Recently, a former administrator at a Boston law school admitted that he used a school computer to embezzle more than $173,000. As the former controller, he accessed the school’s accounting system, creating false checks, which he deposited into his personal bank account. As part of his scheme, the former controller used the signature stamps of other employees to sign the checks without their approval and issued reimbursement checks to himself and his wife for false expenses. This case is not unique. Recent revelations include an Iona College vice president who fraudulently misappropriated over $1.2 million from the institution over a 10-year period, Wesleyan University’s former chief investment officer who was sued for $3 million for fraud and breach of contract, and a former Cornell University faculty member who was found guilty of submitting false claims to the National Institutes of Health on a research grant.
When we hear the term risk, we usually think of the financial institutions whose mismanagement of risk was instrumental in causing the 2008 financial crash. But all organizations, including colleges and universities, face various types and levels of risk, which threaten to harm the institutions and their ability to fulfill their missions. Today, as higher education institutions face increasing levels of scrutiny and competition for students, donor dollars and government funding, it is imperative that they focus more on assessing, preventing and managing the risks they face. Issues such as fraud or intentional or unintentional loss of nonpublic personal information can reverberate quickly, especially in an age of social media and networks, and harm the reputation of an institution.
Enterprise Risk Management (ERM), a process for identifying, analyzing, responding to, and monitoring risks, has been widely adopted in the financial world. ERM is designed to help complex organizations identify a broad spectrum of potential threats, assess those threats in terms of both the likelihood and the impact of their occurrence, and design responses to them. Financial risks are one facet of this approach. However, by involving multiple stakeholders in the process, ERM is designed to capture a wider array of issues that could disrupt business, lead to the loss of valuable assets, and harm the reputation of the organization. ERM is also intended to be aligned with the strategic goals and plans of the organization. As a result, risk management needs to be viewed as an inclusive, ongoing, and iterative process, one that constantly evolves to meet new challenges.
ERM is slowly penetrating the consciousness of higher education institutions. Colleges and universities are beginning to integrate these kinds of risk management processes into their operations. This is a trend that higher education leaders should encourage and support. From fraud and misappropriations to IT and growing threats of data breach, higher education managers have grown more aware of an ever-increasing number of risks in recent years. News of problems can travel far in a very short period of time; damage to the brand of a college or university can be nearly instantaneous.
ERM allows managers to identify and focus on those risks that have the most significant reputational and financial impacts on their institutions, including impacts on the bottom line. In orienting a campus toward greater awareness of risk, internal auditors can play an important role by facilitating these ERM discussions and helping to identify areas of increased risk. A sampling from a recent internal audit plan performed for a medium-sized college suggests the range of expanded risks that higher education institutions confront:
- Disbursements and accounts payable: Colleges and universities should have controls in place over processing purchase orders, receiving purchased goods, processing vendor invoices, and processing disbursements, including employee expense reimbursements. Monthly accounts payable reconciliations should be performed.
- IT: Higher education institutions need to have effective intrusion-prevention systems, firewall rule settings and anti-virus controls in place. Institutions should review their offsite backup data storage and assess controls they have around employees copying files from the institution’s network to laptops or flash drives. All colleges and universities should have a social media policy in place for managing employee use of institutional Facebook, Twitter and blogs.
- Research: The institution should have systems in place to prevent research fraud by faculty, including falsification of data and misreporting of research methodologies and results. The recent case of prominent Harvard professor Marc Hauser, whom an internal investigation found to have reported false data in eight papers, indicates how scientific misconduct can damage the reputation of an institution.
- Safeguarding of assets: Colleges and universities need to have controls at the many points at which cash is collected, including not just the bursar’s office but also the student union, fundraising/development office, and the bookstore.
- Physical security: Student safety is paramount today. Colleges should have internal controls over access to residence halls and procedures for communicating with the campus in a lockdown situation.
- Disaster recovery: As we have seen too often in recent years, colleges and universities can face serious consequences if they do not have contingency plans in place to deal with impacts from violent storms and other natural disasters, such as the tornadoes and hurricanes that have struck Massachusetts institutions.
- Employee benefits: Colleges and universities should also institute new internal procedures to accommodate their expanded fiduciary responsibilities for 403(b) employee retirement plans.
- Health services: Institutions need to take precautions by safeguarding access to drugs, especially those like OxyContin that are highly addictive and valuable. Controls also need to be put in place to protect the privacy of confidential student health information in compliance with HIPAA.
Higher education administrators should recognize that implementing a more formal risk-based approach takes time, and many institutions have had success by taking an incremental approach. ERM also requires that auditors reorient their own audit plans to concentrate on areas posing the greatest risk. As the Institute of Internal Auditors (IIA) recently stated, “changes to the audit plan will also require internal auditing to consider the skills and tools (and I might add expertise) it needs to keep pace with these maturing [risk] processes.”
Lisa M. Wills, CPA, is a principal in the firm of Wolf & Company, PC, providing assurance services to educational institutions.