view audit projects as a partnership with you and your department maintaining a relationship characterized by respect, helpfulness and collaboration. We attempt to be as “transparent” as possible.

Roles of OARC & Management University Management Develops and enforces effective internal controls. OARC - Internal Audit Responsible for monitoring compliance with federal, state or applicable laws. Evaluates and provides reasonable assurance that internal controls are functioning as intended. Responsible for setting policies and procedures. Evaluates compliance with federal, state or other applicable laws. RESPONSIBLE FOR MAKING MANAGEMENT DECISIONS. Evaluates compliance with MSU internal policies. CANNOT MAKE MANAGEMENT DECISIONS.

Audit Plan Development/Approval “C’mon, why us?” University-wide risk assessment Annual risk discussions – existing/emerging issues Special Project Time – investigations/special requests Cyclical Audits – inherent risks of your business o Likelihood (probability of occurrence) o Impact (effect on MSU/your unit) Approval President Audit, Risk and Compliance Committee

Audit Process

Stage 1 - Planning Audit engagement Engagement letter Preliminary information request Opening meeting Project overview given to the management group Designate a primary contact person Official project start date Inquiry of management & staff Interviews & Internal Control Questionnaires (ICQ) Tours Scope definition Risk assessment Twelve-month “snap-shot”

Stage 2 – Fieldwork & Documentation Observations of processes & procedures Observing critical processes or activities Sampling & testing Select specific transactions, events or activities for testing Collaboration with unit staff Verification of statements made Sample of the verbal statements made during the planning process to verify accuracy

Stage 3 – Issue Discovery & Validation Risk exposure discover & evaluation Risk identification process based on ICQs & fieldwork Risk validation & mitigating controls discussion with personnel Risk exposure presentation to management Discussion with management regarding identified risk & potential mitigating controls Management solution development Risk mitigation vs. risk acceptance Risk considerations in strategic planning

Stage 4 – Reporting Draft report development & distribution Based on levels of identified risk Report rating assignment is discussed Closing meeting discussion Limited draft distribution Management response opportunity Due 30 days from issuance of draft report Short description of management’s action plan and timeline to address identified risk Final report distribution Standard executive distribution list with additional unit requests Management responses included

Stage 5 – Issue Tracking Post audit review & follow-up Three (3) to six (6) months after final report is issued Review status of management response Written status report issued to final audit report distribution list Periodic status updates Potential second post audit review Otherwise, we may request periodic progress updates

Common Audit Areas & Findings

Common Audit Areas Understanding internal controls Segregation of duties; reviews; reconciliations Testing significant activity including: Cash receipts/Accounts receivable Expenditures (including payroll, travel, endowments/scholarships) Procurement Cards Grant activity including effort reporting Equipment inventory Resale inventory Significant contracts Sensitive data Conflict of Interest/Outside work for pay

Common Findings Non-compliance with: MSU Manual of Business Procedures (MBP) Federal/State regulations Lack of segregation of duties – payroll, expenditures, receipting – fiscal officer role/HR roles Procurement cards not used or reconciled according to the Purchasing Card (Pcard) Users Manual Travel not authorized appropriately Travel voucher not completed according to Section 70 of the MBP

Common Findings Continued Contracts signed by someone without signature authority Record retention – sensitive data stored in department Conflict of Interest not disclosed Outside Work for Pay policy not followed Timeline of cash deposits

Information Technology Auditing

Formal Definition Information Technology (IT) Auditing: Defined as any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them.

In-Formal Definition Information Technology (IT) Auditing: Defined as any audit that encompasses the review and evaluation of all Say What?!?! aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them. Basically, a review of the flow of data through an IT infrastructure and the evaluation of the controls that help protect it

“C.I.A.” Core Control Concept Confidentiality Keeping sensitive data a secret from those without a need-to-know. Opposing Force: Disclosure (fines, legal action, loss of public trust) Integrity Protecting data against unauthorized modifications. Opposing Force: Alteration (inaccurate info, financial loss, waste of resources) Availability Ensuring data is readily accessible by authorized users. Opposing Force: Destruction (waste of resources, financial loss) DATA Confidentiality T h e C . I . A . Tr i a d

IT Risks IT Risk Areas: Sensitive information Electronic monetary transaction processes (PCI, ACH, etc.) System access restrictions and enforcement Weak password policies Overall baseline security controls

Typical IT Audit Findings Data Backup Procedures Business Continuity Plan Disaster Recovery Plan Access Controls MSU Baseline Security Practices IT Asset Inventory

IT Audit Sensitive Data Focus Identified as a key risk to the University Examples: SSN, Payment Card Data, Student Information, Medical Records, etc. Liabilities of Disclosure: Financial loss, Legal Action, Loss of Public Trust, etc. MSU Institutional Data Policy (IDP) Defines minimum requirements for securing University institutional data Applies to all University business and academic units and all MSU employees Visit the MSU Information Security Webpage for more information

How to Reduce Risk

Characteristics of a Good Internal Control Environment Tone at the Top Management’s clear commitment to a culture of ethics, integrity and compliance Adequate management oversight Proper authorization of transactions and activities Adequate documents and records – original receipts scanned Physical safeguards – restricted access Segregation of duties Account activity is reviewed monthly and support for transactions is maintained

Fraud Indicators Pressure Opportunity Rationalization Pressure T h e F r a u d Tr i a n g l e

Pressures High personal debt Poor credit Unexpected financial needs Addictions (gambling, drugs) Other pressures

Opportunity Lack of circumvention of internal controls Past failure to discipline embezzlers Management apathy Ignorance or incapacity to detect fraud Lack of an audit trail

Rationalization The organization owes it to me I am only borrowing the money They can afford it I deserve more It’s for a good purpose

Methods of Reporting Misconduct MSU Misconduct Hotline Phone or Online reporting Concerns reported include: o Conflict of Interest o Fiscal o Theft or misappropriation of funds, supplies, property, or other University resources o Medical/HIPAA o Privacy o Research o Safety o Any other compliance issue Direct contact with Internal Audit, MSU Police, HR, etc. Key links: OARC Website – http://www.oarc.msu.edu Misconduct Hotline Website – http://misconduct.msu.edu

MSU Misconduct Hotline Poster

Summary of Topics Compliance program overview Internal audit overview Audit process Common audit areas and findings IT risks and findings Internal controls Fraud detection and prevention

Key Points for New Administrator Supervision – support fiscal officer – be involved Assignment of roles – review annually Conflict of interest – employment/vendor/time commitment Outside work for pay Good internal controls – common sense Segregation of duties Approvals Reconciliations – Pcards/general ledger/review transactions monthly Travel requirements/authorizations (section 70 of the Manual of Business Procedures) Professional Service Contracts Ethical decisions Maintain adequate documentation – scanned documents Compensation time – policy/documentation Address performance issues timely

Questions?

Thank You! Marilyn K. Tarrant Chief Audit, Risk and Compliance Officer Email: [email protected] Office of Audit, Risk and Compliance Phone: (517) 355-5030 OARC Website: http://oarc.msu.edu MSU Misconduct Hotline Phone: 1-800-763-0764 Misconduct Hotline Website: http://misconduct .msu.edu