Risk Management Internal Audit Internal Controls Management Oversight Ethics Conflicts of Interest FERPA/HIPAA


Internal Audit

Who We Are

What We Do

How We Can Help

Charter

Our mission is to assist the University in the accomplishment of its goals. We do this by providing a systematic, disciplined approach to evaluating, advising on, and improving the processes of resource application, risk management, control, and governance throughout the University.

Organization & Reporting

The ISU Internal Audit Office consists of three employees: a director, a senior auditor, and a staff auditor. It also uses two student auditors when funding is available.

The director reports functionally to the State Board of Education Audit Committee and administratively to the University President.

Staff are ISU employees. Internal Audit reports are submitted to the President and, in summary form, to the Audit Committee.

Objectives

– Appraise the economy and efficiency of operations
– Identify and evaluate significant risk exposures
– Verify the existence of and control over University assets
– Ascertain compliance with policies, regulations, and laws
– Provide guidance for new policies, procedures, processes, and systems
– Investigate fiscal misconduct, fraud, conflicts of interest, waste, and abuse
– Act as a liaison with external audit organizations

Services We Provide

– Risk-based operational audits
– Compliance audits
– Special request reviews
– Investigations
– Purchase card audits
– Verification of assets
– Consultative services
– Assistance to external auditors

How We Help

We are a constructive link between policy-making and operational levels of the University

Early warning system to identify financial or other risks

Identify opportunities for fiscal and operational improvement

An independent, internal entity for employees and students to address concerns or present ideas for improvement

Where is Internal Audit?

We are located in the Continuing Education Building - 1001 N. 7th Ave, Suite 202

ISU Stop 8093

282-3182

Internal Controls

What They Are &

Why I Should Care

What are Internal Controls?

Internal controls are processes designed to provide reasonable assurance regarding the achievement of an organization’s objectives related to:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws, regulations, and policies

What is Risk?

Risk can be defined simply as anything that could prevent an organization from accomplishing its goals and objectives.

Internal Controls are Designed to Minimize Risk by:

– Protecting assets.
– Ensuring records are accurate.
– Promoting operational efficiency.
– Encouraging adherence to policies, rules, regulations, and laws.
– Reducing the opportunity for fraudulent activity.

Components of Internal Control – COSO Model

– Control Environment
– Control Activities
– Risk Assessment
– Information and Communication
– Monitoring

Control Environment

Sets the tone for an organization – “Tone at the Top”. Establishes the organizational culture. Provides discipline and structure. Is the foundation of the organization’s control system. Key factors include:

– Integrity and ethical values.
– Competence of institutional personnel.
– Leadership philosophy and management style.
– How management assigns authority & responsibility and organizes and develops its people.

Control Activities

Policies and procedures established to ensure management directives are carried out. Actions taken to address risk. Include a range of activities:

– Authorizations
– Verifications (e.g. physical inventory)
– Reconciliations
– Physical security of assets
– Access limitations
– Segregation of duties

Risk Assessment

Identification and analysis of relevant risks (e.g. operational, financial, and compliance).

After risks have been identified they must be evaluated using a formal or informal process which includes:

– Estimating the significance of a risk.
– Assessing the likelihood (or frequency) of the risk occurring.
– Assessing the actions that could be taken to manage the risk and their associated costs.

Risk assessment is an on-going process.

Information and Communication

Information systems produce reports containing operational, financial, and compliance-related information.

Information must flow down, across, and up within the organization.

The effectiveness of information systems depends on many factors:

– Information systems must be based on a strategic plan.
– Adequate resources must be allocated to the system.
– Information must reach the right people.
– Information must be in sufficient detail and be timely.
– Reports must be accurate and provide necessary information.

Information and Communication

The effectiveness of communication systems also depends on many factors:

– Employees’ duties and control responsibilities must be effectively communicated.

– Channels of communication must exist for employees to report suspected improprieties.

– Management should be receptive to employee suggestions for improvement.

– Communication must be effective across departmental lines.

– Communication must be timely and sufficient for individuals to effectively discharge their responsibilities.

– Outside parties should be made aware of the institution’s standards.

– There must be timely and appropriate follow-up to information feedback.

Monitoring

Monitoring is a process that assesses the quality of the internal control system through on-going monitoring activities and separate evaluations.

On-going monitoring activities include:

– Review of operating and financial reports to identify significant inaccuracies or exceptions.
– Investigation of information received from external parties.
– Organizational structure and supervisory activities.
– Comparison of data recorded in the information system to physical assets.
– Periodic confirmations by personnel that they understand and are complying with the institution’s code of conduct.

Separate evaluations can be conducted by management or by internal and external auditors.

Internal Control Objectives

A good system of internal controls will accomplish the following objectives:

Authorization: All transactions are approved by responsible personnel.

Completeness: All valid transactions are included in the accounting records.

Accuracy: All valid transactions are accurate, consistent with the originating transaction data, and information is recorded in a timely manner.

Validity: All recorded transactions fairly represent the economic events that actually occurred, are lawful in nature, and have been executed in accordance with management’s general authorization.

Internal Control Objectives

Physical Safeguards and Security: Access to physical assets and information systems is controlled and properly restricted to authorized personnel.

Error Handling: Errors detected at any stage of processing receive prompt corrective action and are reported to the appropriate level of management.

Segregation of Duties: Duties are assigned to individuals in a manner that ensures that no one individual can control both the recording function and the procedures relative to processing a transaction.

Who is responsible for internal control?

Management:

– The President provides leadership and direction to senior administrators.
– Vice presidents provide direction to senior administrators responsible for major functional areas.
– Deans and department heads have line responsibility for designing and implementing control systems at detailed levels.

Who else is responsible?

All employees should:

– Read and understand the policies and procedures which affect their jobs.
– Evaluate the propriety of transactions (legal and ethical?).
– Safeguard assets.
– Evaluate the economy and efficiency of operations.
– Follow the established internal controls.
– Notify management when internal controls are not effective or are being circumvented.

Limitations of Internal Control

Internal controls, no matter how well designed and executed, can only provide reasonable assurance regarding the achievement of objectives. Limitations include:

Judgment – Decisions must be made constrained by available time and the information at hand, and under the pressures of getting a job done.

Breakdowns – Employees may misunderstand instructions. Errors may occur from new technology or due to complex systems.

Management override – High-level personnel may be able to overrule controls for personal gain or advantage.

Collusion – Two or more individuals may work together to bypass controls. No internal control system is immune from collusion!

Is the cost of control a consideration?

Yes! In determining whether a particular control should be established, the risk of failure and the potential effect must be considered along with the cost of establishing the control.

Excessive control is costly and counterproductive.

Too little control presents undue risk.

There should be a conscious effort made to strike an appropriate balance.

Management Oversight

The Key to Control & Risk Management

Management – The buck stops here!

As a manager, you are responsible for:

– Establishing the “tone at the top” and promoting an ethical business environment by providing structure, feedback, and discipline.
– Assessing risks specific to your operations and developing a control system to address risks that could prevent achieving established goals (see handouts).
– Establishing and maintaining control activities such as reconciliations, approvals, and review of operating activities.
– Ensuring appropriate access to and use of University information and systems.
– Monitoring the control system and activities to identify and correct breakdowns in a timely manner.

Management – Best Practices

1. Read all requests to spend University funds before approving them.
2. Develop written procedures for critical operations.
3. Develop measurable departmental goals based on strategic plans. Create an action plan that is communicated to all employees.
4. Ensure every transaction involves at least two people.
5. Review departmental transactions monthly and investigate concerns.
6. Deposit funds daily (properly secure cash, check, and credit card information).
7. Review processes on a continuous basis (is there a better way?).
8. Ensure all expenditures have a clear business purpose.
9. Maintain good supporting documentation for all expenditures.
10. Make sure time sheets are reviewed and approved by a supervisor who is familiar with the employee’s work hours.

Propriety of University Expenditures

University expenditures will be considered proper if they meet all of the following seven tests:

1. Are in the best interest of the University and for official business only.
2. Comply with all applicable federal and state laws, and University regulations, policies, and procedures.
3. Do not appear to or actually provide a personal benefit to employees.
4. Are within approved budgets.
5. Are necessary to accomplish University business.
6. Are reasonable. Quality and quantity are sufficient to meet but not exceed the identified need.
7. Are approved by the appropriate level of management.

Ethics

The Foundation

What Does Ethics Mean to You?

Sociologist Raymond Baumhart asked some business people this question. Replies included:

“Ethics has to do with what my feelings tell me is right or wrong.”

“Ethics has to do with my religious beliefs.”

“Being ethical is doing what the law requires.”

“Ethics consists of the standards of behavior our society accepts.”

“I don't know what the word means.”

What is Ethics?

Simply stated, ethics refers to the standards of behavior that tell us how human beings ought to act in many situations in which they find themselves as friends, parents, children, citizens, employees, teachers, professionals, etc.

What Ethics is Not

Ethics is not:

– The same as feelings
– Religion
– Just following the law
– Following culturally accepted social norms
– Science

Why is Identifying Ethical Standards Difficult?

Two fundamental problems:

– On what do we base our ethical standards?
– How do those standards get applied to specific situations?

Framework for Ethical Decision Making

1. Recognize an Ethical Issue
2. Get the Facts
3. Evaluate Alternative Actions
4. Make a Decision and Test It
5. Act and Reflect on the Outcome

Recognize an Ethical Issue

Could this decision or situation be damaging to someone or to some group?

Does this decision involve a choice between a good and bad alternative; between two “goods”; or between two “bads”?

Is this issue about more than what is legal or what is most efficient? If so, how?

Get the Facts

– What are the relevant facts of the situation?
– What facts are not known? Do I have enough information to make a decision?
– What individuals and groups have an important stake in the outcome? Are some concerns more important? Why?
– What are the options for acting? Have I identified creative options?

Evaluate Alternative Actions

Ask yourself the following questions:

– Which option will produce the most good and do the least harm (Utilitarian Approach)?
– Which option best respects the rights of all who have a stake (Rights Approach)?
– Which option treats people equally (Justice Approach)?
– Which option best serves the community as a whole (Common Good Approach)?
– Which option leads me to act as the sort of person I want to be (Virtue Approach)?

Make a Decision and Test It

Considering all these approaches, which option best addresses the situation?

Would I make the same decision if I knew it would be public—in a newspaper article or on a TV news report (newspaper test)?

Would mom approve?

Could I rationally and honestly defend my decision?

If a colleague made the same decision, would I support him or her?

Are there laws, policies, rules, or directives governing or restricting my decision?

Act and Reflect on the Outcome

How can my decision be implemented with the greatest care and attention to the concerns of all stakeholders?

Reflect on how the decision turned out and what you learned from the situation.

Be willing to reassess your decision if more facts become available.

Obstacles to Ethical Decision Making

Rationalizations:

– If it’s necessary, it’s ethical
– If it’s legal and permissible, it’s proper
– It’s just part of the job
– It’s all for a good cause
– I was just doing it for you
– I’m fighting fire with fire
– It doesn’t hurt anyone
– Everyone’s doing it
– It’s okay if I don’t gain personally
– I’ve got it coming
– It’s just politics

Ethical Rules Pertaining to ISU

ISU currently does not have a comprehensive code of conduct or ethics policy. It has individual policies that need to be updated.

State Board of Education Conflict of Interest and Ethical Conduct policy (Section II, Subsection Q).

Idaho Statutes:
– Bribery and Corrupt Practices Act (Title 18, Chapter 13)
– Prohibitions Against Contracts with Officers (Title 59, Chapter 2)
– Ethics in Government Act (Title 59, Chapter 7)

State Board of Education Compliance Program policy (not finalized yet). Institutions must establish:
– A code of ethics that applies to all employees.
– A published list of all major compliance areas categorized by risk.
– A mechanism for coordinating compliance oversight, monitoring, and enforcement.
– A means of assuring institutional policies are regularly reviewed for compliance with federal and state laws and regulations and Board policies.

SBoE – Ethical Conduct

All employees of the institutions and agencies shall:

– Not hold financial interests that are in conflict with the conscientious performance of their official duties and responsibilities;
– Not engage in any financial transaction in order to further any private interest;
– Put forth honest effort in the performance of their duties;
– Make no unauthorized commitments or promises of any kind purporting to bind the Board or any Board-governed entity;
– Not use their public offices for private gain;
– Act impartially and not give preferential treatment to any private or public organization or individual;
– Protect and conserve public property and not use it for other than authorized activities;
– Not engage in outside employment or activities, including seeking or negotiating for employment, that conflict with official duties and responsibilities;
– Promptly disclose to their chief executive officer waste, fraud, abuse, or corruption;
– Endeavor to avoid any actions that would create the appearance that they are violating the law or the ethical standards of the Board or the relevant Board-governed entity;
– Disclose potential conflicts of interest, and avoid conflicts of interest, potential conflicts of interest, and circumstances giving rise to the appearance of a conflict of interest.

Current ISU Policies

– Academic Freedom/Faculty Ethics
– Employment of Relatives/Nepotism
– Faculty/Student Relationships
– Outside Employment
– Private Consulting Outside the University
– Sexual Harassment
– Misconduct in Research and Scholarship
– Research Conflict of Interest
– Financial Interest Disclosure Form

How do you create an ethical work environment?

– Establish an enforceable code of conduct
– Ensure executive modeling – tone at the top
– Provide initial and on-going training
– Encourage regular communication
– Maintain an anonymous hotline
– Take action – hold individuals accountable
– Reward employees that maintain an ethical work environment
– Implement equitable policies that are communicated
– Provide fair compensation and reasonable working conditions

Code of Ethical Conduct

Driven by the University’s mission of teaching, research, and public service:

– Sets the expectation of the highest standards of ethical conduct.
– Commits to upholding the reputation of the University.
– Encourages compliance with applicable laws, regulations, and University policies.
– Does not condone retaliation for any good faith report of improper activity.
– Be honest, ethical, truthful.
– Obey the law.
– Follow University policies and procedures.

What is Fraud?

A dishonest and deliberate course of action that results in the obtaining of money, property or an advantage to which the person committing the action would not normally be entitled. Intentional misleading or deceitful conduct that deprives another of his/her resources or rights. Fraud always involves intent and some violation of trust.

What is Waste?

Waste occurs when someone makes careless or extravagant expenditures, incurs unnecessary expenses, or grossly mismanages resources. This activity results in unnecessary costs. It may or may not provide the person with personal gain. Waste is almost always the result of poor management decisions and practices or poor accounting controls.

What is Abuse?

Abuse most often involves an employee exploiting “loopholes” in policies and procedures for personal benefit. Abuse is very close to fraud, but often is not prosecutable as such. Abuse includes, but is not limited to the misuse or destruction of resources, using the powers of an official position inappropriately, or any other seriously improper practice that cannot be prosecuted as a fraud or other illegal act.

Examples of Fraud, Waste and Abuse

An employee purchases a meal for a meeting which has a valid business purpose. The meal meets University policy, all receipts are provided and the proper form is completed. (Acceptable)

The employee has a meeting with a valid business purpose. A meal is purchased, receipts are provided and required forms are completed. However, the meeting could have taken place without a meal. (Waste)

The employee purchases a meal over a casual meeting with colleagues. The business purpose and necessity of the meeting is questionable. (Abuse)

The employee purchases lunch for himself/herself and friends using University funds. (Fraud)

How Costly is Fraud?

The Association of Certified Fraud Examiners (ACFE) 2010 Report to the Nations concluded:

– The typical organization is estimated to lose 5% of its annual revenues to fraud.
– Applied to the estimated 2009 Gross World Product, this translates to a potential total fraud loss of $2.9 trillion worldwide.

What Other Costs of Fraud?

Damages to the University go beyond dollars & cents:

– Reputation
– Loss of public confidence
– Detrimental to attracting new potential donors & volunteers
– Damage to relationships
– Sagging staff morale
– Distraction from the mission

The Fraud Triangle

There are three factors that must be present in order for an ordinary person to commit fraud:

– Pressure
– Perceived opportunity
– Rationalization

How Can Fraud be Prevented?

An effective fraud deterrence and prevention program should address the fraud triangle by:

– Reducing pressures on employees that might push them into committing fraud.
– Reducing perceived opportunities to commit fraud – strong internal controls.
– Dispelling rationalizations for engaging in fraudulent conduct.
– Creating a sense of honesty and ethics in your area.
– Reporting fraud, waste, and abuse when it is detected.

What are Potential Red Flags?

Although this list is not exhaustive, the following conditions may be indicators of fraud:

– Accounts not reconciled and reviewed in a timely manner
– Continuous or unusual account transfers
– Employee wanting to control too much of a given process or procedure
– Frequent or unusual related party transactions
– Lack of interest in compliance with policies
– Unrecorded transactions or missing records
– Altered or counterfeit documents
– Excessive voids, credits, over-rings
– Unexpected results, i.e., revenue decreasing & attendance increasing
– Inadequate screening of new employees
– Employee with lifestyle beyond their means
– Employee refusing to take time off and/or unwilling to share duties with co-workers
– Employee in close relationship with suppliers

How Do I Report Concerns?

The following options for reporting fraud, waste, abuse, and non-compliance are available for ISU employees:

– Share your concern with your supervisor.
– Contact ISU Internal Audit.
– Utilize ISU’s anonymous hotline:
  – Call MySafeCampus at 800-716-9007
  – Utilize www.MySafeCampus.com, 24 hours a day, seven days a week.
  – Confidential reports go to me and Brad Hall.
  – You can communicate anonymously through the online tool.

How Can I Be Protected from Retribution?

The “Idaho Protection of Public Employees Act” (Title 6, Chapter 21) provides protections from “adverse action” for state employees who, in good faith, provide information concerning the waste of public funds, resources or manpower or who report potential violations of laws and regulations (both state and federal).

Conflicts of Interest

Perception is Reality

What is a Conflict of Interest?

The State Board of Education policy (Section II, Q) states:

A conflict of interest occurs when a person's private interests compete with his or her professional obligations to the Board-governed entity to a degree that an independent observer might reasonably question whether the person's professional actions or decisions are materially affected by personal considerations, including but not limited to personal gain, financial or otherwise.

Examples of Conflicts of Interest?

Let’s discuss:
– Perceived
– Potential
– Actual

Potential Costs of Conflicts

If conflicts of interest are not managed:

– Protection of human subjects may be compromised.
– Integrity of research may be at risk.
– The public may lose trust in the University and its research findings.
– The investigator/faculty member may lose the respect of the academic community.
– Terms of research grants and contracts (including failure to disclose COI) and federal regulations may be violated.
– Potential loss of research funding.
– The University may lose public support and funding.
– Students may be negatively impacted: inability to pursue their research interests.
– University resources may be improperly used.
– Increased government regulation may result.
– Scandals or negative media attention may occur.

Applicable Policies & Regulations

ISU Policies (need to be updated):
– Employment of Relatives/Nepotism
– Outside Employment
– Private Consulting Outside the University
– Research Conflict of Interest
– Financial Disclosure Form
– Academic Freedom/Faculty Ethics

State Board Policies:
– Conflicts of Interest and Ethical Conduct – All Employees (Section II, Q)
– Conflict of Interest (Section I, G)

State of Idaho Statutes:
– Ethics in Government Act
– Bribery and Corrupt Practices Act

Applicable Federal Regulations:
– Example: New NIH regulations

How to Handle Conflicts?

Conflicts of interest must be:
– Disclosed
– Reviewed
– Managed

How to Manage Conflicts of Interest?

Management plans may include:

– Avoidance
– Public disclosure
– Balance – third-party interest participation
– Mediation – oversight by immediate supervisor
– Abstention – employee recuses him or herself
– Divestiture – employee forfeits outside interests
– Prohibition

FERPA/HIPAA

Must Protect Information

What is FERPA?

FERPA (Family Education Rights and Privacy Act) was enacted in 1974. It is a set of regulations that applies to those institutions that receive funding from the Department of Education. FERPA was written specifically for students and guarantees them the right to inspect and review their education records, the right to seek to amend education records, and the right to have some control over the disclosure of information from those education records.

What is an Educational Record?

An education record is defined as any record that directly identifies a student and is maintained by the institution or educational agency or by a party acting for the institution or educational agency. A key distinction of education records is that education records are shared. Education records can exist in any medium including the following: handwritten, typed, computer generated, videotape, audiotape, film, microfilm, microfiche, e-mail, and others.

FERPA – Public Information

The following is referred to as directory information (it can be shared without the student’s consent – unless specifically blocked):
– Name
– Address
– Telephone number
– E-mail address
– Enrollment status
– Major
– Degrees & awards received
– Most recent previous school attended

FERPA – Protected Information

The following student information cannot be shared without the student’s written authorization:
– Student number
– Grades/Exam Scores
– Grade Point Average
– Social Security Number
– Parent Address/Phone
– Detail of Registration Information (i.e., courses, times)
– Race, Ethnicity, or Nationality
– Gender
– Date of Birth
– Total Credits
– Number of Credits Enrolled in a Quarter
– Emergency Contact

FERPA – Information at ISU

Detailed information is available from the Registrar’s Office at http://www.isu.edu/areg/ferpafacts.shtml including:
– General FERPA information
– ISU Student Rights
– ISU Faculty/Staff & FERPA
– FERPA General Guidance for Students – available from the U.S. Department of Education

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. A major component of HIPAA addresses the privacy of individuals’ health information by establishing a nation-wide federal standard concerning the privacy of health information and how it can be used and disclosed. This federal standard will generally preempt all state privacy laws except for those that establish stronger protections. The HIPAA privacy laws are effective April 14, 2003.

HIPAA at ISU

ISU maintains “individually identifiable health information” in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (45 CFR Parts 160, 162, and 164). According to HIPAA, ISU is a “Hybrid Entity” which means it has specific areas, i.e., ISU health care clinics, designated to comply with the Rule. Other ISU units may have access to and/or receive certain health information and also have responsibilities under HIPAA, (for example, those units performing research and education).

HIPAA at ISU

The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).” The Security Rule calls this information “electronic protected health information (EPHI).” The Security Rule also extends to individual remote use of EPHI such as: (1) the use of portable media/devices (such as USB flash drives) that store EPHI; and (2) offsite access or transport of EPHI via laptops, personal digital assistants (PDAs), home computers, or other non-corporate equipment.

“Individually identifiable health information” is information, including demographic data, that relates to:
– The individual’s past, present, or future physical or mental health or condition,
– The provision of health care to the individual, or
– The past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

HIPAA Resources at ISU

Please refer to the following information available at isu.edu:
– Summary of the HIPAA Privacy Rule – General Counsel
– ISU Statement of HIPAA – General Counsel
– Health Programs Guide – General Counsel
– Other information at: http://www.isu.edu/ucounsel/hipaa.shtml
– Privacy Practice Notice (HIPAA) – Student Health Center
– HIPAA training – available from Workforce Training – CoT

Contact Sandi Rich – ISU HIPAA Privacy & Security Officer