Spring 2013 -Audit Connection

The Audit Connection Collaborating for Enterprise Excellence

Internal Audit Staff

1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Ask the Auditor! We invite you to send your questions to [email protected], and we may feature it in future issues.

The Office of Internal Audit's purpose is to support the mission and vision of the Georgia Regents Enterprise by: providing independent and objective management evaluations; identifying actual and potential problems; providing corrective guidance; developing management recommendations; and providing consultative services in accordance with professional internal auditing standards and compliance review guidelines.

We are here to help you!

706-721-2661

gru.edu/audits

Clay Sprouse…………………..CAO

Kathleen Boyd ..... Assoc. Director

Crystal Corey ......... Audit Manager

Vernon Walters ...... Senior Auditor

Will Barnes ............. Senior Auditor

Sheryl Brown ............... I.T. Auditor

Lisa Kedigh ........... Admin. Asst. III

Jessica Brown ........... Audit Intern

Inside this issue:

What is Internal Audit? 1

Hitting the Century Mark: Celebrating 100 Years of Audit Experience & Certifications

1

Interview with Jim Rush,

JD, Chief Integrity Officer

3

Time Theft Can Lead To Jail Time

6

Do You Know What’s Being Charged To Your Departmental Budget?

7

Auditors Serving the Community….….One Step At A Time

8

What Is Internal Audit? Clay Sprouse, Chief Audit Officer The Office of Internal Audit has a unique organizational reporting structure. Because we are an enterprise office, we support both Georgia Regents University and Georgia Regents Health System.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

The first tenet of the definition of internal auditing above is that the department and its auditors must be independent and objective. The Office of Internal Audit is able to maintain its independence and objectivity by reporting to the President and CEO as well as being responsible for reporting to the Audit, Compliance and Enterprise Risk Management (ERM) Committees.

The President and CEO as well as the committees are responsible for ensuring sound governance practices exist. This is done by approving the annual audit work plans for Audit, Compliance and Risk Management, ensuring significant items are reported and that findings are addressed in a timely manner. The committees also maintain a good working relationship with the Office of Internal Audit and Compliance and Enterprise Risk Management Office by meeting regularly and working closely with management. To learn more about internal audit please click on following link:

acua.org/movie

Hitting the Century Mark: Celebrating 100 Years of Audit Experience and Certifications Crystal Corey, Audit Manager With audit backgrounds in federal and state governments, higher education, healthcare, retail, communications, manufacturing, employee concerns, and taxes, the GR Internal Audit (OIA) team has hit the century mark with 100+ years of collective audit experience!

(Continued on page 2)

Spring 2013, Issue No. 3

Page 2 The Audit Connection

1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Ask the Auditor! We invite you to send your questions to [email protected], and we may feature it in future issues.

Part of the measure of an internal audit department is the qualifications of the personnel. In addition to continually expanding on the 100+ years of audit experience, the OIA team has expanded its portfolio of credentials by earning three advanced degrees and 11 professional certifications through various institutions such as the Institute of Internal Auditors (IIA).

Our Chief Audit Officer, with over 25 years of audit experience, has earned his Master of Business Administration (MBA), as well as Certified Public Accountant (CPA), Certified Internal Auditor (CIA), and Certified Information Systems Auditor (CISA) designations. He has audited extensive environments from retail to communications, including federal government.

Earning an MBA from Santa Clara University in California, our Associate Director has over five years auditing experience. She developed the audit function for Augusta State University and served as their Audit Director prior to the consolidation. Part of her responsibilities included the management of the Ethics Hotline. She is completing the final part of the CIA designation.

The Certification in Control Self-Assessment (CCSA) is another designation in our team’s portfolio, earned by our Audit Manager. Our audit manager is also completing the final part of the CIA and has 14 plus years in higher education auditing.

In addition to being a CISA, our Information Technology auditor has earned certifications in Risk and Information Systems Controls (CRISC), Governance of Enterprise Information Technology (CGEIT), and Data Processing (CDP). She has more than seven years of audit experience in health care and IT.

Our Senior Auditor with extensive experience investigating employee concerns holds both the CIA and CISA designation as well as having earned his MBA. He has more than 14 years of audit experience including the federal government.

With 35 years auditing experience, including 30 in tax auditing for the South Carolina Department of Revenue, our other Senior Auditor holds the Certified Public Manager designation.

With additional education efforts and certifications in our sights, as well as the continuing professional education required to maintain these certifications each year, expanding our competencies is an on-going effort. This development and growth allows our team to provide quality assurance and consulting services to senior management and stakeholders.

What is Internal Audit? 1

Hitting the Century Mark: Celebrating 100 Years of Audit Experience & Certifications

1

Interview with Jim Rush,

JD, Chief Integrity Officer

3

Time Theft Can Lead To Jail Time

6

Do You Know What’s Being Charged To Your Departmental Budget?

7

Auditors Serving the Community….….One Step At A Time

8

Page 3 The Audit Connection

1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Ask the Auditor! We invite you to send your questions to [email protected], and we may feature it in future issues.

Interview with Jim Rush, JD Chief Integrity Officer Kathleen Boyd, Associate Audit Director

The risk landscape for Academic Health Centers is ever evolving. The Associate Director of Internal Audit had a recent conversation about risk management with Jim Rush - Chief Integrity Officer, Office of Compliance and Enterprise Risk Management.

As the Chief Integrity Officer you have overall responsibility for the Enterprise’s compliance, ethics, and enterprise risk management. Is this a shared responsibility?

My office takes the lead in this endeavor coordinating with many other facets of the enterprise.

Managers have a responsibility for maintaining effective internal control procedures on a day to day basis, identifying breakdowns and inadequate processes and fixing whatever problems they find. They are also expected to stay ahead of changes in the regulatory environment.

Employees often do not realize that they bear a large part of the responsibility for risk management themselves. There is the expectation that employees will “do the right thing” and when they see something that is not right, there is the obligation to speak up.

COMPLIANCE and ERM

The OIA uses a risk based approach in developing its audit plan. The Compliance Office has the primary role in enterprise risk management. How does your office evaluate risk?

The Compliance and Risk Team Steering Committee plays a key role in identifying areas of risk and tagging those of “high priority.” We take into consideration many factors including likelihood and impact, with concern for risks that could impact safety, reputation, funding or have the potential to impede progress in achieving strategic objectives.

The Chief Audit Officer (CAO), Clay Sprouse is a part of this committee, as are representatives from legal, human resources, research and the Children’s Hospital. Clay and I also have a standing weekly meeting and this helps us to keep each other informed of emerging risks. The OIA considers these risks as it develops its annual audit plan. The idea is to expend audit resources wisely. By evaluating a situation on an ongoing basis, management can adapt its processes, controls and procedures where needed to increase operational efficiencies, and ensure compliance with policies.

(Continued on page 4)

Inside this issue:

What is Internal Audit? 1

Hitting the Century Mark: Celebrating 100 Years of Audit Experience & Certifications

1

Interview with Jim Rush,

JD, Chief Integrity Officer

3

Time Theft Can Lead To Jail Time

6

Do You Know What’s Being Charged To Your Departmental Budget?

7

Auditors Serving the Community….….One Step At A Time

8

Page 4 The Audit Connection

1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Ask the Auditor! We invite you to send your questions to [email protected], and we may feature it in future issues.

How does an organization of this size identify who within the Enterprise owns identified risks and is accountable for managing them?

The variety and complexity of risks is rising, due in part to increased regulation, but also because of the integration and consolidation efforts within our enterprise. We recognized the need to ensure that “somebody” in the organization is looking out for each compliance area. In response, our office has taken the initiative to develop a compliance matrix. Within the matrix each separate department is identified with the individual within the department who has the responsibility and accountability for managing the risk.

How do we measure the effectiveness of controls that are in place to control risks and drive continuous improvement based on that information?

There are many ways to measure the effectiveness of controls. Every day we are in business is one basic measure. The internal audit function plays a critical role in evaluating and assessing that controls are effective and working as intended. It is an ongoing cycle of continuous audit, reassessment, and realignment.

TONE AT THE TOP

In what ways does your office communicate the institution’s ethics policy to employees? How do you keep this message fresh?

Mandatory annual training serves as the primary method to remind employees of management’s expectations for ethical conduct in the workplace. As the Chief Integrity Officer, I have asked the OIA to publish a standing column in their newsletter from our office. The objective is to keep employees informed of new policies, regulations, and compliance issues.

COMPLIANCE/ETHICS HOTLINE

How does a compliance hotline reinforce an organization’s ethics policy?

The hotline provides another avenue for an employee, who might otherwise fear retaliation, to voice a concern “safely.”

The Compliance Office and the OIA work together to investigate concerns reported through the ethics hotline. Each case is taken seriously and investigated to its natural conclusion.

(Continued on page 5)

Inside this issue:

What is Internal Audit? 1

Hitting the Century Mark: Celebrating 100 Years of Audit Experience & Certifications

1

Interview with Jim Rush,

JD, Chief Integrity Officer

3

Time Theft Can Lead To Jail Time

6

Do You Know What’s Being Charged To Your Departmental Budget?

7

Auditors Serving the Community….….One Step At A Time

8

“The Compliance

Office and the OIA

work together to

investigate concerns

reported through the

ethics hotline. Each

case is taken seriously

and investigated to its

natural conclusion.”

Page 5 The Audit Connection

1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Ask the Auditor! We invite you to send your questions to [email protected], and we may feature it in future issues.

Are there any changes to the hotline that employees should know about as a result of the consolidation?

We will have a new hotline vendor soon, but the transition should be seamless. Employees will report an issue in the same way they have in the past, by contacting the “hotline.” There will be an awareness campaign to alert employees. You will see posters displayed similar to what is in place now.

What types of concerns should be reported to the hotline? What, if anything, should NOT be reported?

We want to hear all concerns that someone has about the Enterprise. Of course, you should always go through the chain of command first, to try to resolve an issue. Sometimes your concern might be redirected to another office depending upon the nature of the complaint.

Cartoon used with permission from baloocartoons.com

Inside this issue:

What is Internal Audit? 1

Hitting the Century Mark: Celebrating 100 Years of Audit Experience & Certifications

1

Interview with Jim Rush,

JD, Chief Integrity Officer

3

Time Theft Can Lead To Jail Time

6

Do You Know What’s Being Charged To Your Departmental Budget?

7

Auditors Serving the Community….….One Step At A Time

8

Page 6 The Audit Connection

1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Ask the Auditor! We invite you to send your questions to [email protected], and we may feature it in future issues.

Time Theft Can Lead to Jail Time Will Barnes, Senior Auditor Ever hear of someone falsifying a time sheet, manually adjusting the time worked, clocking in for a friend who isn’t at work, or have you ever asked someone else to clock in for you? You might want to think again as some former employees recently learned the hard way and are now doing hard time!

Late in 2009, an internal investigation was initiated following a whistleblower complaint directed toward a single employee.

As the investigation unfolded, it became evident that others were involved in a scheme to defraud the state of money by manipulating TimeWare, the time and attendance system. The further the internal auditors investigated, they discovered a fraud that exceeded $100,000. More questions surfaced: How could this have happened? Were any controls in place? How were the controls circumvented? All good questions, ones that needed answers and solutions to make sure this could not happen again.

Were there controls? Yes, but they were weak. The controls were circumvented by a trusted employee. Human nature is to trust, however, when dealing with state/company assets, we can trust but we must also verify.

The trusted employee discovered a way to add time to TimeWare and provided the other employees with unearned compensation. The manager, who should have seen and questioned the excessive time, was not receiving nor reviewing the reports (that manager is no longer employed with GRU). When upper management looked at the budget as a whole, no red flags or alarms were raised because expenditures were still within operating parameters.

Did the system fail? Yes. Could the fraud have been prevented? Yes. Was the rest of the system reviewed to see if this fraud was occurring elsewhere? Yes. Have changes been made to keep it from happening again? Yes. New, stronger procedures were developed to ensure abuse of time would not go undetected in the future. Additionally, a new time and attendance system is now being implemented.

What happened to the employees that took part in the scheme? In cases being prosecuted by the Attorney General of Georgia, the four former employees have been indicted for racketeering and theft by taking for their role in submitting fraudulent time information and receiving unearned compensation. Two are currently in jail, one sentenced to

(Continued on page 7)

Inside this issue:

What is Internal Audit? 1

Hitting the Century Mark: Celebrating 100 Years of Audit Experience & Certifications

1

Interview with Jim Rush,

JD, Chief Integrity Officer

3

Time Theft Can Lead To Jail Time

6

Do You Know What’s Being Charged To Your Departmental Budget?

7

Auditors Serving the Community….….One Step At A Time

8

Page 7 The Audit Connection

1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Ask the Auditor! We invite you to send your questions to [email protected], and we may feature it in future issues.

10 years, serving two; the other sentenced to five years, serving one. They also have to make restitution. The remaining two former employees are awaiting trial and/or sentencing:

If you want to read more, click on these links to the press releases:

Three Indicted

Former Employee Sentenced

Former Employee Jailed

Fourth Indictment

Remember – Trust, but Verify!

Do You Know What’s Charged To Your Departmental Budget? Monitoring Financial Transactions Sheryl Brown, I.T. Auditor When was the last time you looked at the details of your department’s monthly expenditures? Do you monitor your department’s reports monthly for reasonableness, accuracy, and appropriateness? Could your account be incurring charges that are no longer applicable? In a real life example of this, the Office of Internal Audit recently learned that our business phone charges were incorrect: we were being charged for a land line for a former employee of Internal Audit and voice mail service for former employees of other departments. In light of the changes that have accompanied the creation of enterprise and consolidated offices, it is possible that the charges for the phone lines did not get appropriately changed to reflect current staffing. The process of tracking your department’s telecommunication charges can be tricky, but we have excellent resources on our Unified Communications Services (Information Technology Services) team to assist in identifying the charges for you to validate. The reports and tools for monitoring financial transactions may differ across university and corporate units. Medical Center managers should check their FRX reports monthly and question charges that seem unusual or unexpected. University managers should monitor their PeopleSoft reports: Comprehensive Financial Report, Budget Transaction Detail Report, and Revenue Estimate Budget Status Report.

(Continued on page 8)

Inside this issue:

“The reports and

tools for monitoring

financial

transactions may

differ across

university and

corporate units.”

What is Internal Audit? 1

Hitting the Century Mark: Celebrating 100 Years of Audit Experience & Certifications

1

Interview with Jim Rush,

JD, Chief Integrity Officer

3

Time Theft Can Lead To Jail Time

6

Do You Know What’s Being Charged To Your Departmental Budget?

7

Auditors Serving the Community….….One Step At A Time

8

Page 8 The Audit Connection

1120 15th Street, Augusta, GA 30912 | Phone: 706-721-2661 | Fax: 706-721-9094

Ask the Auditor! We invite you to send your questions to [email protected], and we may feature it in future issues.

Remember that it’s up to the manager of each budget unit to review actual charges each month AND to initiate changes to the budget in a timely manner as they occur. It’s important to be good stewards of state allocations for the academic enterprise and of corporate expenditures for the clinical enterprise. One way to “watch the pennies” is to pay only for services we use. To assist with sound budgeting, you should identify and validate the charges against your department’s accounts. This is especially appropriate if your department has consolidated, integrated, or experienced a change in leadership or employees. Auditors Serving the Community … One Step at a Time Lisa M. Kedigh, Administrative Assistant

Internal Audit believes it is important to give back to the community and help people on their path to better health and overall well-being. We try to make an impact through volunteering, fundraising and offering our time and effort to some very important causes and organizations within the CSRA. It is also important that we give back to the community because of the many people who volunteer to help our department, University and Hospital.

Recently, we participated in the CSRA Heart Walk for the American Heart Association, where we exceeded our participation goal and far exceeded our fundraising goal! Some members of the team also participated in the grueling 10K run at the GRU Augusta Half Marathon which took place on February 24th. We have also been heavily involved in the College of Nursing Healthy Grandparenting Program. This program assists grandparents and other non-parent caregivers of young children. Each year donations from GRU and the community allow each child to receive a gift from Santa at the annual Christmas party. Our audit team “adopts” four children each year and provides them with gifts. We also participated in GRU’s Day of Service, volunteering our time at different locations around the CSRA such as the Ronald McDonald House, the CSRA Humane Society, the Aiken Animal Shelter, and the Golden Harvest Foodbank.

When we share our time and talents we:

Solve Problems

Strengthen Communities

Improve Lives

Connect to Others

Transform Our Own Lives

Get involved and start making a difference, we did!

Inside this issue:

What is Internal Audit? 1

Hitting the Century Mark: Celebrating 100 Years of Audit Experience & Certifications

1

Interview with Jim Rush,

JD, Chief Integrity Officer

3

Time Theft Can Lead To Jail Time

6

Do You Know What’s Being Charged To Your Departmental Budget?

7

Auditors Serving the Community….….One Step At A Time

8