RISKS | CONTROLS | COMPLIANCE ALERT

GETTING AHEAD OF THE CURVE

Recent internal audits have uncovered the need for university units to have well-documented plans in place for responding to disruption to critical functions. The onset of the COVID-19 pandemic and the rapid change to FIU’s operations highlighted that major disruptions could occur at any time. Situated in South Florida, we typically plan for disruptions related to hurricanes. However, human-crafted events such as cyberattacks could likewise happen unexpectedly. Units could mitigate the adverse impact of such events by having well-documented contingency plans in place.

There are various inter-related contingency planning documents that the University requires each unit to maintain. The Division of Information Technology’s IT Security Plan requires all units within the University to have a business continuity plan (BCP) and a disaster recovery plan (DRP). The BCP, which is business/mission-focused, details how the unit will respond to incidents and disruptions to continue operations of critical business processes at an acceptable level. The DRP, which is information system-focused, is designed to allow for the restoration of critical data and applications that enable the unit to operate normally. Per FIU Policy 1910.005, each Network/System Administrator is responsible for maintaining the DRP. Also, the FIU Comprehensive Emergency Management Plan (CEMP) requires each university unit to develop and annually update (May 1) a continuity of operations plan (COOP). According to the CEMP, an effective COOP should address the following areas:

  • Protect human life.
  • Identify and prioritize critical functions that must continue regardless of the disruption.
  • Create plans and procedures that will mitigate against disruptions to maintain operations.
  • Protect critical equipment, records, and other essential assets.
  • Identify alternate work locations.
  • Identify succession in unit leadership; delegations of authority.
  • Reduce the time it takes to recover and restore full operations.
  • Training, testing, and validation of plan.

FIU utilizes FIU Ready, an online COOP planning tool designed specifically for universities, to facilitate this process. The COOP, as implemented by FIU, may mirror the BCP in significant ways.

All FIU units are encouraged to develop, implement, and periodically update and test these plans as required.

RECENT SUCCESS

In March 2021, the State of Florida Auditor General issued her report on the State of Florida Compliance and Internal Controls Over Financial Reporting and Federal Awards – Report No. 2021-182. The report opined on the State of Florida’s basic financial statements for the fiscal year ended June 30, 2020, and reported material weaknesses, significant deficiencies, and additional matters related to internal control over financial reporting and its operation. She also reported on state agencies’ and universities’ compliance with the requirements of major Federal award programs. Although the report listed 24 state universities and colleges as having one or more findings, FIU was not on the list. The CFO and all who worked to achieve this outcome deserve commendation for a job well done. Congratulations!

NEW BOARD OF GOVERNORS REGULATION AND FRAUD AWARENESS

On March 23, 2021, the Florida State University System Board of Governors (BOG) issued Regulation 3.003 Fraud Prevention and Detection. The regulation defined fraud and required university boards of trustees to adopt a regulation establishing criteria related to appropriate institutional controls and a risk management framework that provide reasonable assurance that fraudulent activities within the university’s areas of responsibility are prevented, detected, reported, and investigated.

The regulation is timely because while disasters have showcased the benevolence and humanity of many individuals and entities, sadly, they have also unveiled the darker side of some by creating circumstances for fraud. The COVID-19 pandemic has created such conditions, and organizations of all kinds are reminded of the need to be fraud-conscious. Adding to this risk, the series of coronavirus-related acts Congress passed to provide financial assistance and relief in response to COVID-19 permitted government agencies to waive the usual purchasing rules for competitive solicitation.

FIU unit heads and contract managers must remain conscious of and vigilant against fraud. They must ensure that business partner screening is done, especially for new suppliers. Writing on the subject, Cecilia Locati cautioned against terminating sanction checks, adverse media screening, ownership structure analysis, and know-your-customer procedures (Journal of Accountancy, March 2021). Even if you are unable to perform an in-person visit to the third-party premises, you could complete a virtual tour and interview instead. Things to consider:

  • Have a fully executed, legally vetted agreement before authorizing any work.
  • Ensure the agreement has all terms, including price, and no unfilled blank spaces.
  • Be cautious of suppliers who try to rush you to purchase goods/services.
  • Be suspicious of suppliers who are not transparent with providing information or are reluctant to comply with University purchasing requirements.
  • Scrutinize suppliers with names that are derivatives (particularly abbreviated form) of well-known suppliers.
  • Be suspicious of suppliers who request to be paid upfront.
  • Obtain two or more quotes or bids, accordingly.
  • Avoid approval via email or signature on scanned documents.
  • Ensure proper segregation of duties (the initiation, approval, and reconciliation of a transaction should not be done by the same person).
  • Have a well-developed business continuity plan that includes mitigation controls and response strategies for external, internal, and cyber-initiated fraud.

ABOUT US

The FIU Office of Internal Audit serves as an independent appraisal function for the University. Our audits of the University’s colleges and departments evaluate financial processes, internal controls, and compliance with laws, rules, and regulations with a view towards ensuring that services are appropriately delivered in the most efficient and economic manner possible. Our Office is also responsible for conducting investigations for all allegations of fraud, waste, abuse, and whistleblower complaints.