Internal Controls

Through its management structure, governance practices and organizational culture, Iowa State University strives to follow best practices in all aspects of institutional management. As defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the objectives of internal control and risk management practices are to provide reasonable assurance that the organization: (1) meets it strategic objectives; (2) is effective and efficient in its operations (3) complies with applicable laws and regulations and (4) provides accurate and reliable reports to both internal and external stakeholders. Management practices related to achieving strategic objectives are discussed in other sections of this document. This section will focus on internal control and risk management practices that achieve the latter three objectives.

The fundamental components of internal control and risk management approach at Iowa State University are:

• Clear articulation of sound policies

• Pervasive access and awareness of policies

• Creation of a culture of compliance

Management’s role in each area will be discussed and specific examples presented.

As a public institution, Iowa State University conducts its business in a highly visible, closely scrutinized environment. State law and Board of Regents policy provide the framework for policy development. Within this framework, the University develops and articulates policies that govern daily operations. Policy development is decentralized according to function and responsibility, but centralized for approval and dissemination. All new policies and policy revisions are reviewed for consistency with existing policies and regulations. Policies affecting academic issues and faculty personnel issues are reviewed and approved through the appropriate faculty governance processes. A concerted effort is made to expedite implementation of procedural changes while maintaining careful oversight and control of policy changes and additions. Significant policy changes and additions are submitted to the President, who seeks advice from relevant constituencies and the members of President’s Cabinet before policy approval. Minor policy changes and additions may be reviewed and approved at the vice president level. The University has responded to the increasingly complex legal and regulatory environment by creating a Policy Administrator position in the Office of the President to strengthen the oversight and coordination of the policy review process and to assist the University community in understanding and interpreting policy.

Unfettered access to and awareness of University policies are essential components of effective internal control. Fortunately, modern technologies now offer significant opportunities to streamline distribution and enhance awareness of policies. Iowa State University is taking advantage of the Internet to publish policies and to provide easy access to training.

A number of essential policy documents have been compiled in the Iowa State University Policy Library. This single web site contains the most important policies of general applicability from across the university. In 2003 this web site became the official source of policy guidance; the site continues to expand and improve. The website is easily located, accessible to all faculty, staff, and students, and searchable. It contains only current policies and provides links from policies to related procedures that help to promote compliance.

A variety of mechanisms are used to ensure that the University community is aware of and updated on policies. E−mail networks such as the Controller’s Information Network, and administrative staff groups such as the Academic Fiscal Officer’s Roundtable and the Grant Coordinators Forum, are important resources in developing and disseminating policy. Active training and informational programs are maintained on a variety of policy issues (e.g. Iowa State University Controller’s Department Resources, Environmental Health & Safety’s Online Training Center, Human Resource Services’ Training & Development).

The Board of Regents, State of Iowa, expects compliance with applicable policies and procedures and has a number of mechanisms in place to monitor and ensure compliance. The Board’s Audit and Compliance Committee meets four times annually, and publicly receives and reviews all internal audit reports and meets with external auditors at least annually.

A staff of three internal auditors serves Iowa State University. Under the supervision of the Regent’s Director of Internal Audit, an annual audit plan based on a comprehensive risk assessment is developed and submitted to the Board of Regents for approval. University management is required to prepare a response to internal audit findings, and internal auditors later follow up on management’s corrective actions and report back to the Board. Audits are closed only when the internal auditors and the Board are satisfied that corrective actions have been completed or are substantially underway. Internal audits encompass systems issues, policy compliance, and sound business practices. Recommendations are directed at improving efficiency and effectiveness, as well as ensuring compliance with policies and procedures.

By Iowa Code, Iowa State University is audited by the Auditor of State, who is an elected official. The current Auditor of State and the audit managers are certified public accountants. The University prepares an annual financial report in conformance with generally accepted accounting principles (ISU Financial Accounting And Reporting Homepage) and has received an unqualified audit opinion. The University also contracts with the Auditor of State for audits of thirteen bonded entities and for the required Federal compliance audit under OMB Circular A−133.

Although the internal and external audits are important components of the compliance culture, the most important factors in creating a culture of compliance are management's commitment to high standards of ethical behavior, high−level attention to compliance issues, and swift response to violations of policy and internal control weaknesses. These characteristics describe the culture at Iowa State University. Following are some examples that illustrate the way compliance issues are handled at Iowa State University:

• One of President Geoffroy’s early initiatives was to create a faculty committee that was charged to examine policies and practices related to the stewardship of gifts and endowments. Supported by the Director of Internal Audit and the Controller, the faculty committee conducted a thorough review of our practices and made recommendations to strengthen our policies and practices. The recommendations, which were accepted and implemented, included clearer definition of the responsibilities of University managers for expending gift funds in accordance with donor restrictions, changes to the accounting practices to provide for greater University oversight of endowment expenditures, and a training program for all managers and support staff involved in administering gift funds.

• The University created a committee composed of the Controller and Associate Controller, the University Counsel, the Director of Internal Audit and the Research Compliance Officer to study the voluntary application Sarbanes−Oxley Act corporate responsibility provision in our setting. As a result of that committee’s work, the university has launched the ISU Confidential Hotline, articulated a Code of Business and Fiduciary Conduct, and implemented additional management certifications related to financial reporting.

• The Offices of Sponsored Programs Administration and Sponsored Programs Accounting partner to provide compliance information and guidance on the administration of sponsored programs through quarterly training sessions that address current issues and questions.

• The Office of the Provost has initiated an ongoing series of training sessions for department chairs that includes such topics as fiscal responsibility and using university policies.