
9/21/2017


Is it Relevant? Alignment of Mission, Universe, and Reporting in Higher Education

Michael C. Bowers
Associate Director, Information Technology and Campus Audit Services
Massachusetts Institute of Technology

ACUA Annual Conference, Phoenix Arizona
Tuesday 3:10 to 4:50 (100 minutes til’ the day is done!)

Is it Relevant? Alignment of Mission, Universe and Reporting in Higher Education

Through a case study of MIT’s Audit Universe, this session will explore how the alignment of culture to audit standards can facilitate relevant reporting that is in agreement with the culture, spirit and goals of the Institute.

After this session, participants will be able to:

❂ Build an audit universe that facilitates the conduct of credible engagements.

❂ Integrate enterprise (risk) frameworks with audit risk frameworks.

❂ Align reporting with the expectations of stakeholders.

What do you want from today?


An intro to MIT: which of these statements is untrue?

1. A “Smoot” is an acceptable unit of length for bridge measurement of approximately 5’ 7” each

2. Tony Stark (and Iron Man is real) was able to receive a bachelor’s degree from MIT “summa cum laude”, as rumored

3. MIT admits its class each year on Pi Day at “Tau Time” … March 14 @ 6:28 PM

I like pie!

The mission of MIT is to advance knowledge and educate students in science, technology, and other areas of scholarship that will best serve the nation and the world in the 21st century.

The Institute is committed to generating, disseminating, and preserving knowledge, and to working with others to bring this knowledge to bear on the world’s great challenges. MIT is dedicated to providing its students with an education that combines rigorous academic study and the excitement of discovery with the support and intellectual stimulation of a diverse campus community. We seek to develop in each member of the MIT community the ability and passion to work wisely, creatively, and effectively for the betterment of humankind.

Mens et manus

Mind and Hand


MIT by some of the Numbers

• $1.5B Research Expenditures (44%)
• 12,109 employees, 1,036 Faculty, 11,379 students (6,852 graduate / 60%)
• Worldwide affiliations and operations
• 30% Int’l Students
• 168 acres in Cambridge include 100 public art works, a book press, and a nuclear reactor
• 87 Nobel Laureates (current and former community members)
• $3.3B Operating Expenditures
• $14.8B Endowment

A disseminated control environment with …

The Audit Division is responsible for delivering audit services Institute-wide through a risk-based program of audit coverage, including compliance assessments and financial, operational, and information technology reviews and audits. In addition, the Audit Division provides Risk and Audit Committee with counsel and information regarding activities reviewed to assist them in fulfilling their responsibilities.

• 17 People
• 20 Professional Certifications
• 6 Advanced Degrees
• Diverse Undergraduate & Professional Profiles

MIT Audit Division: Who we are and how we are organized

[Organization chart: Executive Vice President & Treasurer; Risk & Audit Committee; Institute Auditor; Lincoln Laboratory Audit Services; Campus Audit Services. Chart labels: Administrative; Functional]

Stakeholder Perception

As part of a Quality Assurance Review, an independent third party conducted interviews of stakeholders across the Institute to gain an understanding of how they see or perceive the Audit Division.

These are their comments

Campus Audit Services is committed to improve on this base of excellence

Note: The relative size of the words correlates to their occurrence/use by interviewees.

Relevance: The quality or state of being closely connected or appropriate.

Setting the Case


“Internal Audit must be engaged, better prepared and more informed about the resources used and the reasonable needs of its stakeholders”

- Anton Van Wyk, IIA Global Chairman (Internal Auditor, November 2014)

[Charts: Expectation vs. Performance (axis 30% to 80%) as rated by CAE, Senior Management, and Board Member, for two areas: “Identifying thematic issues the organization is facing” and “Promoting quality improvement and innovation”]

Source: 2014 State of the Internal Audit Profession study, PwC

PwC 2017 State of Internal Audit

“Staying the Course toward True North

Despite strong ambition from CAEs to grow their value to the organization, PwC’s 2017 State of the Internal Audit Profession study shows Internal Audit is losing ground in trying to keep pace with stakeholder expectations. In the five years we’ve been tracking this sentiment, 2017 represented the LOWEST stakeholder perception of Internal Audit value.

Stakeholders, however, remain committed to wanting Internal Audit to play a greater and more value-added role. While few (7%) consider IA to be a trusted advisor today, nearly half (48%) want Internal Audit to be a trusted advisor to the business within the next five years.”


Internal Audit Value

“The internal audit function’s position within a company is unique. It provides its principal stakeholders (audit committee members and management) valuable and objective assurance on governance, risk management and control processes, as well as consulting services to improve operations.”

- Knowledge Leader (Protiviti), Internal Audit’s Performance – Raising the Bar, March 2014 Insight

• Catalyst • Analyses • Assessments

Assurance

• Governance • Risk • Control

Objectivity

• Integrity • Accountability • Independence

Institute of Internal Auditors Value Proposition

Universe: Build an audit universe that facilitates the conduct of credible engagements.

Audit Plan Equation

Audit Plan =

Universe / Resources

Time1

Audit Universe

External Threats

Institute Risks

Limited Structure Initiatives

Auditable Processes (Entity)

The audit universe is the sandbox in which internal auditors play. It represents all things (lines of business, subsidiaries, alliances, and processes) that are considered “auditable” by internal audit teams.

- COSO.org “Kiko’s World”

• For MIT’s purposes, we may identify the context of our universe as:
◦ Areas that represent mature, auditable processes
◦ Excludes areas or engagements considered to be advisory
◦ Generally focuses on operations risk rather than strategic risks
◦ Does not limit the scope of the Audit Division, but rather defines processes that can be effectively audited

Design Core of the Audit Universe

[Diagram labels: Community; Research; Academics; “Advance Knowledge”; “Educate Students”; “Serve the Nation and the World”]

Design Core of the Audit Universe

[Diagram labels: Support; Faculty; Students; “Advance Knowledge”; “Educate Students”; “Serve the Nation and the World”]

Design Core of the Audit Universe

[Diagram labels: Gifts & Other; Sponsored Research; Tuition; “Advance Knowledge”; “Educate Students”; “Serve the Nation and the World”]

Audit Universe: Current Construct

Conceptual Design of Universe

• Based on the processes established by management in support of Institute mission
◦ L1 - Functions represent the mission activities of the Institute (L1)
◦ L2 - Objectives Processes represent activities and objective of engagements (audits)
◦ L3 - Scope Processes are the management line objectives and scope of the engagement

• Hierarchy of DLCs and Offices are an identifier for reporting or aggregation for reporting
◦ Implies that the long term Audit Plan approach is vertical
◦ Short term may appear horizontal

What we do & Where we do it

[Matrix of “What” (columns) against “Where” (rows); the column position of each “Exists” entry is not recoverable]

What:
L1: Function 1 | Function 2
L2: Objective Process A | Objective Process B | Objective Process C
L3: Scope Proc. W | Scope Proc. X | Scope Process Y | Scope Process Z

Where:
DLC 1: Exists, Exists
DLC 2: Exists, Exists, Exists, Exists
DLC 3: Exists
Office A: Exists, Exists, Exists
Office B: Exists, Exists

DLC = Department, Laboratory or Center

Audit Universe: Current Construct

Conceptual Design of Universe

Implied Vertical Audit Approach

Engagements may be one or many auditable entities (entity can be seen as a box)

String engagements together or split scopes to provide systemic coverage balanced with resources

Accepts Some Audit Risk

[Diagram axes: What; Where]

Audit Universe: Functions [What L1]

Primary operational objectives

• Governance & Communication

• Academic & Research

• Student & Campus

• Treasury & Investment

• Administration

• Alumni & Development

• Legal & Compliance

Each Function (primary process) is comprised of a family of Institute business objectives

Resources are recruited with an eye to provide for coverage of Functions

Individual engagement line items and audit objectives are aligned with next level in Universe: Objective Processes

Internal Audit Approach

Audit Universe: Objective Processes [What L2]

Process Areas

• Governance
• Communications
• Fraud & Abuse
• Sponsored Research
• Institute Initiatives and International Engagement
• Academic Programs & IP
• Libraries, Arts and Institute Equity
• Education of Undergraduates
• Student Life
• Graduate Education
• Digital Learning
• Financial Management
• Information Technology
• Human Resources
• Physical Infrastructure
• Campus Health & Safety
• Environmental, Health and Safety
• Other Administrative Processes
• Credit and Long Term Debt
• Investments and Cash Management
• Alumni Relations and Gift Revenues
• Risk Management & Insurance
• Legal & Compliance

Internal audit approach

• Represents Audit Objective Announced to Stakeholders
• Represents basis for Global Risk Assessment (Annual Planning)
• Assessment frameworks:
◦ Management inputs and outreach
◦ Institute risk management reports of factors
◦ Historical coverage or perceived weakness in control
• Scope of audit (engagement letter) is aligned with next level: Scope Processes

Audit Universe: Scope Processes [What L3]

Scope Processes Example

• Financial Management (L2)
◦ Assets & Revenues
◦ Liabilities & Expenditures
◦ Budget & Financial analysis
◦ Financial Systems and Reporting
◦ Other Financial Management
◦ DLC Financial Management

Internal Audit Approach

• Represents the Scope of the Audit
• Test plan individually designed each audit
• Test plan derived from control activities in place to manage risks identified for each Scope Objective
• Scope finalized after planning is complete
• Each Scope Process will be risk assessed at the audit level (Likelihood / Impact format)
• We express an opinion for each scope objective

As Applicable

Scope Objectives

• “Where” the mission is met

• Senior Management represents the de facto shared risk owners

• Institute has established structures, guidelines and process in place to achieve its mission

• Our use of the hierarchy places a “face” to the management of risk

• We audit process not people

Massachusetts Institute of Technology

This is also the legacy Audit Universe

Risk: Integrate enterprise (risk) frameworks with audit risk frameworks.

Revolutionary Risk Assessment Foundation

[Figure: risk matrix with quadrants Medium Risk, High Risk, Low Risk, Medium Risk. Vertical axis: Likelihood of realizing the Risk (Increasing). Horizontal axis: Impact of Risk on Institute if Realized (Increasing).]

Risks are assessed as to “likelihood” and “impact”

Risk @ MIT

MIT seeks to push beyond existing boundaries and to seize opportunities in support of its mission. We strive to create an exemplary risk-oversight framework that assists Institute personnel in taking informed risks, built on law, regulations, policy, and best practices, while respecting MIT’s decentralized, collaborative, and entrepreneurial culture.

- MIT Risk Management & Compliance Services

Executive Vice President

Risk & Audit Committee

Audit Division

Risk Management & Compliance Services

General Counsel

Respecting the Past, Protecting the Future, Taking Informed Risks

Risk @ MIT: Risk Types

Risk is the effect (positive or negative) of uncertainty on the Institute's mission and goals. Generally, risks at MIT are grouped into five categories: Safety, Operational, Behavior, Financial, Compliance. Additionally, Reputation is another risk type that could result from risks in any of these five categories.

Risk @ MIT: Context

Student Safety

COI

Research

AR15.03 Procurement process is adequate to ensure costs charged to an award have a direct benefit to the award,

Procurement decisions are not sufficient to ensure costs charged to an award have a direct benefit to the award.

Spending of Sponsored Research funds is not in accordance with Sponsor requirements, Federal Compliance Guidelines, or MIT policies and procedures.

Around 28 ERM Style Risks

RMCS shows risk like … Audit normally sees risk as …

Risk @ MIT: Environment

[Diagram labels: Emerging Risks; Operational Risks; Enterprise Risk Management; Internal Audit; Relevancy & Opportunity]

Risk @ MIT: Universe Level

Receive Data
• Outreach
• Environmental
• Changes
• Institute Risks

Evaluate
• Goals/Themes
• Coverage
• Prior Results
• External Threats

Create Plan
• Audit
• Advisory
• Other

Professional Judgement

Risk @ MIT: Universe Level - Results

[Chart: 201x Plan Audit Effort by Primary Risk Category. Categories: Operational, Financial, Compliance, Safety, Behavior. Data labels: 46%, 24%, 20%, 6%, 4%.]

[Chart: 201x Plan by Institute Function. Axis: % of Planned Audit Effort (0% to 30%). Functions: Other, Human Resources, Student Life, EHS, Financial, Research - Campus, Investments and Gifts, Information Technology, Research - Lincoln.]

Risk @ MIT: Audit Engagement Execution

Within Auditable Entity

Objective
• Business objective of area being reviewed
• The goals of the area

Risks
• What prevents the achievement of the Objective
• Institute relativity

Controls
• Activities designed to manage Risks
• Links to control frameworks
• Drives test plan

Audit Execution Risk - Conceptual

Business Process Objective:

Operational Risk(s)

Compliance Risk(s)

Financial Risk(s)

Safety Risk(s)

Behavioral Risk(s)

Management provides control to administer each risk to an acceptable level.

It is at this point we can apply frameworks such as COSO

We ultimately test controls. However, the goal of the audit may be interpreted as the effectiveness of management of risks, rather than whether controls are operating

Reputation is incorporated into the five identified categories


Reporting: Align reporting with the expectations of stakeholders.

Fundamentals of a Report

Three parts of the audit report that make it relevant
• The audit opinion or theme: overall message
• Positive or confirming statements: what is done well
• Issues and recommendations: opportunities for improvement

At all times the Report must be convincing
• Clear and concise
• Maintain a positive tone
• No auditor jargon
• Factually correct with sound analysis

Align with Organizational Objectives

Relevancy in Design of Audit Reporting

Is Brand Relevant?

Your Brand is what other people say about you when you are not in the room

- Jeff Bezos, Amazon

• Clarity – What do you stand for? Your Values.

• Commitment – Are you committed? Understand.

• Protection – Do you defend your Brand?

• Responsiveness – Do you respond to change?

• Relevance – Do you know what your Customer Wants? What are their needs and desires?

• Differentiation – What makes your message different?

• Consistency – Are you consistent in its implementation? Does the customer know what to expect?

• Presence – Do they talk about you when you are out of the room?

Interbrand Framework

Think on how the message is delivered

Culture Matters

Starting Point – The Report Template

• Structure of the MIT Issued Report

• Page 1: Summary – Included background information and our opinions on the business process area reviewed

• Page 2: Audit Findings – Finding, Recommendation and Management Action Plan with each one being weighted for overall risk to the Institute’s mission.

• Page 3: Advisory Observations – Items identified and communicated to management that are not necessarily control weaknesses or deficiencies.

Starting Point – The Report Template

• Overall opinion links to Results Matrix

• Result Matrix is comprised of Scope Objectives taken from a standard Library tied to the Audit Universe

• Universe is tied to Institute Risks

Each Report becomes a Data Point to be drawn upon in evaluating the Institute’s control environment


Focus in on Opinion Matrix

Scope of Process/Area Tested | Design and Implementation of Controls | Related Audit Findings
Scope Process #1 | Scope Process #1 Opinion | Finding Title And Statement
Scope Process #1 | Scope Process #1 Opinion | Finding Title And Statement

Audit Scope Process
– Locally relevant
– Links Report & Entity

Entity Scope Process
– Compare across entities
– Senior mgmt. relevant
– Links Entity & Universe

Universe Scope Process
– Ties to Institute mission
– R&AC relevant
– Links Universe & Risk

Ernst & Young’s Value Risk Approach

[Chart: vertical axis “Likelihood of realization” (0 to 60); horizontal axis “Velocity/ Urgency of Risk” (0 to 6)]

Likelihood / Probability / Impact

• Provide insight into the importance of the business’s activity within the organization or the levels of risk it may pose;

• Give insight whether management knew about the identified audit issues and what they are doing to fix it.

• Performance level (“Satisfactory”, “Needs improvement”, “Unsatisfactory”) of the control environment of an auditable entity.

Data Analytics? … but we do not have time for that!

Michael C. Bowers
[email protected]

Thank you