In Brief
Strategies for Maintaining Critical Controls During Staffing Uncertainties
American universities and colleges were able to pivot swiftly when confronted by the pandemic in 2020, implementing operational and organizational changes to protect student health and safety, continue delivering instruction, fulfill research goals and maintain cash flows. Institutions now have a greater understanding of the importance of having resilient, adaptable systems and processes in place. While COVID-19 was considered by some to be a black swan event, it will not be the only disruption that higher education encounters in the coming years. As universities and colleges navigate these transformative and challenging times, certain foundational elements can help balance efficiency and cost-containment measures with maintaining the infrastructure necessary to limit institutional risk.
The Ripple Effect of Undervaluing Back-Office Work
When faced with severe resource constraints, institutions by necessity prioritize work that visibly impacts operations, working to maintain staffing levels and services in academics, research and student-facing positions. Tasks without an immediate or visible impact are often deferred or discontinued altogether. President Eisenhower famously said, “I have two kinds of problems: the urgent and the important. The urgent are not important, and the important are never urgent.” It is common to focus on what is considered urgent work and de-emphasize duties that are not as time sensitive as others but may be more important.
Forgoing certain work is sometimes necessary due to furloughs, early retirements or downsizing and often does not initially impact daily operations or service levels. The effects of unintentional neglect begin to surface over time, though, particularly if the de-prioritized work affects compliance and financial or data controls. A door may inadvertently be opened for potential fraud when staff shortages result in the elimination of checks and balances. It is, therefore, critical for leaders to ensure that a robust system of controls is maintained to mitigate risk.
Considerations for Prioritizing Financial & Compliance Controls
The best internal monitoring systems are well documented, with key control procedures highlighted to ensure continuity of performance. Someone in a position of authority “owns” the documentation, takes responsibility for updates and advocates for maintaining critical duties even in times of resource constraints, such as when new systems and processes are implemented or when staff turnover occurs.
Several frameworks contribute to the body of knowledge and provide guidance regarding the assessment and mitigation of the risk of noncompliance and financial misstatement. These include standards established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the Standards for Internal Control in the Federal Government (otherwise known as the Green Book), the Uniform Guidance and Compliance Supplement, and the American Institute of Certified Public Accountants (AICPA). Considering the breadth and scope of guidance, implementing it requires a systematic approach.
Steps for Implementing an Effective Internal Control System
- Pay special attention to key controls.
Universities and colleges perform many financial and compliance processes; it is, therefore, critical to document both distributed and centralized controls. Process documentation should clearly identify items considered key controls, which are steps performed specifically to ensure the accuracy, validity and completeness of financial data, as well as compliance with significant nonfinancial requirements.
Key controls contribute significantly to the integrity of both financial data and operations. They usually take the form of an independent review or a verification of other control procedures’ performance. Procedural documentation that includes an emphasis on key controls provides a road map for the continuity of risk mitigation activities and ensures that the most important work continues uninterrupted in times of change or disruption. - Harness the benefits of technology.
Maintaining control while following policies and procedures that are not administratively burdensome requires a delicate balance, but it can be achieved with proper planning. For instance, during the COVID-19 crisis of 2020, universities and colleges had to implement remote work very rapidly. Gaps in business processes were laid bare when institutions discovered their outsize reliance on manual processes. When staffing must be reduced or on-site presence is no longer possible, automation and exception reports can be extremely valuable. Flagging high-risk transactions to identify potential noncompliance contributes to an effective system of controls even when significant changes disrupt traditional risk management processes.
When implementing new software solutions to achieve compliance and efficiency, institutions should develop a comprehensive plan that incorporates enhanced security roles, compliance checks and approval hierarchies to automate control procedures. Implementing transaction approvals through the use of automated workflows helps ensure that information, reviews and approvals are communicated and acted on promptly. With any change to business processes or personnel, it is also critical to establish automated business rules to limit staff members’ ability to act beyond their authority. - Review roles and responsibilities.
Institutional leaders can reduce the risk of noncompliance or fraud by clearly defining financial and compliance roles. Establishing clearly documented roles contributes to the continued functioning of key reviews and approvals even when staffing changes occur. Thus, it is important to maintain updated control documentation as well as regularly update system access controls to reflect personnel changes.
Roles should be reviewed not only for effectiveness but also efficiency. Streamlining operations while maintaining critical review procedures can be challenging. For example, performing a risk-based review of transactions (rather than a 100% audit) is efficient but should not be overly permissive. In reviewing roles and responsibilities, care should be taken to segregate staff members’ access to assets from the duty of accounting for those assets. Confirming that adequate reviews are in place for cash and other items subject to misappropriation also reduces the opportunity for fraud and undetected errors. - Establish a monitoring program.
Establishing an effective control system without monitoring it is like installing home security alarms but forgetting to arm the system. A critical element in any control system is ongoing verification that procedures are still performed as documented, especially in times of staff turnover, reductions in force and systems conversions.
A well-documented system of internal controls that addresses practices in central offices as well as distributed accountable units is essential to mitigating financial and compliance risk. A good first step includes assessing the current status of financial and compliance controls, ensuring that key control processes are in fact occurring as expected. - Achieving Controls Thoughtfully
As people, processes and technology change over time, colleges and universities can mitigate compliance and financial risk by maintaining critical controls. Control documentation must be frequently updated and procedures improved to meet changing needs — incorporating new technology as needed. Leaders should also ensure that roles and responsibilities are aligned to both maximize effectiveness and efficiency, and continually monitor processes and progress.
KEY TAKEAWAYS
-
Think differently.
Examine the activities of your people, processes and technology: Does your system of controls adequately mitigate the risks of noncompliance, unauthorized data access, financial misstatement and fraud? -
Plan differently.
Determine the changes needed to develop robust controls and the infrastructure needed to implement and maintain your risk mitigation strategy. Prioritize work that mitigates risk, as the investment may prevent unexpected future costs. -
Act differently.
Document and implement control policies, processes and procedures. Ensure that a monitoring program provides management with ongoing assurance that control objectives are met even in the face of changes to staffing, systems and business operations.