Governance and Controls in Higher Education
Education institutions and businesses were defrauded by more than $3.6 billion in 2021, according to the 2022 ACFE Report to Nations. No industry or sector is immune from fraud, and the education sector is no exception. Higher education organizations are some of the largest organizations in the world, employing more than 3 million staff members in the U.S.
However, a lack of internal controls in higher education institutions leads to increased fraud. Many universities battle the complexity of managing their control environments due to overlapping processes and procedures. Further compounding the problem are siloed reporting structures, a lack of qualified security staff, a weak internal control environment, financial pressures, and an extensive technology landscape.
Fraud is using one's employment for personal enrichment through the deliberate misuse or misapplication of the employing institution's resources or assets.
AFCE's 3 main categories of occupational fraud
- Corruption schemes (schemes involving bribery or conflicts of interest)
- Financial statement fraud schemes (recording fictitious revenues and understating reported expenses)
- Asset misappropriation schemes (theft of company cash, false billing schedule, false or inflated expense reports)
Asset misappropriation makes up over 86% of all cases reported (2022 AFCE Report to Nations)
Average median losses by category
- Asset misappropriation = $100,000
- Corruption = $150,000
- Financial Statement Fraud = $593,000
Fraud loss vs. Reputational Damage
The most significant risk of fraud in higher education is possibly the reputational damage sustained from the fraud.
- Institutions receiving negative publicity (news broadcasts, newspapers, rating agencies, etc.)
- The potential drop in future enrollment
- The potential drop in future advancement and development contributions, and
- The potential drop in future research grant funding
A strict system of internal controls, with the right balance of preventive, deterrent, and detective controls, can significantly reduce a university's vulnerability to fraud.
What is an internal control framework?
A control framework is a basis for developing an organization's internal controls. Internal controls aim to minimize risk by using practices and procedures in a coordinated method. The best-known control framework is the Integrated Framework developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. The COSO framework defines internal control as a process designed to provide reasonable assurance of the achievement of the following objectives:
- The efficiency and effectiveness of the organization's operations
- The reliability of an organization's financial reporting, and
- The compliance of the organization with applicable laws and regulations
Five principles of the COSO internal controls framework
In an effective system of controls, the five components below help an organization fulfill its goals and mission and better reach its defined objectives. These objectives are various lines of defense that your institution can use to defend against risk.
Every institution faces risks that prevent it from reaching its objectives. Those risks are identified through a risk assessment to ensure that the organization only allows acceptable risks. However, risk assessments in higher education are particularly challenging because most lack internal audit resources and centralized controls to conduct the assessments appropriately.
A risk assessment may uncover areas where more controls are needed, in which case management may elect to implement additional control activities.
Control activities are those policies and procedures used to ensure that an organization carries out the guidelines of the management team. Control activities aim to embed your business objectives into your operations. There are many control activities, including segregation of duties (SoD) requiring that multiple people are involved in transactions to reduce the risk of misuse or misappropriation of resources.
Another example is supplier onboarding in the procure-to-pay cycle. This control activity is implemented to identify unapproved or illegal suppliers. Or suppose your control objective is to capture all discounts when paying invoices or maintain correct bank accounts to avoid the risk of changes to a supplier's bank account, enabling the payment to be made to a staff member instead of the supplier. When control activities are not being performed correctly, it creates the opportunity for fraud.
Information and Communications
Communication is a daily occurrence in every institution. And information communication is necessary for the institution to carry out internal control responsibilities to support the achievement of objectives. To support the function of control activities, management develops and utilizes quality information from internal and external sources.
This aspect of the framework addresses the appropriate methods for reporting incidents. Specifically, all staff know how to report an incident, who to report it to, and where to report it. These channels must be pre-established, in place, and tested - just like all other aspects of your control framework - to ensure they operate effectively.
Disclosure of control failure to your stakeholders is often an obligation written into grant contracts. If your information and communications controls are ineffective, you could be placing a large portion of the institutions funding at risk.
COSO defines the Control Environment as the "set of standards, processes, and structures that provide the basis for carrying out internal controls across the organization." The control environment includes:
- Tone at the top of the organization
- Communication concerning ethical behavior and internal control with all staff, and
- Overall integrity and values of the organization
These components provide the overall basis for a successful system of internal control.
Monitoring internal controls is vital to ensure controls are operating effectively. Monitoring involves internal and external audit evaluations of the controls to identify and communicate any issues that need corrective action.
This ongoing evaluation of internal controls gathers information used in external audits to verify the organization's financial statements, reduce fraud risk, and provide confidence to markets and investors.
How controls can help mitigate risk
Many educational institutions have inadequate internal control programs because their controls don't adequately consider risk. These institutions are only focused on testing their controls and not sufficiently evaluating the effectiveness of controls when conducting a self–assessment or preparing for the annual SOX audit.
However, implementing a risk-based controls approach that correctly leverages resources can reduce the overall cost of an internal controls program and ensure that the control adequately mitigates the risk. Risk-based controls focus on the critical controls that minimize risk within business processes. Failing to take a risk-based approach may result in placing more controls than the operation needs. The operation may wrongly focus on perceived key controls that do not adequately address the inherent risks for specific business processes.
Solutions for enhanced access governance
Policies: Policy-based access control is the foundation of context-driven access control models, essential to developing achievable, dynamic strategies to manage risk across dispersed departments and systems. Policy-based access is particularly beneficial for institutions because of its flexibility and manageability. Policy-based access controls are the most effective solution for complex change-rich environments.
SoD analysis: The main objective of SoD policies is preventing conflicts of interest between staff, duties, or areas within the institution. The prevention of conflict is guided by access policies, enabling the identification of the individual responsible for each process. To ensure a thorough analysis of SoD conflicts, it is essential to identify SoD conflicts across all institutional groups and applications with rules repositories that function at a granular level and offer detailed SoD conflict management.
For example, if your payroll SoD policy is that each department should designate a different staff member to perform each payroll function;
- Time approver
- Time coordinator
- Review and reconciliation of payroll expenses, and
- Creating payments
Then an SoD analysis solution would enforce this policy and identify areas where the policy is in conflict. If a department lacks sufficient staff to segregate the responsibilities, alternative controls would need to be implemented.
Automated user provisioning: Prevents users from acquiring conflicting access by performing real-time policy analysis at the time of fulfillment. Analyzing SoD conflict risk at the time of fulfillment ensures that future risks are not introduced into your systems.
Once you’ve clearly defined your SoD processes to separate duties into multiple tasks, it is imperative to have an effective way of ensuring that separation remains consistent and enforced. And a strong segregation of duties monitoring solution is critical in strengthening fraud prevention.
Emergency access management: Emergency access management is a secure process for controlling super-user access across multiple systems with an independent system of record to provide an audit trail for privileged user access. Automating the process of granting one-time privileged access with activity tracking will dramatically reduce risk exposure to the institution.
User access certification: User access certification is an essential part of compliance. Unfortunately, access certifications are often seen as a hassle. However, modern solutions can initiate certifications based on specific conditions such as application, department, and business unit. Increasing the ease of use and the granularity of visibility into privilege access certifications can be effective while avoiding approver fatigue.
Due to the distributed and siloed nature of university systems coupled with a vast IT landscape performing user access certifications is particularly important. The probability that a user could be innocuously given a toxic combination of roles is higher than in other business sectors.
Transaction monitoring: Educational institutions can monitor targeted transactions and events by requiring approvals and notifications when key risk fields are modified. Examples include requiring approvals and reasons for changes to supplier bank accounts and preventing the posting of GL entries into a closed period without consent from the Controller.
Depending on the size of your institution, you might be reviewing transactions manually, but if you have multiple locations, an automated solution can provide a deeper level of protection against suspicious transactions and fraud.
Higher education institutions are complex. They operate in a decentralized environment in a highly regulated industry, and not all managers have finance experience. This means that having a solid internal controls framework and enforcement system is essential to their viability. Fortunately, resources and solutions are available to assist you in reducing risk to manageable levels.
Higher education case study
A leading teaching and research institution on the United States West Coast.
SafePaaS was enlisted to assist the University with its internal controls. The University was struggling with:
- Manual processes to review access control violations
- No solution to review access controls for their third-party cash receipt application
- No method to detect and track key application setup controls and master data changes
- Not able to monitor transaction data related to funds for grants and programs, and
- No means of monitoring privileged access
Additionally, the University handled large amounts of cash from students and struggled with how its cash management system integrated into its accounting system. Their IT staff had privileged access to fix issues, but the University had no means of tracking the changes the IT department made. The university’s internal audit team was testing changes by reviewing screenshots, but they could not look at changes impacting their processes and control activities, which made the control ineffective.
With AccessPaaS™, SafePaaS devised a solution to set up an automated approach to identify risks in their ERP and higher ed systems managing student cash inflows, grants, and other endowments. AccessPaaS can also help them track how money is allocated to project billing and costing.
By working with SafePaaS, the University was able to apply some of the COSO control framework techniques to become more proactive. They are also experiencing increased savings and ROI on all the details they can now detect. The University now performs periodic access reviews faster because it is 100% automated. They review user access from the abstract role level to the attribute level.
SafePaaS also cross-linked their provisioning systems, IAM system, ITSM system and applications, allowing them to complete all certifications promptly and accurately.
Additionally, they can identify risks in the cash entry system, correcting over or underpayment, and changes to configurations are now encoded in workflows that are routed to the department head to verify the request when changes occur. These changes are also tied to their ticketing system.
Reconciliation time has decreased, and errors, misuse, and fraud risks have reduced significantly. They also gained the ability to look at supplier bank account setups, approvals, and hierarchies when managing grants and donations.
Many colleges within the University are very powerful and do not tend to share from college to college and department to department. SafePaaS broke down those barriers and implemented safeguards that otherwise would be hard to accomplish. The University can now easily demonstrate compliance with big donors and the government for grant funds and assure confidence in their funding sources regarding their due diligence processes. The University benefits by having the necessary time to tackle productive work and not waste as much time on audits while decreasing audit fatigue.
Contact us to learn more about our Higher Education solutions.