AUDIT & ADVISORY SERVICES
Newsletter - Winter 2022
In this issue:
  • Operational – Internal Controls
  • IT Security – SOC 2 Reports
  • Fiscal Year 2021-2022 Audit Plan
  • USC Integrity Line – Expense Reimbursement Fraud
  • News Links
  • Contact Information
Operational - Internal Controls

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.”

The following are the five key components of internal control:

  1. Control Environment - a set of standards, structures, and processes providing the foundation for executing internal control across the organization
  2. Risk Assessment - forms the basis for determining how risks will be managed
  3. Control Activities - actions that assist management in mitigating the risks associated with the achievement of objectives
  4. Information and Communication - the distribution of information needed to perform control activities and to understand internal control responsibilities to personnel internal and external to the entity
  5. Monitoring Activities - ongoing evaluations of the implementation and operation of the five components of internal control

For departments that rely heavily on specific employees to perform internal control processes, the following steps should be taken to provide coverage against key employee turnover:

  • Document control systems - Identify key tasks and document the expectations for performing those tasks in a checklist, desk procedure, flow chart, or narrative.
  • Cross-train staff - Implement cross-training and duty rotations for employees performing key processes. The staff in training should follow the documented procedures to complete the tasks and provide feedback to identify potential improvements.
  • Documentation repositories - Organize and store procedure documentation in a centralized repository to allow for ease of reference during a transition.

The University has established an Internal Control Policy to provide the internal control objectives of the Board of Trustees to the University community.

IT Security – SOC 2 Reports

The American Institute of Certified Public Accountants created System and Organizational Control (SOC) reports in 2011 to provide assurance to user organizations and stakeholders that a particular service is being provided securely.  In accordance with the current SOC audit framework, SOC reports must be conducted and issued by CPA firms.  There are three types of SOC reports:

  • SOC 1 reports are used as assurance that financial information provided to customers is accurate.
  • SOC 2 reports provide assurance that service providers are protecting sensitive data and minimizing risk for their customers.
  • SOC 3 reports are similar to SOC 1 and SOC 2 but are generated for public distribution for marketing purposes. These reports are typically used by enterprise-level service providers.

A SOC 2 report provides assurance that the service is being provided in a secure and reliable manner by addressing one or more of the following Trust Services Criteria:

 

  • Security - Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives.
  • Availability - Information and systems are available for operation and use to meet the entity’s objectives.
  • Confidentiality - Information designated as confidential is protected to meet the entity’s objectives.
  • Processing Integrity - System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Privacy - Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.

 

The rise in cloud computing and outsourcing has created an increased need for user organizations to utilize SOC 2 reviews to assess and address the risks associated with third party technology services.  University personnel should obtain and thoroughly review SOC 2 reports prior to engaging third party service providers. As controls may change over time, periodic reviews of the service provider during the engagement should also be performed.

Fiscal Year 2021-2022 Audit Plan

Each year, we complete a University-wide risk assessment to identify key risks. Based on the results of this assessment, we determine what areas should be audited to provide the greatest value to the University. Below is the Audit Plan for the 2021-22 Fiscal Year, as approved by the Board of Trustees.

Academics/Student Support

  • Carolina Online Management – Admissions Processes

Athletics

  • Name, Image, Likeness

Financial

  • University Stress Testing

Operational

  • Data Integrity – Institutional Data Reporting
  • Campus Project Management – Campus Village
  • CARES Act Compliance – HEERF
  • Deferred Maintenance
  • IT Intrusion Detection/Incident Management
  • IT Asset Management
  • Information Security Program Compliance
  • PeopleSoft – Strategic Sourcing
  • Research Computing Infrastructure Security
  • Server Security
  • Student Athletes’ Medical Records Privacy
  • Succession Planning
  • USC Upstate Business Operations
  • IT Vulnerability Management – Comprehensive Universities/Palmetto Colleges

Research

  • Foreign Influence – Affiliate Appointments
  • Research Compliance – Late Cost Transfers

Safety

  • Campus Safety – Comprehensive Universities/Palmetto College Campuses
  • Chemical and Biological Safety
  • Title IX - Advisory
USC Integrity Line - Expense Reimbursement Fraud

The Association of Certified Fraud Examiners (ACFE) defines expense reimbursement fraud as “a fraudulent disbursement scheme in which an employee makes a claim for the reimbursement of fictitious or inflated business expenses.” According to the 2020 Report to the Nations on Occupational Fraud and Abuse, published by the ACFE, employee reimbursement fraud existed in 14% of all asset misappropriation cases reported, which resulted in a median cost of approximately $33,000 per incident with a median detection time of 24 months.

Expense fraud can fall into the following four major categories:

 

I. Mischaracterized expenses: an employee claims a personal expense for reimbursement as a business expense.

 

Red Flags

  1. Items that don’t seem to have a business connection
  2. Meals and entertainment when employees aren’t working/travelling or on weekends or holidays
  3. Items or meals for children, or from establishments in the employee’s neighborhood
 
II. Overstated (or inflated) expenses: an employee submits a claim for a legitimate expense but increases the amount.
 

Red Flags

  1. Incomplete or inadequate expense report
  2. Supporting documents such as receipts that are suspicious and/or show signs of fabrication (e.g. inconsistent font, color, visible correcting fluid/tape, pixelation, scratched out information)
III. Fictitious expenses: an employee submits a fake expense and/or false receipts for reimbursement.
 

Red Flags

  1. Multiple expense reports submitted close together from the same company, from the same employee
  2. Taxi, hotel, flight, or other travel-related receipts for dates and times the employee was known to NOT be on company business
  3. Receipt amounts that are significantly higher than similar reports submitted by other employees
  4. Expenses that were not pre-approved
 
IV. Multiple reimbursements: an employee submits the same expenses and receipts more than once for reimbursement.
 
* * *

 

USC Integrity Line Reporting

 

You can report your concern anonymously to the USC Integrity Line:

Reports are shared with a select group of three individuals:

  • Chair of the Audit, Compliance and Risk Committee of the Board of Trustees
  • Chief Audit Executive
  • General Counsel

These individuals determine the appropriate path forward for investigating your report.


News Links
Contact Audit & Advisory Services
1600 Hampton St.
Suite 610
Columbia, SC 29208
 
Website: sc.edu/audit
Email: AAServcs@mailbox.sc.edu
Phone: 803-777-2752

Have suggestions or requests for future newsletter topics? Send us an email.
 


 

 

 

Campus photos (from top to bottom): USC Upstate, USC Lancaster, USC Salkehatchie, USC Columbia, USC Aiken
