full audit reports - index - public.azregents.edu documents/2016-11-16_abor-audit...full audit...
TRANSCRIPT
FULL AUDIT REPORTS INDEX
Following are the full and complete audit reports for which summaries have been included in the November 16, 2016 Arizona Board of Regents Audit Committee Agenda Book. Agenda Book Tab# Report Title 02.C AudGen Theft and Misuse of Public Monies at NAU
04.A1 ASU Athletics 2016 Summer Financial Aid
04-A2 ASU Athletics 2016 Student Athlete Eligibility
04-A3 ASU Capital Project-Psychology Bldg Renovation
04-B1 NAU Summer Camps and Conferences
04-B2 NAU Student Employment
04-B3 NAU IT General Controls
04-B4 NAU Aquatic and Tennis Center
04-B5 NAU Accounts Payable
04-C1 UA SPEED Defd Maint & Bldg Renewal
04-C2 UA Health Sciences Education Bldg Finish Shell Space
This page left blank intentionally.
Northern Arizona University Theft and Misuse of Public Monies
Debra K. Davenport Auditor General
Special Investigation
October 2016Report 16-405
A Report to the Arizona Legislature
The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five senators and five representatives. Her mission is to provide independent and impartial information and specific recommendations to improve the operations of state and local government entities. To this end, she provides financial audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and conducts performance audits and special reviews of school districts, state agencies, and the programs they administer.
The Joint Legislative Audit Committee
Representative John Allen, Chair Senator Judy Burges, Vice Chair
Representative Regina Cobb Senator Nancy Barto
Representative Debbie McCune Davis Senator Lupe Contreras
Representative Rebecca Rios Senator David Farnsworth
Representative Kelly Townsend Senator Lynne Pancrazi
Representative David Gowan (ex officio) Senator Andy Biggs (ex officio)
Audit Staff
Lindsey Perry, Manager and Contact Person
Contact Information Arizona Office of the Auditor General 2910 N. 44th St. Ste. 410 Phoenix, AZ 85018
(602) 553-0333
www.azauditor.gov
2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051
MELANIE M. CHESNEY
DEPUTY AUDITOR GENERAL
DEBRA K. DAVENPORT, CPA
AUDITOR GENERAL
STATE OF ARIZONA
OFFICE OF THE
AUDITOR GENERAL
October 24, 2016
Members of the Arizona Legislature
The Honorable Doug Ducey, Governor
The Arizona Board of Regents
Rita Cheng, President Northern Arizona University
The Honorable David W. Rozema, Coconino County Attorney
The Office of the Auditor General (Office) has conducted a special investigation of Northern Arizona University (University) for the period July 1997 through January 2013. The Office performed the investigation to determine the amount of public monies misused, if any, during that period and the extent to which those monies were misused.
The investigation consisted primarily of inquiries and examination of selected financial records and other documentation. Therefore, the investigation was substantially less in scope than an audit conducted in accordance with generally accepted auditing standards. Accordingly, the Office does not express an opinion on the adequacy of the University’s financial records or internal controls. The Office also does not ensure that all matters involving the University’s internal controls, which might be material weaknesses under standards established by the American Institute of Certified Public Accountants or other conditions that may require correction or improvement, have been disclosed.
The Special Investigative Report describes the Office’s findings and recommendations as a result of this special investigation.
Sincerely,
Debbie Davenport Auditor General
Attachment
REPORT HIGHLIGHTSSpecial Investigation
October 2016
Mr. Talley embezzled $354,902 of university monies by orchestrating two fictitious vendor schemesDuring this 15½-year period, Mr. Talley may have violated state laws related to theft, misuse of public monies, fraudulent schemes, and money laundering when he caused the University to issue 245 checks and make 12 purchasing card payments totaling $354,902 to two fictitious vendors he created. The majority of these checks were fraudulently endorsed and deposited in a credit union account he jointly held with another person, and monies were generally withdrawn or transferred to one of Mr. Talley’s separately held bank and credit union accounts within a few weeks. The purchasing card payments were directly credited to another of Mr. Talley’s bank accounts. All of the embezzled monies were commingled with other monies and spent by Mr. Talley for his personal purposes. To orchestrate and help conceal his schemes, Mr. Talley falsified information in the University’s accounting software, submitted fictitious invoices, and fabricated purchasing card records.
Former university officials failed to safeguard and control university moniesMr. Talley embezzled this money by abusing his authority as university postal services manager, a position he held for over 36 years. He also took advantage of former university officials’ poor oversight of his activities. In particular, management did not monitor or take steps to ensure employees were appropriately following policies and procedures designed to protect public monies. Accordingly, management was unaware that employees falsely verified the receipt of postal supplies never received and improperly shared their accounting software login credentials. Additionally, management did not adequately train employees to investigate invoice anomalies or reconcile purchasing card reports to bank software, either of which actions could have revealed Mr. Talley’s fraud scheme.
Northern Arizona University Theft and Misuse of Public Monies CONCLUSION: As part of its responsibility to prevent and detect fraud, Northern Arizona University (University) management took appropriate action by reporting a fraud allegation to both its police department and the Office of the Auditor General (Office). The university police department subsequently requested our Office to investigate the allegations of financial misconduct by Edwin Talley, former university postal services manager, and we determined that from July 1997 through January 2013, Mr. Talley used fraud schemes to embezzle public monies totaling $354,902. The embezzled monies came from university revenues that consisted primarily of state appropriations and students’ tuition and fee payments, and should have been used to pay for services provided to university students. We have submitted our report to the Coconino County Attorney’s Office, which has taken criminal action against Mr. Talley resulting in his indictment on six felony counts.
Investigation highlights
Former Northern Arizona University postal services manager Edwin Talley:
• Embezzled $345,902 by paying himself through fictitious vendors.
• Falsified computer data and purchasing card records, and submitted fictitious invoices in order to conceal his embezzlement.
Although the University took corrective measures, university officials can take additional actions to improve control over public monies and help deter and detect fraudWith the 2012 implementation of new accounting software, university officials improved certain internal controls which, when combined with a university-wide review of purchasing card activity, led to their discovery of Mr. Talley’s fraud schemes. In addition, in the time since the Office’s investigation began, management reported that they implemented other improvements to controls over university monies such as adding purchasing card software that disallows purchasing card users from manipulating activity statements. Management also implemented a new conduct, ethics, reporting, and transparency program, which outlines employees’ legal and ethical obligations to the University. Finally, management also conducted an employee training regarding internal controls and financial transactions, and mandated that employees not share their login credentials.
RecommendationsAlthough the University took corrective measures and no internal control system can completely prevent dishonest behavior such as Mr. Talley’s, the following recommendations are additional actions university officials can take to improve control over public monies and help deter and detect fraud. Specifically, university officials should:
• Perform periodic reviews on a random and unannounced basis to ensure that invoiced goods marked as received in the accounting software are actually physically located and accounted for.
• Continue to require employees to sign statements acknowledging their understanding and acceptance of university policies concerning employment. Additionally, consider requiring all employees to separately acknowledge their understanding and acceptance of the university policy that prohibits the sharing of login credentials and outlines employees’ responsibilities for protecting and locking their computer or work stations when not in use.
• Periodically assess whether controls over the University’s purchasing process are functioning effectively and as designed, and continue to provide training to those employees responsible for making and authorizing purchases. Likewise, ensure that the University continues providing training to employees involved in the purchasing process. That training should include guidance on how to review vendor invoices for accuracy and appropriateness, as well as for anomalies that should be investigated. Additionally, university officials should consider including criteria in these employees’ performance evaluations regarding their adherence to university purchasing procedures.
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
A copy of the full report is available at: www.azauditor.gov | Contact person: Lindsey Perry (602) 553-0333
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE i
1
3
3
4
7
9
11
Introduction and Background
Finding 1: Mr. Talley embezzled $354,902 of university monies by orchestrating two fictitious vendor schemes
Mr. Talley caused the University to issue 245 checks to his fictitious company, Flag Mailing Products
Mr. Talley caused the University to make 12 purchasing card payments to his fictitious company, Omega Supplies
Finding 2: Former university officials failed to safeguard and control university monies
Recommendations
Conclusion
Table
1 Public monies Mr. Talley embezzled July 1997 through January 2013 3
TABLE OF CONTENTS
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE ii
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 1
Northern Arizona University (University), located in Flagstaff, is one of three fully accredited public universities governed by the Arizona Board of Regents. During fiscal year 2015, the University received revenues of nearly $524 million to provide educational services to nearly 28,000 students. The university postal services department oversees the entire university mail operation, including distributing incoming and outgoing mail according to local, state, and federal laws, and coordinates with external postal agencies for mail delivery.
In addition to his university employment, Mr. Talley operated Talley Security, an online personal security businessMr. Talley had postal services responsibilities for over 36 years beginning in August 1976 and ending with his termination in January 2013. During his tenure Mr. Talley supervised about six employees and managed all university postal and shipping services, including purchasing supplies and preparing annual postal services budgets. Since at least 1999, Mr. Talley was assigned a university purchasing card for business purposes such as postal supplies and travel-related expenditures.
Starting in 1998 and continuing throughout his employment with the University, Mr. Talley operated an online business called Talley Security, sometimes also using derivatives of the same name such as Talley Personal Security Products or Talley Auto Alarms and Security. He sold various items such as stun guns, mace/repellent spray, security systems, cameras, and safety lights. In addition to check and money orders, he later accepted credit card payments, which were processed through a merchant services company and deposited in his business bank account.1
Mr. Talley’s other purported companies, Flag Mailing Products and Omega Supplies, existed in name onlyAs described on pages 3 and 4, the University paid Flag Mailing Products and Omega Supplies $354,902 for postal supplies, the majority of which was deposited to Mr. Talley’s credit union or business bank accounts. Aside from receiving monies from the University, Flag Mailing Products and Omega Supplies existed in name only. In fact, neither Flag Mailing Products nor Omega Supplies had a real business address or phone number, or even a web presence in which actual goods such as postal supplies were offered for sale. Additionally, neither company was registered with the Arizona Corporation Commission or Arizona Secretary of State, and neither had a Flagstaff business license to collect sales tax.
University officials discovered payments associated with Talley SecurityIn November 2012, Mr. Talley prepared a conflict-of-interest form disclosing his business ownership of Talley Security to the University. University officials were also aware of his business association through their general
1 Although no university payments to Talley Security were noted during our investigation, as described on pages 4 and 5, Mr. Talley used his Talley Security merchant services company and business bank account to process university purchasing card payments to his fictitious company, Omega Supplies.
INTRODUCTION AND BACKGROUND
Mr. Talley had university postal services responsibilities for over 36 years.
knowledge. As a result, during a university-wide review of purchasing card activity in January 2013, a university employee discovered $12,287 of charges made with Mr. Talley’s university purchasing card in a 6-month period that were associated with his Talley Security business. In particular, she conducted research, and in addition to other discrepancies she determined that while the charges and associated payments were made to a company named Omega Supplies, the listed phone number matched the Talley Security phone number. Consequently, university officials conducted an inquiry, determined that Mr. Talley had violated several university policies, contacted university police and our Office, and terminated Mr. Talley’s employment.
Mr. Talley made several admissions and paid $12,287 to the UniversityMr. Talley made several admissions to university officials during their inquiry of his misconduct, although he did not concede that the two vendors he paid himself through were fictitious companies.2 Specifically, he apologized for his actions, accepted responsibility for misusing the purchasing card to make $12,287 charges to Omega Supplies, and said he made a bad decision. Later, he admitted to university officials that there were other university payments made to one of his companies called Flag Mailing Products and he had deposited these checks to his credit union account.
On January 23, 2013, the University withheld $4,668 from his final paycheck, which included his accumulated vacation pay. A week later, Mr. Talley repaid the remaining portion of Omega Supplies charges through a $7,619 cashier’s check payable to the University.
2 Mr. Talley declined to interview with Auditor General staff.
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 2
Mr. Talley admitted to university officials that he:
• Misused the university purchasing card by paying $12,287 to his company Omega Supplies.
• Deposited to his credit union account university check payments issued to another of his companies, Flag Mailing Products.
A university employee determined that $12,287 of Mr. Talley’s purchasing card charges were associated with his business, Talley Security.
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 3
Mr. Talley embezzled $354,902 of university monies by orchestrating two fictitious vendor schemesFrom July 1997 through January 2013, Mr. Talley, former Northern Arizona University (University) postal services manager, embezzled $354,902 of public monies when he orchestrated two fictitious vendor schemes and falsified purchasing card records to help conceal his embezzlement. The embezzled monies came from university revenues that consisted primarily of state appropriations and students’ tuition and fee payments, and should have been used to pay for services provided to university students. As shown in Table 1 below, for over 15 years Mr. Talley caused the University to issue 245 checks and make 12 purchasing card payments to his fictitious companies, Flag Mailing Products and Omega Supplies, respectively. Neither of these companies had a real business address or even a web presence in which actual goods such as postal supplies were offered for sale. To help orchestrate and conceal his schemes, Mr. Talley falsified information in the University’s accounting software, submitted fictitious invoices, and fabricated university purchasing card records.
FINDING 1
Table 1Public monies Mr. Talley embezzled July 1997 through January 2013
Source: Auditor General staff analysis of university and bank records, and interviews with university representatives.
Description Number of payments Amount
Check payments to fictitious vendor, Flag Mailing Products 245 $342,615
Purchasing card payments to fictitious vendor, Omega Supplies 12 12,287
Total embezzled 257 $354,902
Mr. Talley caused the University to issue 245 checks to his fictitious company, Flag Mailing ProductsFrom July 1997 through May 2012, Mr. Talley caused the University to issue 245 checks totaling $342,615 to his fictitious company, Flag Mailing Products, for postal supplies the University never requested nor received. Specifically, although certain records were not available for the entire embezzlement period, Mr. Talley’s university accounting software login credentials, or those he had access to, were used to authorize the majority of the supposed purchase of goods from Flag Mailing Products.3 In addition, the receipt of these goods was falsely marked as verified in the accounting software mostly by these same users’ credentials. The remaining purchase authorizations and receipt of goods verifications were made by other employees who admitted to Auditor General staff that although they should have inspected the goods, they never physically verified any items were actually
3 As further described in Finding 2 on page 7, one of Mr. Talley’s subordinates shared with him her university accounting software login credentials.
received. Additionally, many of the invoiced items were for extraneous products, such as wooden nesting bins that were not used by postal services or for mailbox doors and locks that were donated by another organization.
Likewise, 29 Flag Mailing Products’ invoices for these supposed items were fabricated to match the false purchase information in the accounting software.4 Still, these invoices included certain anomalies that university employees should have noticed and investigated. For instance, invoices often had math and spelling errors, were missing amounts and dates, and were missing invoice numbers or had invoice numbers that were contrived from the date. Invoices were generally submitted to the finance department one to three times a month and ranged from $444.62 to $2,472.57. As a result, the University issued 245 checks totaling $342,615 payable to Flag Mailing Products. Although records are not available for all 245 checks, 179 of these checks were sent to either Mr. Talley’s personal residence or to a mailbox he rented from a retail postal services store.
Although not all checks were available and some endorsements were illegible, 216 of the 245 checks payable to Flag Mailing Products were fraudulently endorsed with the name of Mr. Talley’s friend. This false endorsement was sometimes combined with “Flag Mailing Products” and then deposited into a credit union account that Mr. Talley and his friend held jointly. Although Mr. Talley declined to interview with Auditor General staff, he provided through his attorney a sworn statement declaring that this friend “. . . had no involvement whatsoever in any misconduct involving Northern Arizona University (NAU) funds.” Similarly, Mr. Talley’s friend reported to Auditor General staff that she had never heard of Flag Mailing Products and did not deposit or endorse any of these checks. Within a few weeks after the checks were deposited, the monies were generally withdrawn or transferred to Mr. Talley’s other bank and credit union accounts and used for his personal expenses.
Mr. Talley caused the University to make 12 purchasing card payments to his fictitious company, Omega SuppliesFrom July 2012 through January 2013, Mr. Talley caused the University to make 12 purchasing card payments totaling $12,287 to his fictitious company, Omega Supplies, for postal supplies the University never requested nor received and falsified purchasing card records to help conceal his embezzlement. Specifically, after the University implemented new accounting software in July 2012 and required all vendors to provide a new W-9 form–Request for Taxpayer Identification Number and Certification, Mr. Talley ceased submitting Flag Mailing Products invoices and began using his university purchasing card to purportedly buy supplies from a different fictitious company, Omega Supplies. These university purchasing card payments were processed through the same merchant services company Mr. Talley used for his legitimate business of selling personal security devices described on page 1, Talley Security, and deposited in his business bank account.
The 12 university purchasing card payments were processed electronically and deposited in Mr. Talley’s business bank account—To obtain these university purchasing card payments electronically, Mr. Talley accessed the credit card processing service he used for Talley Security. Specifically, the University’s purchasing card information was processed through the merchant service company’s remote terminal, which Mr. Talley ordered in Omega Supplies’ name and linked to his business bank account. After charging the university purchasing card, payments were directly credited to Mr. Talley’s business bank account generally within 4 days, commingled with other deposits, and used for his personal and business expenses.
4 Flag Mailing Products’ invoices submitted prior to July 2007 were not available.
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 4
Flag Mailing Products fictitious invoices often:
• Contained math and spelling errors.
• Were missing amounts and dates.
• Were missing invoice numbers or had invoice numbers that were contrived from the date.
Mr. Talley submitted fictitious Omega Supplies’ invoices and fabricated purchasing card records to help orchestrate and conceal his scheme—Although Mr. Talley typically charged these fictitious Omega Supplies’ purchases ranging from $670 to $1,104 twice a month, he did not always submit an invoice to the finance department. The eight invoices he did submit were fictitious and had anomalies similar to Flag Mailing Products invoices. For instance, they often had math errors, used nonexistent addresses, always had even dollar amounts, were missing amounts, and had invoice numbers that were contrived from the date. Additionally, the invoiced items were mostly for extraneous products, such as mailbox locks, which another organization donated.
Mr. Talley did not submit any invoices for the remaining four Omega Supplies charges. Rather, Mr. Talley fabricated records by removing these amounts from the bank purchasing-card-activity statements and omitting the same charges from his purchasing-card logs, which he submitted monthly to a university finance department employee for approval. Nevertheless, Mr. Talley was not able to fully conceal his theft by this omission as he did not alter the bank software, which recorded all 12 of the Omega Supplies’ purchasing card charges. Consequently, as described on page 1, university staff were able to find all $12,287 of Mr. Talley’s purchasing card charges that he made with Omega Supplies.
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 5
Omega Supplies fictitious invoices often:
• Contained math errors.
• Used nonexistent addresses.
• Always had even dollar amounts.
• Were missing amounts.
• Had invoice numbers that were contrived from the date.
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 6
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 7
Former university officials failed to safeguard and control university moniesFormer Northern Arizona University (University) officials failed to properly protect and control university monies by not always providing adequate oversight of the postal services department, thus affording Mr. Talley the opportunity to abuse his position and circumvent controls. Specifically, university officials failed to ensure policies and procedures designed to safeguard public monies were being appropriately abided by, as follows:
• Receipt of postal supplies not verified—Although university policy required an employee independent of ordering postal supplies to inspect the goods and verify the actual receipt of them prior to any payment, none of the reported postal supplies from Flag Mailing Products were ever verified as having been physically received. Two employees whose login credentials showed that they had verified the receipt of these supplies admitted to Auditor General staff that they had not physically verified that any of the items were in fact received. A third employee was unaware that her credentials were used to verify the receipt of these items in the accounting software and denied that she approved these purchases, but admitted she had shared her login credentials with her supervisor, Mr. Talley.
• Accounting software login credentials improperly shared—As described above, one of Mr. Talley’s subordinates improperly shared her login credentials with him, thus allowing him access and ability to override existing controls within the accounting software. Moreover, it came to our attention that several other employees were also improperly sharing their login credentials despite university policy prohibiting such action.
• Invoice anomalies not investigated—All available invoices from Flag Mailing Products and Omega Supplies contained at least one anomaly, and most of these invoices included several more unusual aspects that an employee should have investigated. Although an employee independent of ordering postal supplies reviewed invoices and compared them to information recorded in the accounting software prior to payment, the reviewer failed to notice and pursue unusual aspects such as math and spelling errors, missing amounts and dates, even dollar amounts, and missing or nonsequential invoice numbers. A further study would have also revealed nonexistent addresses and could have stopped Mr. Talley’s fraud scheme.
• Purchasing card reports not reconciled to bank software—Mr. Talley’s supervisors reviewed only the purchasing card logs and activity statements he submitted to them and did not reconcile or compare these reports to the bank software. This reconciliation would have revealed the Omega Supplies charges Mr. Talley had omitted from his reports and could have stopped his fraud scheme.
FINDING 2
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 8
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 9
Although the University took corrective measures, university officials can take additional actions to improve control over public monies and help deter and detect fraudIn the time since the Office of the Auditor General’s investigation began, university officials reported that they instituted new procedures and implemented improvements to controls over university purchasing practices such as adding new purchasing card software that disallows purchasing card users from manipulating activity statements. University officials also implemented a new conduct, ethics, reporting, and transparency program that outlines employees’ legal and ethical obligations to the University. Finally, university officials conducted a training for employees regarding internal controls and financial transactions, and mandated that employees not share their login credentials.
RecommendationsAlthough the University took these corrective measures and no internal control system can completely prevent dishonest behavior such as Mr. Talley’s, the following recommendations are additional actions university officials can take to improve control over public monies and help deter and detect fraud. Specifically, university officials should:
1. Perform periodic reviews on a random and unannounced basis to ensure that invoiced goods marked as received in the accounting software are actually physically located and accounted for.
2. Continue to require employees to sign statements acknowledging their understanding and acceptance of university policies concerning employment. Additionally, consider requiring all employees to separately acknowledge their understanding and acceptance of the university policy that prohibits the sharing of login credentials and outlines employees’ responsibilities for protecting and locking their computer or work stations when not in use.
3. Periodically assess whether controls over the University’s purchasing process are functioning effectively as designed and explore ways to strengthen them. Likewise, ensure that the University continues providing training to employees involved in the purchasing process. That training should include guidance on how to review vendor invoices for accuracy and appropriateness, as well as for anomalies that should be investigated. Additionally, university officials should consider including criteria in these employees’ performance evaluations regarding their adherence to university purchasing procedures.
RECOMMENDATIONS
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 10
Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General
PAGE 11
On October 20, 2016, the Coconino County Attorney’s Office presented evidence to the Coconino County Grand Jury. This action resulted in Mr. Talley’s indictment on six felony counts related to theft, misuse of public monies, fraudulent schemes, and money laundering.
CONCLUSION
Arizona State University Sun Devil Athletics
2016 Summer Financial Aid Audit August 17, 2016
This page left blank intentionally.
Arizona State University Sun Devil Athletics
2016 Summer Financial Aid Audit August 17, 2016
Page 1 of 7
Summary The Sun Devil Athletics (SDA) – 2016 Summer Financial Aid audit was included in the Arizona State University (ASU) annual audit plan for Fiscal Year 2017. This audit is historically completed on an annual basis, and is deemed to be of strategic importance given the reputational risk posed to the University for non-compliance with National Collegiate Athletic Association (NCAA) regulations and bylaws. Background: Approximately five hundred fifty student-athletes at ASU compete in ten men’s programs and thirteen women’s programs in one of the most competitive conferences in the country, the Pac-12. Men compete in baseball, basketball, football, golf, swimming & diving, indoor track & field, outdoor track & field, cross country, wrestling, and ice hockey; women compete in basketball, golf, gymnastics, soccer, softball, swimming & diving, tennis, indoor track & field, outdoor track & field, cross country, volleyball, beach volleyball, and water polo. The University’s Athletics Compliance Office (Athletics Compliance) is responsible for administering and monitoring sports program compliance with NCAA regulations and bylaws. The major institutional risks the University seeks to mitigate include regulatory and reputational risk. Audit Objectives: The objectives of the engagement were to evaluate the effectiveness of the Sun Devil Athletics and Athletics Compliance processes to ensure compliance with NCAA bylaws regarding student-athlete financial aid and pertinent Arizona Board of Regents and Arizona State University policies and procedures. Scope: The scope of this engagement was to review and evaluate the University’s compliance with the NCAA rules and bylaws pertaining to summer 2016 Financial Aid. The summer 2016 period for all twenty-three Sun Devil Athletics sponsored teams was reviewed at the request of Athletics Compliance, which is responsible for administering and monitoring sports program compliance with NCAA regulations and bylaws. Methodology: University Audit evaluated supporting documentation provided by Athletics Compliance for the sports programs under review, and assessed the effectiveness of processes governing the administration and monitoring of the Financial Aid process, as well as compliance with applicable NCAA bylaws and pertinent policies and procedures. Athletics Compliance provided a list of student-athletes who were scheduled to take summer session classes. A random sample of student-athletes was selected, and this information was then reconciled to the individual student-athlete accounts in PeopleSoft for the selected student-athletes. All twenty-three of the ASU sponsored teams were included in the scope of the audit, and a sample size of twenty-five percent of the student-athletes was selected from eighteen
Arizona State University Sun Devil Athletics
2016 Summer Financial Aid Audit August 17, 2016
Page 2 of 7
sponsored teams for inclusion in the audit test work. The women’s beach volleyball team, women’s golf, and men’s cross country teams did not have any specific members request athletic financial aid for summer 2016. The student-athletes received athletic financial aid to attend school during summer sessions. Student athletes are counted once even if receiving summer financial aid for multiple sessions of summer school. The breakdown of the audit sample by sport is as follows:
Sport Number of Student-Athletes Receiving Athletic Financial Aid
Number of Students Sampled Women’s Basketball 16 4 Women’s Beach Volleyball 0 0 Women’s Cross Country 1 1 Women’s Golf 0 0 Women’s Gymnastics 7 2 Women’s Soccer 17 5 Softball 4 1 Women’s Swimming 6 2 Women’s Tennis 1 1 Women’s Track, Indoor and Outdoor 3 1 Women’s Volleyball 15 4 Women’s Water Polo 3 1 Baseball 13 4 Men’s Basketball 11 3 Men’s Cross Country 0 0 Football 83 21 Men’s Golf 3 1 Men’s Ice Hockey 9 3
Arizona State University Sun Devil Athletics
2016 Summer Financial Aid Audit August 17, 2016
Page 3 of 7
Men’s Swimming 7 2 Men’s Track, Indoor and Outdoor 1 1 Men’s Wrestling 8 2 Total 208 59 Conclusion: Based on the audit test work performed, University Audit noted no instances of non-compliance with the NCAA bylaws under review related to Summer Financial Aid. For the current 2016 Summer Financial Aid Audit, the student-athlete book reconciliation was completed in a timely manner prior to the start of the Fall 2016 semester. This is a direct result of Athletics Compliance and the SDA Office of Student-Athletic Development working with the Sun Devil Stores manager, Follett Higher Education Group, Inc., to streamline the process involving student-athlete books so the reconciliation could be completed efficiently and in a timely manner. The NCAA Bylaws reviewed are listed in Appendix A, while the NCAA Compliance rules are listed in Appendix B. The control standards University Audit considered during this audit and the status of the related control environment are provided in the following table:
General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Finding No.
Page No.
Reliability and Integrity of Financial and Operational Information Not Applicable N/A N/A Effectiveness and Efficiency of Operations Not Applicable N/A N/A Safeguarding of Assets Not Applicable N/A N/A Compliance with Laws and Regulations Reasonable to Strong
Controls in Place N/A N/A
We appreciate the assistance of Athletics Compliance and the Student Business Services office staff during the audit.
________________________________
____________________________
Kim Prendergast, CPA, CIA, CFE Internal Auditor Senior
Lisa Grace, CPA, CIA, CISA, CISSP Chief Audit Executive
Arizona State University Sun Devil Athletics
2016 Summer Financial Aid Audit August 17, 2016
Page 4 of 7
Distribution: Audit Committee, Arizona Board of Regents Michael M. Crow, President Mark S. Searle, Interim University Provost Morgan R. Olsen, Executive Vice President, Treasurer and Chief Financial Officer José A. Cárdenas, Senior Vice President and General Counsel Christine K. Wilkinson, Senior Vice President and Secretary of the University Joanne Wamsley, Vice President for Finance Ray Anderson, Vice President for University Athletics and Athletic Director Jeffrey Wilson, Faculty Athletic Representative Cynthia Jewett, Senior Associate General Counsel Stephen T. Webb, Executive Director Athletic Compliance Melissa Pizzo, Executive Director, Financial Aid and Scholarship Services Justin Pollnow, Director of Athletic Compliance Internal Audit Review Board
Arizona State University Sun Devil Athletics
2016 Summer Financial Aid Audit August 17, 2016
Page 5 of 7
Appendix A – NCAA Bylaws Reviewed The following NCAA Bylaws were selected for inclusion in the SDA –2016 Summer Financial Aid audit: 15.2.3 Books. A member institution may provide a student-athlete financial aid that covers the actual cost of required course-related books. [R] (Revised: 4/24/03 effective 8/1/03) 15.2.8 Summer Financial Aid. Summer financial aid may be awarded only to attend the awarding institution’s summer term, summer school or summer-orientation program, provided the following conditions are met: (Revised: 1/10/90, 1/10/92) (a) The student has been in residence a minimum of one term during the regular academic year; (b) The student is attending a summer term, summer school or summer-orientation program and financial aid is administered pursuant to Bylaw 15.2.8.1.2, 15.2.8.1.3 or 15.2.8.1.4; or (c) The student is a two-year or a four-year college transfer student and is receiving aid to attend the awarding institution’s summer-orientation program. 15.2.8.1 General Stipulations. A student-athlete who is eligible for institutional financial aid during the summer is not required to be enrolled in a minimum full-time program of studies. However, the student-athlete may not receive financial aid that exceeds the cost of attendance in that summer term. A student-athlete may receive institutional financial aid based on athletics ability (per Bylaw 15.02.4.1 and 15.02.4.2), and any other financial aid up to the value of his or her cost of attendance. (See Bylaws 15.01.6.1, 16.3, 16.4 and 16.12.) (Revised: 4/29/04 effective 8/1/04, 5/26/09, 1/15/11 effective 8/1/11, 1/17/15 effective 8/1/15) 15.2.8.1.1 Exception for Pell Grant. A student-athlete who receives a Pell Grant may receive financial aid equivalent to the limitation set forth in Bylaw 15.2.8.1 or the value of a full grant-in-aid plus the Pell Grant, whichever is greater. (Adopted: 4/29/04 effective 8/1/04)
15.2.8.1.2 Enrolled Student-Athletes. After initial full-time enrollment during a regular academic year, a student-athlete shall not receive athletically related financial aid to attend the certifying institution’s summer term or summer school unless the student-athlete received such athletically related aid from the certifying institution during the student-athlete’s previous academic year at that institution. (Adopted: 1/10/90 effective 8/1/90, Revised: 1/10/91, 1/10/92, 11/12/97, 4/26/12, 4/28/16) 15.2.8.1.2.1 Attendance during Only One Term of Previous Academic Year. A student-athlete who attended the institution on a full-time basis for only one regular term during the previous academic year may receive financial aid during the following summer term (Adopted: 1/10/92, Revised: 04/28/16)
15.2.8.1.2.2 Exception for Nonqualifiers. A nonqualifier may receive athletically related financial aid to attend an institution’s summer term or summer school after the first academic year in residence under the following conditions: (Adopted: 1/10/92, Revised: 1/14/97 effective 8/1/97, 4/28/16) (a) The student-athlete has satisfied progress-toward-degree requirements and, thus, would be eligible for competition for the succeeding year (the student-athlete must have successfully satisfied the applicable requirements of Bylaw 14.4.3 and be in good academic standing at the institution); and (b) The student-athlete has been awarded athletically related financial aid for the succeeding academic year. 15.2.8.1.2.3 Exception for First-Time Recipient in the Next Academic Year. A student-athlete who has not received athletically related aid from the certifying institution during a previous academic year may receive athletically related financial aid to attend the institution’s summer term or summer school, provided he or she has been awarded athletically related financial aid for the following academic year. (Adopted: 1/15/11, Revised: 4/28/16)
Arizona State University Sun Devil Athletics
2016 Summer Financial Aid Audit August 17, 2016
Page 6 of 7
15.2.8.1.3 Prior to Initial, Full-Time Collegiate Enrollment—Institutional Nonathletics Aid. The following conditions apply to the awarding of institutional nonathletics financial aid to a prospective student-athlete to attend an institution in the summer prior to the prospective student-athlete’s initial, full-time collegiate enrollment: [D] (Adopted: 1/10/90, Revised: 1/10/92, 4/26/01, 3/10/04, 4/29/04, 1/10/05, effective 5/1/05, 3/14/05, 1/15/11 effective 8/1/11, 1/14/12, 1/18/14 effective 8/1/14) (a) The recipient shall be admitted to the awarding member institution in accordance with regular, published entrance requirements; (b) The recipient, if recruited (per Bylaw 15.02.8), is subject to NCAA transfer provisions pursuant to Bylaw 14.5.2-(h); (c) During the summer term or orientation period, the recipient shall not engage in any countable athletically related activities except for those activities specifically permitted in Bylaws 13 and 17 (see Bylaws 13.11.3.9, 17.1.1 and 17.1.1.1). 15.2.8.1.4 Prior to Initial Full-Time Enrollment at the Certifying Institution—Athletics Aid. The following conditions apply to the awarding of athletically related financial aid to a prospective student-athlete (including a prospective student-athlete not certified by the NCAA Eligibility Center as a qualifier) to attend an institution in the summer prior to the prospective student’s initial, full-time enrollment at the certifying institution (see also Bylaw 13.02.12.1): (Adopted: 4/27/00 effective 8/1/00, Revised: 9/6/00, 4/26/01, 3/10/04, 4/29/04, 1/10/05 effective 5/1/05, 3/14/05, 5/9/07, 1/15/11 effective 8/1/11, 1/14/12) (a) The recipient shall be admitted to the awarding member institution in accordance with regular, published entrance requirements; (b) The recipient is enrolled in a minimum of six hours of academic course work (other than physical education activity courses) that is acceptable degree credit toward any of the institution’s degree programs. Remedial, tutorial and noncredit courses may be used to satisfy the minimum six-hour requirement, provided the courses are considered by the institution to be prerequisites for specific courses acceptable for any degree program and are given the same academic weight as other courses offered by the institution; (c) The recipient, if recruited (per Bylaw 15.02.8), is subject to NCAA transfer provisions pursuant to Bylaw 14.5.2-(h), unless admission to the institution as a full-time student is denied; (d) During the summer term or orientation period, the recipient shall not engage in any countable athletically related activities except for those activities specifically permitted in Bylaws 13 and 17; and (e) Summer coursework is not used for the purpose of completing initial-eligibility or continuing-eligibility (transfer eligibility, progress-toward-degree) requirements. However, the hours earned during the summer prior to initial full-time enrollment at the certifying institution may be used to satisfy the applicable progress-toward-degree requirements in following years (see Bylaw 14.4.3). 15.2.8.2 Branch School. An institution may not provide a student-athlete with financial aid to attend a summer session at a branch campus of the institution.
Arizona State University Sun Devil Athletics
2016 Summer Financial Aid Audit August 17, 2016
Page 7 of 7
Appendix B – NCAA Compliance 2.1 The Principle of Institutional Control and Responsibility. [*] 2.1.1 Responsibility for Control. [*] It is the responsibility of each member institution to control its intercollegiate athletics program in compliance with the rules and regulations of the Association. The institution’s president or chancellor is responsible for the administration of all aspects of the athletics program, including approval of the budget and audit of all expenditures. (Revised: 3/8/06) 2.1.2 Scope of Responsibility. [*] The institution’s responsibility for the conduct of its intercollegiate athletics program includes responsibility for the actions of its staff members and for the actions of any other individual or organization engaged in activities promoting the athletics interests of the institution. 2.8 The Principle of Rules Compliance. [*] 2.8.1 Responsibility of Institution. [*] Each institution shall comply with all applicable rules and regulations of the Association in the conduct of its intercollegiate athletics programs. It shall monitor its programs to assure compliance and to identify and report to the Association instances in which compliance has not been achieved. In any such instance, the institution shall cooperate fully with the Association and shall take appropriate corrective actions. Members of an institution’s staff, student-athletes, and other individuals and groups representing the institution’s athletics interests shall comply with the applicable Association rules, and the member institution shall be responsible for such compliance. 2.8.2 Responsibility of Association. [*] The Association shall assist the institution in its efforts to achieve full compliance with all rules and regulations and shall afford the institution, its staff and student-athletes fair procedures in the consideration of an identified or alleged failure in compliance. 2.8.3 Penalty for Noncompliance. [*] An institution found to have violated the Association’s rules shall be subject to such disciplinary and corrective actions as may be determined by the Association.
This page left blank intentionally.
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
This page left blank intentionally.
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 1 of 9
Summary The Sun Devil Athletics (SDA) 2016 Student-Athlete Eligibility audit was included in the Arizona State University (ASU) annual audit plan for Fiscal Year (FY) 2016. This audit is completed on a cyclical basis, and is deemed to be of strategic importance given the reputational risk posed to the University for non-compliance with NCAA regulations and bylaws. Background: Approximately five hundred fifty student-athletes at ASU compete in ten men’s programs and thirteen women’s programs in one of the most competitive conferences in the country, the Pac-12. Men compete in baseball, basketball, football, golf, swimming & diving, indoor track & field, outdoor track & field, cross country, wrestling, and ice hockey; women compete in basketball, golf, gymnastics, soccer, softball, swimming & diving, tennis, indoor track & field, outdoor track & field, cross country, volleyball, beach volleyball, and water polo. The University’s Athletics Compliance Office (Athletics Compliance) is responsible for administering and monitoring sports program compliance with National Collegiate Athletic Association (NCAA) regulations and bylaws. The major institutional risks the University seeks to mitigate include regulatory and reputational risk. The Faculty Athletic Representative (FAR) is responsible for ensuring that student-athletes meet all NCAA, conference and institutional requirements for eligibility for practice, financial aid and intercollegiate competition. This should include continuing academic eligibility requirements for both freshmen and transfer student-athletes. These certifications should be performed by the FAR, performed under the direction of the FAR or, at a minimum, periodically reviewed and audited by the FAR. Initial eligibility certification is completed by the NCAA Eligibility Center. Academic eligibility certifications should be performed by persons outside of SDA. Audit Objectives: The objectives of the engagement were to evaluate the effectiveness of the Sun Devil Athletics, Athletics Compliance, and FAR processes to ensure compliance with NCAA bylaws regarding Student-Athlete Eligibility and pertinent Arizona Board of Regents and Arizona State University policies and procedures. Scope: The scope of this engagement was to review and evaluate the University’s compliance with the NCAA rules and bylaws pertaining to Student-Athlete Eligibility for academic year 2016. This audit was conducted at the request of Athletics Compliance, which is responsible for administering and monitoring sports program compliance with NCAA regulations and bylaws.
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 2 of 9
Methodology: University Audit assessed Athletics Compliance, individual team, and FAR compliance with applicable NCAA bylaws, Arizona Board of Regents, and Arizona State University policies and procedures. Supporting documentation was provided by Athletics Compliance and the FAR Office for the sports programs under review. All twenty-three of the ASU sponsored teams were included in the scope of the audit, and University Audit selected a sample size of twenty-five percent of the sponsored teams for inclusion in the audit test work. Student-athletes were selected from squad lists which may include students participating in multiple sports or student-athletes who are not currently active team participants. The breakdown of the audit sample by sponsored team is as follows:
Sport Number of Student-Athletes Included on Squad List
Number of Student-Athletes Sampled
Baseball 38 10 Football 133 34 Men’s Basketball 16 4 Men’s Cross Country 20 5 Men’s Golf 9 3 Men’s Ice Hockey 33 9 Men’s Swimming 30 8 Men’s Track, Indoor 51 13 Men’s Track, Outdoor 52 13 Men’s Wrestling 48 12 Women’s Basketball 15 4 Women’s Cross Country 20 5 Women’s Golf 9 3 Women’s Gymnastics 14 4 Women’s Beach Volleyball 24 6 Women’s Soccer 34 9 Softball 27 7 Women’s Swimming 19 5 Women’s Tennis 9 3 Women’s Track, Indoor 49 13 Women’s Track, Outdoor 50 13 Women’s Volleyball 20 5 Women’s Water Polo 22 6
Total 742 194
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 3 of 9
Conclusion: Based on the audit test work performed, University Audit noted no instances of non-compliance with the NCAA bylaws and Arizona State University policies and procedures related to Student-Athlete Eligibility. The NCAA Bylaws reviewed are listed in Appendix A, while the NCAA Compliance rules are listed in Appendix B. The control standards University Audit considered during this audit and the status of the related control environment are provided in the following table. General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Finding No.
Page No.
Reliability and Integrity of Financial and Operational Information
Not Applicable Effectiveness and Efficiency of Operations Not Applicable
Safeguarding of Assets Not Applicable Compliance with Laws and Regulations
Compliance with NCAA Bylaws, ABOR and ASU Policies and Procedures
Reasonable to Strong Controls in Place
We appreciate the assistance of the Athletics Compliance and the Faculty Athletic Representative staff during the audit.
________________________________
____________________________
Kim Prendergast, CPA, CIA, CFE Internal Auditor Senior
Lisa Grace, CPA, CIA, CISA, CISSP Chief Audit Executive
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 4 of 9
Distribution: Audit Committee, Arizona Board of Regents Michael M. Crow, President Mark S. Searle, Interim University Provost Morgan R. Olsen, Executive Vice President, Treasurer and Chief Financial Officer José A. Cárdenas, Senior Vice President and General Counsel Christine K. Wilkinson, Senior Vice President and Secretary of the University Joanne Wamsley, Vice President for Finance Ray Anderson, Vice President for University Athletics and Athletic Director Jeffrey Wilson, Faculty Athletic Representative Cynthia Jewett, Senior Associate General Counsel Stephen T. Webb, Executive Director Athletic Compliance Lori Briese, Assistant to the Senior Vice President and Secretary of the University Internal Audit Review Board
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 5 of 9
Appendix A – NCAA Bylaws Reviewed The following NCAA Bylaws were selected for inclusion in the SDA – 2016 Student-Athlete Eligibility audit: 12.7.2.1 Content and Purpose. Prior to participation in intercollegiate competition each academic year, a student-athlete shall sign a statement in a form prescribed by the Council in which the student-athlete submits information related to eligibility, recruitment, financial aid, amateur status, previous positive-drug tests administered by any other athletics organization and involvement in organized gambling activities related to intercollegiate or professional athletics competition under the Association’s governing legislation. Failure to complete and sign the statement shall result in the student-athlete’s ineligibility for participation in all intercollegiate competition. Violations of this bylaw do not affect a student-athlete’s eligibility if the violation occurred due to an institutional administrative error or oversight, and the student-athlete subsequently signs the form; however, the violation shall be considered an institutional violation per Constitution 2.8.1. (Revised: 1/10/92 effective 8/1/92, 1/14/97, 2/19/97, 4/24/03, 11/1/07 effective 8/1/08, 7/31/14, 8/7/14) 12.7.2.2 Administration. The following procedures shall be used in administering the form: (Revised: 8/4/89, 1/9/06 effective 8/1/06, 7/30/10, 7/31/14) (a) The statement shall be administered individually to each student-athlete by the athletics director or the athletics director’s designee prior to the student’s participation in intercollegiate competition each academic year; and (b) The statement shall be kept on file by the athletics director and shall be available for examination upon request by an authorized representative of the NCAA. 12.7.2.3 Institutional Responsibility—Notification of Positive Test. The institution shall promptly notify the NCAA’s chief medical officer, in writing, regarding a student-athlete’s disclosure of a previous positive test for banned substances administered by any other athletics organization. (Adopted: 1/14/97 effective 8/1/97, Revised: 7/31/14) 12.7.3.1 Content and Purpose. Each academic year, a student-athlete shall sign a form maintained by the Committee on Competitive Safeguards and Medical Aspects of Sports and approved by the Council in which the student consents to be tested for the use of drugs prohibited by NCAA legislation. Failure to complete and sign the consent form prior to practice or competition, or before the Monday of the fourth week of classes (whichever occurs first) shall result in the student-athlete’s ineligibility for participation (practice and competition) in all intercollegiate athletics. (Adopted: 1/10/92 effective 8/1/92, Revised: 1/16/93, 1/10/95 effective 8/1/95, 1/14/97, 4/24/03, 8/5/04, 11/1/07 effective 8/1/08, 7/30/10, 7/31/14, 8/7/14) 12.7.3.2 Administration. The following procedures shall be used in administering the form (see Constitution 3.2.4.7): (Adopted: 1/10/92 effective 8/1/92, Revised: 4/27/00, 7/30/10, 7/31/14) (a) The consent form shall be administered individually to each student-athlete by the athletics director or the athletics director’s designee each academic year; (b) The athletics director or the athletics director’s designee shall disseminate the list of banned drug classes to all student-athletes and educate them about products that might contain banned drugs. All student-athletes are to be notified that the list may change during the academic year,
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 6 of 9
that updates may be found on the NCAA website (www.ncaa.org) and informed of the appropriate athletics department procedures for disseminating updates to the list; and (c) The consent form shall be kept on file by the athletics director and shall be available for examination upon request by an authorized representative of the NCAA. 12.7.3.3 Exception—14-Day Grace Period. A student-athlete who is “trying out” for a team is not required to complete the form until 14 days from the first date the student-athlete engages in countable athletically related activities or before the student-athlete participates in a competition, whichever occurs earlier. (Adopted: 4/27/06 effective 8/1/06, Revised: 7/31/14) 12.7.3.4 Effect of Violation. A violation of Bylaw 12.7.3 or its subsections shall be considered institutional violations per Constitution 2.8.1; however, a violation shall not affect the student-athlete’s eligibility, provided the student-athlete signs the consent form. (Revised: 4/28/05 effective 8/1/05, 7/30/10, 7/31/14) 12.7.5 Eligibility Requirements for Male Students to Practice With Women’s Teams. Male students may engage in practice sessions with women’s teams under the following conditions: (Revised: 5/12/05, 5/29/08, 7/31/14) (a) Male students who practice with an institution’s women’s team on an occasional basis must be verified as eligible for practice in accordance with Bylaw 14.2.1 and must have eligibility remaining under the five-year rule (see Bylaw 12.8.1); (b) Male students who practice with an institution’s women’s teams on a regular basis must be certified as eligible for practice in accordance with all applicable NCAA eligibility regulations (e.g., must be enrolled in a minimum full-time program of studies, must sign a drug-testing consent form, must be included on the institution’s squad list); (c) It is not permissible for an institution to provide male students financial assistance (room and board, tuition and fees, and books) in return for practicing with a women’s team. A male student who is receiving financial aid or any compensation for serving in any position in the athletics department may not practice with a women’s team. A male student-athlete who is a counter in a men’s sport may not engage in practice sessions with an institution’s women’s team in any sport; (d) It is not permissible for an institution to provide male students room and board to remain on campus during a vacation period to participate in practice sessions with a women’s team; (e) It is not permissible for a male student-athlete who is serving an academic year of residence as a nonqualifier to participate in practice sessions with a women’s team; and (f ) It is permissible for an institution to provide practice apparel to male students for the purpose of practicing with a women’s team. 12.8 Seasons of Competition: Five-Year Rule. A student-athlete shall not engage in more than four seasons of intercollegiate competition in any one sport (see Bylaws 17.02.8 and 14.3.3). An institution shall not permit a student-athlete to represent it in intercollegiate competition unless the individual completes all of his or her seasons of participation in all sports within the time periods specified below: (Revised: 7/31/14) 12.8.1 Five-Year Rule. A student-athlete shall complete his or her seasons of participation within five calendar years from the beginning of the semester or quarter in which the student-athlete first registered for a minimum full-time program of studies in a collegiate institution, with
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 7 of 9
time spent in the armed services, on official religious missions or with recognized foreign aid services of the U.S. government being excepted. For international students, service in the armed forces or on an official religious mission of the student’s home country is considered equivalent to such service in the United States. (Revised: 4/2/10, 7/31/14) 14.2.2.1.3 Final Semester/Quarter. A student-athlete may compete while enrolled in less than a minimum full-time program of studies, provided the student is enrolled in the final semester or quarter of the baccalaureate program and the institution certifies that the student is carrying (for credit) the courses necessary to complete degree requirements. The student granted eligibility under this provision shall be eligible for any postseason event that begins within 60 days following said semester or quarter, provided the student has not exhausted the five years for completion of the individual’s maximum permissible number of seasons of eligibility (see Bylaw 12.8). Thereafter, the student shall forfeit eligibility in all sports, unless the student completes all degree requirements during that semester or quarter and is eligible to receive the baccalaureate diploma on the institution’s next degree-granting date. (Revised: 1/10/92, 1/16/93, 1/10/95, 2/1/05, 11/1/07 effective 8/1/08, 1/14/12, 8/21/12) 14.2.2.1.4 Graduate Program. A student may compete while enrolled in a full-time graduate program as defined by the institution (see Bylaw 14.6). (Revised: 1/9/06 effective 8/1/06) 14.3.1 Eligibility for Financial Aid, Practice and Competition. A student-athlete who enrolls in a member institution as an entering freshman with no previous full-time college attendance shall meet the following academic requirements, as certified by the NCAA Eligibility Center, as approved by the Board of Governors, and any applicable institutional and conference regulations, to be considered a qualifier and thus be eligible for financial aid, practice and competition during the first academic year in residence. (Revised: 1/16/93 effective 8/1/94, 1/9/96 effective 8/1/97, 3/22/06, 5/9/07, 10/30/14) Delayed effective date. See specific date below. 14.3.1 Eligibility for Financial Aid, Practice and Competition. A student-athlete who enrolls in a member institution as an entering freshman with no previous full-time college attendance shall meet the following academic requirements, as certified by the NCAA Eligibility Center, as approved by the Board of Governors, and any applicable institutional and conference regulations, to be considered a qualifier or an academic redshirt. (Revised: 1/16/93 effective 8/1/94, 1/9/96 effective 8/1/97, 3/22/06, 5/9/07, 10/27/11, 4/26/12 effective 8/1/16; for student-athletes initially enrolling full time in a collegiate institution on or after 8/1/16, 10/30/14) 14.4.1 Progress-Toward-Degree Requirements. To be eligible to represent an institution in intercollegiate athletics competition, a student-athlete shall maintain progress toward a baccalaureate or equivalent degree at that institution as determined by the regulations of that institution subject to controlling legislation of the conference(s) or similar association of which the institution is a member and applicable NCAA legislation. (See Constitution 3.2.4.13 regarding the obligations of members to publish their progress-toward-degree requirements for student-athletes.) (Revised: 5/29/08, 4/15/09)
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 8 of 9
14.4.3.1 Fulfillment of Credit-Hour Requirements. Eligibility for competition shall be determined based on satisfactory completion of at least: (Revised: 1/10/92, 10/31/02 effective 8/1/03, 3/10/04, 4/28/05) (a) Twenty-four semester or 36 quarter hours of academic credit prior to the start of the student-athlete’s second year of collegiate enrollment (third semester, fourth quarter); (b) Eighteen semester or 27 quarter hours of academic credit since the beginning of the previous fall term or since the beginning of the certifying institution’s preceding regular two semesters or three quarters (hours earned during the summer may not be used to fulfill this requirement) (see Bylaw 14.4.3.1.4); and (c) Six semester or six quarter hours of academic credit during the preceding regular academic term (e.g., fall semester, winter quarter) in which the student-athlete has been enrolled full time at any collegiate institution (see Bylaw 14.4.3.4 for postseason certification). 14.4.3.2 Fulfillment of Percentage of Degree Requirements. A student-athlete who is entering his or her third year of collegiate enrollment shall have completed successfully at least 40 percent of the course requirements in the student’s specific degree program. A student-athlete who is entering his or her fourth year of collegiate enrollment shall have completed successfully at least 60 percent of the course requirements in the student’s specific degree program. A student-athlete who is entering his or her fifth year of collegiate enrollment shall have completed successfully at least 80 percent of the course requirements in the student’s specific degree program. The course requirements must be in the student’s specific degree program (as opposed to the student’s major). (Adopted: 1/10/92 effective 8/1/92, Revised: 1/9/96, 10/31/02 effective 8/1/03)
Arizona State University Sun Devil Athletics
Student-Athlete Eligibility Audit September 13, 2016
Page 9 of 9
Appendix B – NCAA Compliance 2.1 The Principle of Institutional Control and Responsibility. [*] 2.1.1 Responsibility for Control. [*] It is the responsibility of each member institution to control its intercollegiate athletics program in compliance with the rules and regulations of the Association. The institution’s president or chancellor is responsible for the administration of all aspects of the athletics program, including approval of the budget and audit of all expenditures. (Revised: 3/8/06) 2.1.2 Scope of Responsibility. [*] The institution’s responsibility for the conduct of its intercollegiate athletics program includes responsibility for the actions of its staff members and for the actions of any other individual or organization engaged in activities promoting the athletics interests of the institution. 2.8 The Principle of Rules Compliance. [*] 2.8.1 Responsibility of Institution. [*] Each institution shall comply with all applicable rules and regulations of the Association in the conduct of its intercollegiate athletics programs. It shall monitor its programs to assure compliance and to identify and report to the Association instances in which compliance has not been achieved. In any such instance, the institution shall cooperate fully with the Association and shall take appropriate corrective actions. Members of an institution’s staff, student-athletes, and other individuals and groups representing the institution’s athletics interests shall comply with the applicable Association rules, and the member institution shall be responsible for such compliance. 2.8.2 Responsibility of Association. [*] The Association shall assist the institution in its efforts to achieve full compliance with all rules and regulations and shall afford the institution, its staff and student-athletes fair procedures in the consideration of an identified or alleged failure in compliance. 2.8.3 Penalty for Noncompliance. [*] An institution found to have violated the Association’s rules shall be subject to such disciplinary and corrective actions as may be determined by the Association.
This page left blank intentionally.
Arizona State University 2016 Capital Project Audit Report Psychology Building Renovation
October 24, 2016
This page left blank intentionally.
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 1 of 11
Summary The 2016 Capital Project Audit was included on the Arizona State University (ASU) FY 2017 audit plan approved by the Arizona Board of Regents (ABOR) Audit Committee and ASU senior leadership. The audit focused on the Psychology Building renovation and reviewed the adequacy of controls over the process, focusing on contract administration and due diligence as well as assessing if billings were adequately supported and in accordance with contract provisions. Background: The Psychology Building was originally constructed in 1972 and is a three-story, 81,000 gross square foot structure. The building required upgrades to all building infrastructure systems to meet program requirements and current building and life safety codes. The original project budget was approved at $22.7, million which was later reduced to $20.5 million primarily due to estimate reductions in construction costs and reduction in design/construction contingency requirements. Renovation work included asbestos remediation, new interior finishes, major upgrades to mechanical, electrical and plumbing systems, exterior building repairs, and new audio visual systems and Furniture and Fixed Equipment (FF&E). The project was completed in September 2015. The project was completed using the Construction Manager at Risk (CM@Risk) project delivery method, which provides for early involvement of the construction manager during the design phase, and completion of the construction under a Guaranteed Maximum Price (GMP). The CM@Risk was Holder Construction Group, as chosen by the Selection Committee. The Design Professional was SmithGroup JJR. Other major vendors included Native Environmental (remediation/demolition), Target Interiors (FF&E), and CenturyLink (communications). Holder Construction Group completed the construction portion of the project under a GMP of $14.1Million. Audit Objectives: The objectives of the engagement were to assess the Capital Programs Management Group (CPMG) controls around management and execution of the Psychology Building Renovation Project. Scope: The scope of this engagement was to review and assess the adequacy of controls over the process, focusing on contract administration and due diligence as well as to validate that the contractor billings and reporting were adequately supported and in accordance with contract provisions. Methodology: University Audit, supported by Protiviti, conducted walkthroughs of the CPMG processes used to manage the project including the following areas:
Project Approval Bidding, Procurement, and Contracting Change Management
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 2 of 11
Project Accounting Project Management and Reporting.
In addition, applicable policies and procedures related to the capital project processes were reviewed and assessed for adequacy and compliance. Project documentation also was evaluated to test for compliance with agreed upon contract terms and conditions covering monthly billing, schedule management, change order management, subcontractor management, insurance/risk management and materials and equipment. Conclusion: Based on the audit test work performed, University Audit noted that the Psychology Building Renovation project was completed within the allocated budget. In addition, it was noted that CPMG has effective processes in place to monitor and assess performance of capital management activities, including the following areas:
Policies and procedures to govern project management activities Management and approval of project changes Invoice review processes requiring review from a technical project manager and design professional, including requiring adequate supporting documentation Centralized procurement group to manage contracting, procurement and bidding process for direct contractors, and Processes to monitor and track CM@Risk lien wavers.
Although reasonable to strong controls in these areas were found to be in place, from an overall program management prospective, CPMG would achieve increased benefits and efficiencies from enhancements to certain processes and controls in place around compliance management and project reporting. These specific items are noted below. The control standards University Audit considered during this audit and the status of the related control environment are provided in the following table:
General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Finding No.
Page No.
Organizational Strategic Objectives are Achieved Capital project budgets are reviewed and
approved by appropriate levels of authority. Reasonable to Strong Controls in Place
N/A N/A Capital project budgets are developed according
to agreed-upon policies and procedures. Reasonable to Strong Controls in Place
N/A N/A Capital projects are advertised for bids and the
lowest responsible bidder is selected. A formal Reasonable to Strong Controls in Place
N/A N/A
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 3 of 11
notice to proceed is required after the contract award is made.
Reliability and Integrity of Financial and Operational Information
Payment of invoices require project manager review and approval prior to payment.
Reasonable to Strong Controls in Place
N/A N/A The project manager reviews and approves the
burdened labor rate to ensure it is accurate and does not include prohibited line items.
Opportunity for Improvement
2
6
Effectiveness and Efficiency of Operations
A defined change management process exists and is followed.
Reasonable to Strong Controls in Place
N/A N/A ASU’s organization and project team structure is
clearly defined and reporting roles and responsibilities within the team are clearly understood.
Reasonable to Strong Controls in Place
N/A N/A
A Construction Project checklist is utilized to ensure all required project documentation is obtained and maintained as part of the construction project process.
Opportunity for Improvement
4
9
Ongoing vendor and subcontractor compliance monitoring is performed to ensure compliance to contractual terms.
Opportunity for Improvement
3
7
Safeguarding of Assets Monthly reports tracking key status and metrics
of the project are prepared by the CM@Risk and provided to ASU.
Opportunity for Improvement
1
4
Compliance with Laws and Regulations N/A N/A We appreciate the assistance of Capital Programs Management Group during the audit.
___________________________ ____________________________ Gordon Murphy, CPA, CFE, MAEd Internal Auditor Senior
Lisa Grace, CPA, CIA, CISA, CISSP Executive Director
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 4 of 11
1. Required monthly reporting by the CM@Risk was not performed as required by the contract. Condition: The CM@Risk did not provide ASU with the required monthly reporting. Although three instances of detailed cost, schedule and project status were observed in November 2014, January 2015 and February 2015, reports were not formally distributed after this point. The lack of tracking of “Contingency and Allowance usage” is of specific concern as this is one of the primary methods through which ASU would detect potential misuse of the Contingency. Specifically, section 7.11 of the contract allows the CM@Risk to allocate variances of the Schedule of Values (SOV) to the Construction Contingency without express approval by ASU. Section 1.2.3 states that the Bidding/Construction Contingency is to be used to cover any excess in the amount bid by a subcontractor over the amount for that work in the GMP or to cover unforeseen expenses. As a result, the monthly reporting related to the Contingency usage is the primary control that gives management visibility into potential misuse. Criteria: Section 2.1.2 of the contract requires the CM@Risk to provide monthly reporting that includes the following items:
Cost tracking with projected final cost Subcontract amounts and buy-out status Contingency and Allowance usage Updates to current Critical Path Method (CPM) schedule Tracking of project schedule variance Updates to cash flow projection for the duration of the project Copies of the construction superintendent’s daily site reports Identification of construction document conflicts or ambiguities requiring resolution Health and safety performance tracking Tracking of issues that could jeopardize the CM@Risk’s ability to compete the work for the GMP on schedule and within the contract time(s).
Cause: Formal project management processes were not in place to ensure required reporting was obtained and assessed. Instead, reliance was made on the frequent communication between the project manager and the CM@Risk. Effect: Although no material items were noted related to the lack of these reports, it is considered best practice to ensure the monthly updates are obtained and reviewed to ensure effective management of the overall project status and to ensure adequate transparency to potential risk areas of the project.
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 5 of 11
Additionally, specific to the Contingency usage reporting, the lack of transparency around SOV changes and Contingency use negatively impacts management’s ability to ensure that all potential savings are being passed back to ASU as required by the contract, a key benefit of a Guaranteed Maximum Price contract. Although there are review and approval controls in place to ensure that actual items submitted for payment are supportable, the volume of support and detail provided is such that it limits the ability to identify potential misuse of the contingency. Recommendations: CPMG should enforce the contractual terms to ensure consistent distribution of the monthly status reports to ASU project managers, managements and other relevant stakeholders. Management Response: Management concurs with this issue. CPMG will ensure that monthly reports are completed by the CMAR consistently and completely going forward.
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 6 of 11
2. Review of CM@Risk Labor Costs was not formally documented. Condition: There was no evidence documenting that a review was performed of the direct supervisory labor cost. This review ensures that prohibited items are not included and that the overall rates are reasonable and appropriate. Criteria: Sections 1.2.22 and 2.2.2.1 of the contract describe an open book cost concept to ensure there is full transparency of labor costs. It is acceptable that “allocated rates” are used for such billings, but these rates must be reviewed and approved by ASU at the start of the project. Cause: Management confirmed that the review was performed as required; however, this review and approval was not formally documented. Effect: University Audit was unable to independently confirm if this review occurred and if the rates billed by the CM@Risk were compliant with contractual terms. Recommendations: CPMG should formally document the review process involved in reviewing the labor costs including the required approval. As part of this review, appropriate document should be maintained to evidence that the rates are reasonable and do not include any prohibited items. Management Response: Management concurs with this issue. CPMG confirmed that the review was performed and that both the Project Manager and the Project Manager’s Supervisor approved the rate; however, no documentation was maintained. In the future, a formal memo to the project file documenting the review process, including approval by management, will be maintained with the project file.
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 7 of 11
3. Vendor, CM@Risk and Subcontractor Compliance and Monitoring is not occurring in all cases. Condition: CPMG has implemented tracking on various compliance and performance requirements; however, there were several areas identified as part of testing that had limited or no tracking place. Compliance Item Contract/Policy Reference Tracking Mechanism Verification Status Vendor and CM@Risk Insurance Certificates
Varies by contract None Observed No CPMG tracking observed. Insurance certificates provided by CM@Risk. Exceptions noted for Native Environmental and Century Link.
Major Subcontractor 1% Apprenticeship Program Contribution
CM@Risk Contract Section 13.19D
CM@Risk – Tracking Sheet No CPMG tracking observed. Per CM@Risk, mechanical subcontractor is union and is required to make the contribution.
Use of 10% ration of apprentice to journeyman
CM@Risk Contract Section 13.19D
None Observed No tracking mechanism observed for CPMG, CM@Risk or Subcontractors.
Tracking of Subcontractor performance in past ASU projects
ABOR Policy 7-111;Best Practices
None Observed No tracking of subcontractor performance by CPMG observed.
Tracking of Fees and Markups
CM@Risk Contract Sections 1.2.7, 10.4
ASU – Monthly Pay App and Change Notice Review
Minor inconsistencies noted regarding applications of CM@Risk Fee and Tax rates.
Tracking of Rental Equipment
CM@Risk Contract Section 7.12 None Observed Rental Equipment use was minimal during this project.
Criteria: There are various components of the contract that require specific performance by the CM@Risk. Cause: Management did not have a formal process or checklist to ensure all compliance/performance items are tracked to ensure compliance to the terms of the contract. Effect: While none of these areas by themselves are of a significant risk for this project, in aggregate they demonstrate a need to formalize tracking processes to ensure the required terms of the contract are met and maintained.
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 8 of 11
Recommendations: CPMG should work with the CM@Risk to ensure that all subcontractors and service providers are consistently reviewed for compliance with contractual requirements. In addition, tracking mechanisms should be implemented by CPMG to promote contract compliance and reduce risks associated with non-allowable construction costs and under-insurance. In some cases, tracking should be done by the CM@Risk; however, CPMG should implement processes to ensure this is being done. Management Response: CPMG has created a responsible matrix to clarify which ASU department is accountable for contract component management to ensure clearer areas of responsibility and to ensure compliance is tracked.
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 9 of 11
4. Required and/or relevant project documents were not obtained/maintained as part of the Psychology capital project. Condition: Various project documents that may help ASU monitor and control the scope, cost and schedule of project budget or that were required per the contract were not obtained/maintained as part of the overall project management. As a result, the following documents were not available as part of our review. Ref Document Description (1) Documentation of conflict-checks performed (2) Pre-Construction and Construction Phase monthly written status reports (3) Documents confirming that all project close out items were received prior to retention payment (per General
Conditions section 7.9.2) including: a) An affidavit that payrolls, bills tor materials and equipment, and other indebtedness connected with the
Work for which the Owner or the Owner's property might be responsible or encumbered (less amounts withheld by the Owner) have been paid or otherwise satisfied by the CM@Risk;
b) A certificate evidencing that insurance required by the Contract Documents to remain in force after Final Payment is currently in effect and will not be canceled or allowed to expire until at least thirty (30) calendar days' prior written notice has been given to the Owner;
c) Consent of Surety to Final Payment; d) Unconditional waivers of lien in statutory form from all Subcontractors, material suppliers, or other
persons or entities having provided labor, materials and equipment relating to the Work; e) If required by the Owner, other data establishing payment or satisfaction of obligations, such as receipts,
releases and waivers of liens, claims, security interests or encumbrances arising out of the Contract Documents;
f) All Project warranty documents, including special manufacturers warranties; g) Final Subcontractor List; h) All approved Submittals and Shop Drawings (electronic copy); i) Schedule of Required maintenance
Criteria: Based on various contract terms, neither final payment nor final release of retainage shall become due until the CM@Risk submits the required documents. Cause: Although a project checklist was created as a result of a previous contract audit to document required documents that may help ASU monitor and control the scope, cost and schedule of construction projects, it was not available at the time of this audit. No other processes were in place to ensure relevant and required documents were obtained. Effect: Although no specific impact was noted, it is considered best practice to ensure the completion and tracking of these documents to promote a more comprehensive project management process as well as to reduce cost overruns, process inefficiencies and close out issues.
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 10 of 11
Recommendations: CPMG should utilize the project documentation list previously developed. CPMG should develop a document tracking process to promote easy retrieval of documents or to document where compliance to the specified item was not feasible and the reason why. Management Response: Management concurs with this issue. CPMG will work with University Audit to finalize the list and use as part of the overall project management process going forward. This will be completed by January 31, 2017.
Arizona State University 2016 Capital Project Audit
October 24, 2016
Page 11 of 11
Distribution: Audit Committee, Arizona Board of Regents Michael M. Crow, President Mark S. Searle, Executive Vice President and University Provost Morgan R. Olsen, Executive Vice President, Treasurer and Chief Financial Officer José A. Cárdenas, Senior Vice President and General Counsel Christine K. Wilkinson, Senior Vice President and Secretary of the University Joanne Wamsley, Vice President for Finance Lisa S. Loo, Vice President for Legal Affairs and Deputy General Counsel Bruce Nevel, Associate Vice President, Facilities Development and Management Bruce Jensen, Executive Director, Capital Programs Management Diane Rowley, Director, Capital Programs Management Internal Audit Review Board
This page left blank intentionally.
Internal Audit Department
Summer Camps and Conferences Audit Report
June 2016
Report Number FY 16-09
This page left blank intentionally.
Northern Arizona University Summer Camps and Conferences
Audit Report June 8, 2016
Summary
Our audit of NAU’s Summer Camps and Conferences is in the Annual Audit Plan for FY 2016, as approved by the Audit Committee of the Arizona Board of Regents. This audit links to Northern Arizona University’s goal of having efficient, effective, and accountable practices. Background: In August 2012, NAU entered a management agreement with Sodexo to manage Summer Camps and Conferences. The University’s summer conference season spans mid-May through early August. The one-stop-shop blueprint offers clients the convenience of one point of contact, one contract and one bill for their entire summer program. The single point of contact works closely with NAU departments to coordinate group usage of on-campus lodging, dining, catering, meeting space, academic space, recreation facilities, athletic fields, transportation and parking arrangements. Youth groups from all over the nation choose NAU as their destination for summer programs. NAU is also host to a number of summer adult conferences that include both national and international attendees. These groups range in size from 10 to 2,500 people and stay as little as one night or as long as five weeks. The combination of Flagstaff’s proximity to the Grand Canyon, its elevation, state-of-the-art facilities and summer weather make NAU a popular choice for summer programs. Sodexo utilizes the Event Management System (EMS) to reserve and administer summer camps and conferences. EMS is a database of all NAU rooms and facilities and facilitates the management of room availability. Unit Financial System (UFS) is the accounting system used to account for summer camps and conferences. Summer Camps and Conferences offers many venues for group meetings, receptions and activities, including meeting rooms, classrooms, recreational space and assembly halls. Meeting rooms can be equipped with audio/visual equipment. Meeting rooms are located within the du Bois Center, University Union, Health and Learning Center, W.A. Franke College of Business and R.H. Castro College of Social and Behavior Sciences and include space for the following capacities:
du Bois Center - 17 to 250 participants
University Union - 28 to 115 participants
Health and Learning Center - 48 to 104 participants
W.A. Franke College of Business - 40 to 200 participants
R.H. Castro College of Social and Behavior Sciences - 83 to 200 participants
Banquet rooms and ballrooms - 300 to 850 participants
Performance halls - 400 to 1,300 participants
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 2 of 11
Recreational fields feature indoor/outdoor soccer fields, multi-purpose fields/space, sand volleyball courts, indoor volleyball courts, basketball courts, tennis courts, indoor track, badminton courts and projector and screen for movies. Recreational fields include the following:
South Field Complex The Aquatic and Tennis Complex
The du Bois Center Field Union Fieldhouse
Observatory Field Multi Activity Court (MAC) Gym
Gabaldon Field South Gym Housing options include the following on-campus residence halls:
Traditional Style Halls Suite Style Halls
McConnell Gabaldon
Reilly Mountain View
Allen The Suites Campus Dining provide meals and catering services to camps/conference participants. A variety of food choices are offered at The Hot Spot and The Dub, as well as the option of catering services. Rates per participant for 2015 Summer Camps and Conferences are as follows:
Food Service
Breakfast $ 5.02 Lunch 8.37 Dinner 8.61 Tax 1.97
Total Food Service $ 23.97
Residence Life $14 to $58.50
Conference Fee $ 9.50
Health Center Fee $ 0.20
Meeting rooms range from $50 to $2,000 plus the cost of labor; while recreational facilities/fields range from $5 per hour to $100 per hour for indoor recreational facilities; $80 per day to $1,200 per day for outdoor recreational facilities and $100 per day to $200 per day for the swimming pool.
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 3 of 11
Per the management agreement, payments from Sodexo to NAU represent surplus (net income), which are recognized as revenue on NAU’s books minus the revenue generated from Campus Dining; while deficits (net losses) are charged as an expense to NAU and result in a payment to Sodexo. NAU reported net income during the summer months while net losses occurred during the rest of the academic year. Residence Life and Campus Dining provided 35% and 39% of total revenue, respectively. Approximately 17% of total revenue related to the Conference Center, with the remaining 9% of revenue allocated to other NAU departments involved with Summer Camps and Conferences (i.e. parking, shuttle, Health and Learning Center, room rentals) in accordance with Sodexo policies and procedures. The following reflects the activity for Summer 2015:
June July August Total
Sales
Rooms-regular 31,272.50 60,354.00 19,951.87 111,578.37
Lodging 283,248.00 350,292.25 123,457.70 756,997.95
Banquet and catering 4,706.06 1,067.26 - 5,773.32
Food lunch 321,342.37 416,964.65 94,632.74 832,939.76
Conference 142,048.32 174,448.50 56,819.50 373,316.32
Merchandise-regular 37,540.74 30,758.64 13,131.83 81,431.21
Restaurant-discountable (328,688.43) (416,903.90) (95,554.89) (841,147.22)
Total sales 491,469.56 616,981.40 212,438.75 1,320,889.71
Special services 2,931.80 3,672.41 1,196.20 7,800.41
Total sales and revenue 494,401.36 620,653.81 213,634.95 1,328,690.12
Operating Expenses
Labor
Wages 13,493.28 5,542.45 12,077.40 31,113.13
Benefits and payroll taxes 6,292.77 3,468.50 5,865.56 15,626.83
Wage accruals 220.05 220.11 241.18 681.34
Total labor 20,006.10 9,231.06 18,184.14 47,421.30
Controllables
Telephone 11.00 11.00 11.00 33.00
Delivery - 0.64 - 0.64
Printed materials - - 5,436.79 5,436.79
Miscellaneous (4,626.37) 2,237.89 1,782.11 (606.37)
Credit card discount fees 1,362.66 2,380.40 1,182.54 4,925.60
Total controllables (3,252.71) 4,629.93 8,412.44 9,789.66
Non-controllables
Amortization-depreciation 77.39 61.90 61.91 201.20
Insurance 535.10 575.95 521.29 1,632.34
Taxes, license and fees 470.79 - 471.03 941.82
Management fee 2,483.35 1,986.68 1,998.20 6,468.23
Systems support 21.45 21.45 21.45 64.35
Total non-controllables 3,588.08 2,645.98 3,073.88 9,307.94
Total operating expenses 20,341.47 16,506.97 29,670.46 66,518.90
Net Income 474,059.89 604,146.84 183,964.49 1,262,171.22
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 4 of 11
Audit Objective: The primary objective of the audit is to determine if Summer Camps
and Conferences held at NAU are adequately planned, administered and accounted for.
Scope: The scope of our audit included a review of all policies and procedures governing the management of Summer Camps and Conferences as well as other procedures that helped us achieve our primary audit objective. We reviewed documents and system reports supporting transactions that occurred from May 2015 to August 2015, as well as current practices and procedures. Methodology:
Reviewed the Summer Camps and Conferences website.
Reviewed ABOR and NAU policies and procedures related to Summer Camps and Conferences.
Reviewed Sodexo policies and procedures related to Summer Camps and Conferences.
Interviewed NAU and Sodexo staff responsible for managing Summer Camps and Conferences, which include Sodexo, Housing and Residence Life, and Enrollment Management and Student Affairs.
Reviewed contracts, planning/management checklists, EMS reservation system and UFS accounting system reports for selected invoices to determine camp/conference was adequately planned, administered and accounted for.
Reviewed revenue allocation, income statements provided by Sodexo and general ledger activity for Summer Camps and Conferences.
The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing. Conclusion: Summer Camps and Conferences are adequately planned, administered and account for. Checklists and periodic meetings among NAU departments prove effective in planning and administering Summer Camps and Conferences. While the use of EMS allows for efficient booking and paperless retention (i.e. contracts, insurance policies, etc.) for Summer Camps and Conferences, UFS is used to invoice customers and collect on those invoices.
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 5 of 11
The control standards we considered during this audit and the status of the related control environment are provided in the following table.
General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Recommen- dation No.
Page No.
Reliability and Integrity of Financial and Operational Information
Departments prepare complete and timely billings for Summer Camps and Conferences
Reasonable to Strong Controls in Place
Revenue recognition is not duplicated Reasonable to Strong Controls in Place
Reconciliation of NAU Department billings to customer invoices is performed
Reasonable to Strong Controls in Place
Duplicate reservations are not allowed Reasonable to Strong Controls in Place
Revenue and expenses are captured in the correct annual accounting period
Reasonable to Strong Controls in Place
Rate schedules exist and are approved by NAU administration and Sodexo
Opportunity for Improvement
1 7
Monthly reports are timely submitted to NAU administration for review.
Reasonable to Strong Controls in Place
2 8
Monthly reports for NAU administration are adequate.
Opportunity for Improvement
2 8
Management oversight is provided to ensure revenue and expense capture is appropriately recorded
Opportunity for Improvement
3 9
Safeguarding of Assets
Reservation and accounting software and data are backed up
Reasonable to Strong Controls in Place
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 6 of 11
General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Recommen- dation No.
Page No.
Sensitive information is adequately protected
Reasonable to Strong Controls in Place
Effectiveness and Efficiency of Operations
Policies and procedures exist for Summer Camps and Conferences
Reasonable to Strong Controls in Place
Contracts are used and adequately explain Camps/Conference policies
Reasonable to Strong Controls in Place
Features within EMS are used to efficiently plan and effectively manage Summer Camps and Conferences
Reasonable to Strong Controls in Place
Planning meetings between Summer Camps and Conferences and NAU Departments are adequate
Reasonable to Strong Controls in Place
Customer disputes are timely followed-up on and resolved
Reasonable to Strong Controls in Place
Compliance with Laws and Regulations
Summer Camps and Conferences complies with ABOR policies and AZ State Law
Reasonable to Strong Controls in Place
1 7
We appreciate the assistance of the staff of Sodexo, Housing and Residence Life and Enrollment Management and Student Affairs.
/s/ /s/ Karletta Jones Senior Internal Auditor Northern Arizona University (928) 523-4136 [email protected]
Mark Petterson Chief Audit Executive Northern Arizona University (928) 523-6438 [email protected]
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 7 of 11
Audit Results, Recommendations and Responses
1. NAU Management and Sodexo should periodically review and agree on rate schedules related to summer camps and conferences components.
Condition: NAU administration and Sodexo have approved dining rates for Summer Camps and Conferences; however, no formalized agreement exists for rates related to housing, conference fee, health center fee, facility (room and recreation) rentals and special rates. Rates, other than dining, have not changed significantly for several years. Criteria: Per ABOR Policy 7-209, Rental Rates, “The rental rates for use of university facilities and properties by off-campus organizations shall be approved by the president of each institution. Rental rates should reflect considerations of the fair market value rates charged by comparable facilities, actual expenses incurred in providing the space (operations, maintenance, and deferred maintenance), and inflation. Each university shall review its established rates annually. A university may offer reduced rental rates to affiliated non-profit organizations.” Cause: Because the rates related to housing, conference fee, health center fee and facility rentals have not significantly changed since Sodexo began managing Summer Camps and Conferences, the rates have not been outlined in the contract and/or related addendums. Effect: Adequate approved documentation does not exist to support fees charged. Without a formal agreement, potential disputes related to fees charged exist. Lack of annual review of rates could result in inadequate rates for cost recapture. Recommendation: In addition to dining rates, all other conference/camp rates should be included in the contract and/or addendum to the contract as well as approved special rates. Rates should be periodically reviewed to ensure cost recapture is adequate. Response: Senior administration of all involved departments will meet annually to formalize summer conference package and facility rates. The rates will be in effect for two years and will be reassessed by senior administration to ensure its adequacy. Involved departments include NAU Residence Life, High Country Conference Center, NAU Dining Services, NAU Campus Health Services, NAU Campus Services and Activities, NAU Athletics and Campus Recreation Services. Approved summer package and facility rates will be acknowledged on an internal NAU document to be approved and signed by all involved parties. A proposed 2016 Summer Conferences Package and
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 8 of 11
Facility Rates Schedule has been drafted and will be approved by senior administration by June 30, 2016.
2. Monthly reports provided to NAU management should be more detailed.
Condition: Currently, Sodexo provides Monthly Operating Statements and Revenue Allocation worksheets for Summer Camps and Conferences. The Operating Statements reflect monthly revenue and expenses by account type. The Revenue Allocation is a spreadsheet that lists all events billed for a particular month with each billing allocated to several NAU departments for their share of the revenue. A contra-revenue account for discounts and bad debt expense accounts does not exist. Instead, discounts and bad debt are netted against revenue, with the net revenue allocated to the respective department. Criteria: Reporting requirements as outlined in the Sodexo contract indicate monthly profit and loss reports and weekly sales reports are to be provided to NAU administration. Per the management agreement (Article VI, 6.1), Sodexo shall collect and account for Gross Revenue and pay Operating Expenses as required and will submit an Annual Operating Projection (Article VI, 6.2) to project revenues, management fees, operating expenses, routine capitalized maintenance and major reports for the forthcoming fiscal year. Cause: Because the reporting requirements are limited to several reports and no deadline exists, there has been no request by NAU management to request detailed information within a certain deadline. There is no guidance in the management agreement to record discounts applied to revenue or the recognition of bad debt expense. Effect: Without adequate and timely detail to support expenses and no separate tracking of discounts and bad expense, management is limited in their review of expenses to ensure payments made to Sodexo are accurate and comply with the management agreement; specifically if expenses are reasonably consistent with the Annual Operating Projection. Recommendation: General ledger detail of expense line items should be requested monthly for review with adequate supporting documentation and/or explanation for unusual/significant activity noted by NAU administration. A deadline should be established within the management agreement for reporting requirements. Discounts should be reported in a contra-revenue account and bad debt expense should be separately recognized as opposed to being netted against revenue.
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 9 of 11
Response: A contra-revenue account will be created to reflect discounts that are given for NAU Summer Camps and Conferences. A bad debt expense account (credit memos) will be created to capture accounts written-off; instead of being netted against revenue. This will be completed by Sodexo’s fiscal year-end of August 31, 2016. Detail of expense line items will be provided in the operations statement provided to NAU Management on a monthly basis. This will be completed by Sodexo’s fiscal year-end of August 31, 2016.
3. NAU Management oversight should be improved to ensure revenue and
expenses are recorded appropriately on the general ledger.
Condition: Net income reported on Sodexo Operating Statements are recorded in one revenue account on NAU’s general ledger as opposed to recording revenue and expense separately. The net loss reported on Sodexo Operating Statements are recorded in consulting expense on NAU’s general ledger. Criteria: Per the management agreement, payments made to Sodexo are a result of any deficit (net loss) recognized for the month; while payments made to NAU are a result of any surplus (net income) recognized for the month. While no directive exists regarding revenue and expense postings on NAU’s general ledger, recording the components that make up net income in their appropriate general ledger account (revenue and expense) will make the Status of Funds more accurate. Cause: Without a second review of the accounting of cash receipts (net income) and cash disbursements (net loss), revenue and consulting expense have been understated. Effect: Status of Funds reports (income statements) that NAU administration uses to assess the performance of Summer Camps and Conferences are not accurate. Per the Status of Funds, net income for July 2015 in the amount of $604,147 was inadvertently recorded in consulting expense resulting in a credit balance for an expense account. Our scope includes June 2015; however, the June 2015 net income recognized was properly accrued at June 30, 2015 and reversed on July 1, 2015. Accordingly, revenue and expense is understated by $46,177, which is the sum of total operating expenses for July and August 2015. Recommendation: July 2015 net income should be reclassified to miscellaneous operating revenue and expenses associated with July and August 2015 should be
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 10 of 11
reclassified to consulting expense. Because June 2015 is zeroed out by the reversing entry, we do not recommend reclassifying the expense to consulting expense. A second review of general ledger recordings should be made to ensure its accuracy and completeness. Response: FY16 revenues and operating expenses will be reclassed in accordance with the recommended method above. The reclassification will be completed by June 30, 2016. Beginning with June 2016 activity, an additional review of the general ledger will be performed.
Northern Arizona University Summer Camps and Conferences
Audit Report
Page 11 of 11
Distribution:
Audit Committee, Arizona Board of Regents NAU Internal Audit Review Board Rita Cheng, President Mark Boyer, Director for Campus Services and Activities Administration Jennus Burton, Vice President for Finance and Administration Joe Cordova, Sodexo Unit Controller TC Eberly, Executive Director for Campus Services and Activities Administration Joanne Keene, Executive Vice President and Chief of Staff Jane Kuhn, Vice President for Enrollment Management and Student Affairs Jill Larson, Sodexo Sales Manager Michelle Parker, General Counsel Wendy Swartz, Associate Vice President and Comptroller Scott Thomson, Sodexo General Manager This report is intended for the information and use of the Arizona Board of Regents, NAU administration, the Arizona Office of the Auditor General, and federal awarding agencies and sub-recipients.
This page left blank intentionally.
Internal Audit Department
Student Employment Audit Report
June 2016
Report Number FY 16-10
This page left blank intentionally.
Northern Arizona University Audit of Student Employment
Audit Report June 21, 2016
Summary
Our audit of student employment at NAU is in the University’s Annual Audit Plan for FY
2016, as approved by the Arizona Board of Regents Audit Committee. The audit links to
NAU’s strategic goals of sustainability and effectiveness and of student success. This is
the first time student employment practices have been audited by Internal Audit.
Background: Student employees and graduate assistants provide a vital resource to
NAU. While their primary endeavor is their studies, many student employees are able to
fund their education as student workers, graduate assistants, and resident assistants. In
2015, NAU employed 4,666 student employees representing 187 departments. Salary
expense for student employees represents approximately 9% of NAU’s total salary
expense. The tables below show the gross salaries and hours worked for student
employees during the past three calendar years.
Total Salaries of Student Employees by Type
CY 2013 CY 2014 CY 2015
Student Workers
$12,889,088
$13,384,109
$12,881,068 Graduate Assistants 6,325,366 6,746,202 6,889,510 Federal Work Study 426,021 603,176 1,059,097
Total Salaries for Student Employees
$19,640,475
$20,733,487
$20,829,676
Total Hours of Student Employees by Type
CY 2013 CY 2014 CY 2015
Student Workers 1,272,577 1,429,725 1,348,480 Graduate Assistants 373,284 399,497 401,636 Federal Work Study 50,478 70,659 120,827
Total Hours for Student Employees 1,695,339 1,899,881 1,870,942
Northern Arizona University Audit of Student Employment
Audit Report
Page 2 of 15
Student employment responsibilities are decentralized. Some of the departments
responsible for student employment practices include:
1. NAU Career Development maintains “Jobs for Jacks/Handshake” for students searching and applying for employment.
2. Hiring departments post their vacancies to Jobs for Jacks/Handshake or elect to use alternative solicitation methods. In addition to advertising open student positions, hiring departments are responsible to create student employment job descriptions; select and hire student workers, residential assistants, and graduate assistants; provide specific departmental and task training; ensure mandatory university training has been completed, communicate job expectations; determine hourly pay rates; resolve student grievances; request background checks; monitor hours worked for compliance to NAU policies and regulations; and terminate student employees for unacceptable performance or at the end of their work assignment.
3. The Office of Financial Aid, within EMSA, administers NAU’s Federal Work Study program. It determines who is eligible for the Federal Work Study program and monitors students’ compliance to ongoing program requirements.
4. Human Resources is responsible for:
ensuring students are eligible to work;
processing ePARS (electronic personnel action requests) per departmental instructions;
ensuring required background checks are performed;
monitoring compliance with the Affordable Care Act compliance; and
processing payroll. Upon request, Human Resources will assist student employees and hiring departments in resolving grievances and disputes.
5. The Equity and Access Office ensures NAU meets its obligations regarding affirmative action in employment, equal opportunity, non-discrimination and harassment, and accessibility and reasonable accommodations for individuals with disabilities. The department provides mandatory Safe Working and Learning training to all new employees, including student workers. The office is also charged with investigating and resolving discrimination, harassment, and retaliation complaints.
Northern Arizona University Audit of Student Employment
Audit Report
Page 3 of 15
Nine of NAU’s fifteen ABOR-approved peer institutions report having a student employment office. A summary of the functions performed by those offices follows:
University
Location within University
Functions
Akron Financial Services and Student Employment
Posts jobs, assists students find jobs, maintains a student employment manual, and handles disputes between student workers and their supervisors.
Alabama Financial Aid and Human Resources
Human Resources helps post jobs, educates students on proper practices to apply for and start jobs, maintains workplace expectations for students, provides training or helps departments provide training. FWS is managed by Financial Aid.
Bowling Green
Career Center Hiring, payroll processing, payroll, training (works with Financial Aid on maintenance of the FWS annual allocation).
Kent State Career Center Hiring, development of student employment handbook, handles grievances after hiring department.
Maine Financial Aid Helps departments post jobs, provides services to student employees and potential student employees. Handles hiring paperwork, employee training, and employment policies. Manages FWS.
North Carolina at Greensboro
Career Services Helps students find jobs, manages hiring paperwork, and manages FWS. Provides training to supervisors on how to manage student employees.
Northern Illinois
Human Resources
Maintains documentation on student workers, administers payroll, provides training, and handles grievances after hiring department.
Southern Illinois Carbondale
Financial Aid Works with Payroll, Accounts Payable, and individual university hiring departments to support student workers. Student jobs are linked to the Student Life website.
Western Michigan
Career Services and Student Employment
Provides training for student employee supervisors, may meet with student employee and their supervisors to resolve grievances.
Northern Arizona University Audit of Student Employment
Audit Report
Page 4 of 15
Audit Objectives: The primary audit objectives for this review were to:
evaluate and assess NAU’s student employment practices for compliance to Federal regulations, and NAU policies and for consistency and fairness to student employees and
identify opportunities to improve procedures for hiring and administering student employment.
Scope: The scope of this audit focused on student employment policies and procedures
in effect as of March 31, 2016. Employment of graduate assistants, the Affordable Care
Act, and Employment Eligibility Verification were not within the audit scope.
Methodology: The following procedures were performed to accomplish the audit
objectives:
• Identified and met with primary departments responsible for administrating student employment;
• developed and distributed questionnaires to those primary departments who are charged with administrating student employment;
• analyzed the responses from 27 departments and noted their concerns; • identified gaps between NAU procedures and compliance to Federal regulations
and NAU policies; and
• researched student employment practices of peer institutions to identify alternative student employment practices that may benefit NAU.
The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.
Conclusion: Administration of student employment at NAU has significant opportunities
for improvement. NAU is subject to the following risks, primarily caused by the lack of a
centralized student employment office:
NAU may not be in compliance with the Americans with Disabilities Act (ADA) because the current job application and posting system is not accessible by students with particular disabilities. No effective alternative is provided for them to complete these processes.
The lack of consistent policies, practices and procedures for student employment makes it difficult to investigate complaints and ensure that students are not subject to discrimination.
Northern Arizona University Audit of Student Employment
Audit Report
Page 5 of 15
Without a well-documented hiring process and tracking of terminations, promotions and transfers, NAU cannot adequately comply with guidance from the Office of Federal Contract Compliance Programs (OFFCP) that universities include employees in their affirmative action plans and proactive programs.
Student employment practices vary by department, creating duplicate procedures, inefficient and inconsistent practices, and inadequate oversight.
Recommendations for improvement are discussed further in the report.
We recommend a centralized Student Employment Office be created at NAU to administer
student employment hiring and administration.
The control standards we considered during this audit and the status of the related control environment are provided in the following table.
General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Recommen- dation No.
Page No.
Reliability and Integrity of Financial and Operational Information
Not Applicable
Safeguarding of Assets Not Applicable
Authorization Procedures Not Applicable
Effectiveness and Efficiency of Operations
NAU is aware of, and has established, student employment practices that are responsive to students and ensure regulatory requirements are met.
Opportunity for Significant Improvement
1 7
All students are provided the opportunity to apply for student employment.
Opportunity for Significant Improvement
1 7
Student employees are treated equitably and compensation is consistent.
Opportunity for Improvement
1, 4, 5
7,10, 12
Supervisors of student employees are timely and adequately trained; and a handbook has been developed for reference.
Opportunity for Improvement
1, 6 7, 13
Northern Arizona University Audit of Student Employment
Audit Report
Page 6 of 15
General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Recommen- dation No.
Page No.
Student employees are adequately trained and made aware of job expectations; and a handbook has been developed for reference.
Opportunity for Improvement
1, 6, 7
7,13, 14
Applying for student employment is efficient for students.
Opportunity for Improvement
1, 2 7, 8
Compliance with Laws and Regulations
Assurance is provided that NAU is in compliance with affirmative action and equal opportunity student employment policies and laws.
Opportunity for Improvement
1, 3 7, 9
Assurance is provided that NAU is in compliance with disability and equal access laws.
Opportunity for Significant Improvement
1, 2 7, 8
We appreciate the assistance of all staff who responded to our questionnaires and
interviews, including representatives from multiple offices within Enrollment Management
and Student Affairs, the Equity and Access Office, Environmental Health and Safety,
Graduate College, Human Resources, Contract and Purchasing Services, and the
University College.
/s/ /s/ Penny Whitmore Senior Internal Auditor Northern Arizona University (928) 523-6459 [email protected]
Mark Petterson Chief Audit Executive Northern Arizona University (928) 523-6438 [email protected]
Northern Arizona University Audit of Student Employment
Audit Report
Page 7 of 15
Audit Results, Recommendations and Responses
1. NAU should create a student employment office.
Condition: Many of the administrative functions relating to student employment would be
more effectively and efficiently performed by a centralized student employment office than
by hiring departments.
Criteria: Hiring and administration of student employees should be efficient and
effective. Hiring practices should:
1) facilitate compliance to federal regulations and NAU policies; 2) promote consistent compensation practices; 3) standardize steps in the hiring process, including the application for employment; 4) include a student-employee handbook and a supervisory handbook; 5) develop and implement an Affirmative Action Plan for student employees; 6) communicate student employment policies and procedures; 7) include awareness of leading practices via participation in student employment
associations 8) include a process to work with outside employers to obtain and post jobs; 9) standardize performance evaluation procedures; and 10) standardize resolution of student grievances.
Cause: Student employment practices have developed piecemeal over time, with no
central authority controlling them.
Effect: NAU student hiring and administration practices are inefficient, expose NAU to
discrimination complaints, and create extra work for hiring departments.
Recommendation: NAU should create a student employment office.
Response:
Finance and Administration: We concur and recommend that it be placed in EMSA within a student career services office.
EMSA: We agree. The student employment office will be placed within the career services center with heavy collaboration with Financial Aid to ensure we are in compliance with Title IV requirements. Career Services will be moving back to EMSA during FY17; due to this we request a minimum of one year to make
Northern Arizona University Audit of Student Employment
Audit Report
Page 8 of 15
necessary changes.
2. Students with disabilities should be accommodated in applying for vacancies when necessary.
Condition: Some students with disabilities are not able to independently search for and
apply for employment opportunities using Jobs for Jacks/Handshake. NAU does not
provide and communicate alternatives to accommodate students with disabilities
searching for student employment.
Criteria: The Americans with Disabilities Act (ADA) provides that employers are required
to provide accommodations to the known physical or mental limitations of applicants or
employees, unless the accommodation would result in an undue hardship on the
employer. No covered entity shall discriminate against a qualified individual with a disability
because of the disability of such individual in regard to job application procedures, the
hiring, advancement, or discharge of employees, employee compensation, job training,
and other terms, conditions, and privileges of employment. ADA, Public Law 101-336,
Section 102(a).
Section 504 of the Rehabilitation Act prohibits discrimination on the basis of disability in
programs or activities that receive Federal financial assistance from the U.S. Department
of Education. Title II of the Act prohibits discrimination on the basis of disability by state
and local governments.
Reasonable accommodations should be provided to students with disabilities to comply
with federal legislation and provide the largest pool possible of qualified student applicants.
According to the U.S. Department of Labor Office of Federal Contract Compliance
Program, online systems such as Jobs for Jacks/Handshake should utilize “universal
design” techniques. Other reasonable accommodations may include providing information
regarding job vacancies in a format accessible to individuals with vision or hearing
impairments, e.g. Braille, Telecommunications Devices for the Deaf (TDDs), readers, and
interpreters. Currently, no system can ensure accessibility in all scenarios; therefore,
federal regulations require that applicants be provided an equally effective alternative with
substantially equitable ease of use or be afforded the opportunity to request an
accommodation from a designated individual.
Northern Arizona University Audit of Student Employment
Audit Report
Page 9 of 15
Cause: When the online application and job posting system was selected, the vendor
agreed to meet appropriate accessibility standards. The vendor has not delivered on that
promise.
Effect: NAU may not be compliant with federal regulations and not all qualified students
are afforded the opportunity to apply for student employment.
Recommendation: NAU Career Development and Disability Resources should work with
the vendor to upgrade Jobs for Jacks/Handshake to accommodate disabled students
searching and applying for student employee openings. If not feasible, alternative
procedures should be identified and considered for implementation.
Response:
Finance and Administration: We concur and suggest that EMSA be asked to respond.
EMSA: EMSA will review Jobs for Jacks/Handshake and make a recommendation in this regards. EMSA will work with ITS to identify alternative software that is assessable.
3. There should be consistent and well-documented employment practices to assure that NAU is in compliance equal employment opportunity regulations and can comply with affirmative action requirements.
Condition: NAU has a system in place to ensure that all qualified applicants applying for
benefit-eligible positions have an equal opportunity for recruitment, selection, and
advancement. However, there is no assurance that NAU’s student employment practices
comply with affirmative action (AA) and equal employment opportunity (EEO) regulations.
Criteria: According to NAU’s Equity and Access Office (EAO), during the last few years
the federal government has informed university federal contractors of the need to include
student employees and graduate assistants in its affirmative action plan. (At present, the
University of Arizona and Arizona State University reportedly do not include student
employee in their affirmative action plans.) Universities have informed the government that
compliance will be difficult and require additional funding resources.
An affirmative action plan requires that the following be documented:
Northern Arizona University Audit of Student Employment
Audit Report
Page 10 of 15
Outreach to minorities, women, disabled students, and veterans;
minimum and preferred qualifications for each job being offered;
applications filled out by each student showing qualifications;
a confidential form is provided for each applicant to voluntarily indicate their race, sex, and disability and veteran status. The form is submitted directly to Equity and Access and not be seen by the supervisor;
how the applicants were ranked based on the required qualifications;
an explanation of any deviations from the ranked selection order. For example, an applicant withdrew;
a code assigned to each applicant not selected to indicate when and why they were no longer considered;
a listing of individuals who were hired; and employee hiring, transfers, promotions and terminations.
Cause: Incorporating student employees in NAU’s affirmative action plan would require
significant resources.
Effect: There is no assurance that NAU’s student employment practices comply with affirmative action (AA) and equal employment opportunity (EEO) regulations. NAU would have difficulty in disputing claims of discrimination since not all departments are documenting searches and retaining hiring, promotion, and termination records.
Recommendation: NAU should develop student hiring and administration procedures
that enable NAU to be in compliance with AA and EEO requirements.
Response:
Finance and Administration: We concur. HR would be happy to assist in areas where they can help.
EMSA Career Services (effective FY17) will work with Affirmative Action and HR to incorporate any necessary federal and state AA and EEO policies.
4. Student employment practices should be standardized.
Condition: Hiring departments and supervisors have developed sound student
employment practices, for the most part. However, practices often vary by department.
For example, some departments:
Northern Arizona University Audit of Student Employment
Audit Report
Page 11 of 15
require all their openings to be posted on Jobs for Jacks/Handshake while other departments rely on flyers, emails and word-of-mouth, or use a combination of methods;
utilize a hiring committee to ensure fair hiring practices while other departments meet and discuss fair hiring practices when filling positions;
have developed and use a hiring checklist to ensure that all hiring requirements have been fulfilled, i.e. required training has been taken, background checks have been requested, and the new employee packet has been completed and returned. Other departments do not use a checklist or are in the process of developing one;
require formal performance evaluations at set dates while other departments rely on continuing informal performance evaluations;
have developed formal disciplinary procedures while other departments have not; and
have developed student employment handbooks while other areas have not.
Criteria: NAU policies and procedures should exist and enable student employment to be
administered consistently across departments and according to Federal regulations.
Cause: Student employment practices have developed piecemeal over time, with no
central authority controlling them. As a result, hiring departments have taken on the
responsibility to develop job descriptions, fill open positions, evaluate performance, and
determine pay rates.
Effect: Inconsistent employment practices may result in; 1) failure to provide all interested
and qualified students the opportunity to apply for student employment, 2) a lack of
assurance that all student employees are being treated fairly, and 3) inefficient
departmental efforts.
Recommendation: NAU should standardize student employee hiring and administration
practices, and create the appropriate policies and procedures, communication, training
and tools to ensure that student employee hiring personnel have adequate support for
following consistent practices.
Response:
EMSA: We agree and per Recommendation 1 we will work to develop these practices over the next FY.
Northern Arizona University Audit of Student Employment
Audit Report
Page 12 of 15
5. Student compensation should be more consistent.
Condition: Compensation for student jobs is not consistent or equitable across the
University. For example, student custodians are hired by both Facility Services and
Resident Life for summer work. The student custodians who work for Residence Life are
given free housing (taxable) and wages; while student custodians working for Facility
Services are provided only wages.
Criteria: Student compensation across the University should be comparable, competitive
and correspond to the challenges of the job.
Cause: Student employment practices have developed piecemeal over time, with no
central authority controlling them.
Effect: Some students may be compensated more than other students who are doing the
same or more difficult work. Student employees may leave jobs for other easier jobs, or
similar jobs that provide greater compensation.
Recommendation: A process should be developed to better ensure equitable
compensation for similar jobs across the University, especially within departments. Pay
ranges and any benefits should be published.
Response:
Finance and Administration: HR will participate in discussions and can provide compensation consulting assistance to the unit that will be responsible for administration and maintenance of student worker compensation and determining an equitable approach and guidelines. We suggest that high level student wage guidelines may be the best overall approach vs. any strict student compensation system where the administration and resources to manage might outweigh the benefit.
EMSA: Will work collaboratively with Admin & Finance on developing the compensation to ensure we comply with Title IX policy.
Northern Arizona University Audit of Student Employment
Audit Report
Page 13 of 15
6. A student employee handbook and a handbook for supervisors of student
employees should be developed.
Condition: A Student Employment Handbook developed by the Office of Scholarships
and Financial Aid is available but has not been distributed to all hiring departments.
According to Financial Aid, it is only intended to apply to the Federal Work Study program.
No student employment handbook has been prepared and distributed to all student
workers.
There is no supervisory handbook for supervisors to provide consistent direction in hiring,
communicating job expectations, ensuring mandatory training is taken, evaluating
performance, determining pay rates and merit increases, handling student grievances,
recommended disciplinary process, etc.
Criteria: Standardized student employment and supervisory handbooks should be
developed for reference and to promote consistent practices.
Cause: Student employment practices have developed piecemeal over time, with no
central authority controlling them.
Effect: Consistent guidance is not provided to student employees and their supervisors
that provides guidance regarding hiring procedures, regulations and policies,
compensation, benefits and leaves, performance evaluation forms and guidelines,
disciplinary procedures, compensation rates, contacts and listing of other available
resources.
Recommendation: A student employee handbook that applies NAU-wide should be
developed and kept current. The handbook developed by the Office of Financial Aid would
be a good starting point. Evidence should be provide that reflects student employees are
familiar with the handbook and its contents.
Response:
Finance and Administration: HR will be glad to contribute to discussions in this area as appropriate. It is important to preserve the “at-will” nature of student employment and HR can assist with this. It is also appropriate to involve the Policy on Policy committee within the parameters of their charge. Presuming that the personnel hired by EMSA for the Student Employment/Career Services office also are
Northern Arizona University Audit of Student Employment
Audit Report
Page 14 of 15
responsible for resolving student employment grievances, HR will participate in the hiring process for personnel assigned to those tasks to help identify adequate skills and background. HR can also provide consulting assistance as needed to Student Employment/career Services personnel.
EMSA will work collaboratively with HR and Financial Aid to develop a student handbook.
7. A centralized system for tracking student training should be implemented.
Condition: There is no assurance that all mandatory NAU training is taken by student
employees. Supervisors request student employees to provide evidence of training taken
or the supervisors contact the training administrators directly to confirm training taken.
NAU does not presently have a comprehensive learning management system in place for
employee training.
Criteria: Evidence of all NAU training taken by students should be readily available for
review by departmental supervisors and potential employers.
Cause: Lack of a student employment office and lack of information technology support.
Effect: There is no efficient way to identify what training students have received.
Recommendation: A centralized system for tracking student training would be the most
effective solution for managing student training requirements, given the large volume of
student employees and transient nature of student work. Until the centralized system is
developed, we recommend that the hiring departments be made aware of their obligation
to maintain manual records of all student training.
Response:
Finance and Administration: We concur. The NAU department assigned student employment should communicate with departments to ensure they keep manual records until the ITS solution is launched.
Northern Arizona University Audit of Student Employment
Audit Report
Page 15 of 15
Distribution: Audit Committee, Arizona Board of Regents Internal Audit Review Board Rita Cheng, President Cynthia Anderson, Dean of Students, Student Life Jamie Axelrod, Director, Disability Resources Jennus Burton, Vice President for Finance and Administration Sarah Ells, Health/Safety Officer, Environmental Health and Safety Bjorn Flugstad, Vice President, Planning and Institutional Research Erin Grisham, Associate Vice President, Enrollment Management and Student Affairs Joanne Keene, Executive Vice President and Chief of Staff Jane Kuhn, Vice President, Enrollment Management and Student Affairs Emily McCarthy, Program Director, Career Development, University College Becky McGaugh, Executive Director, Contracting and Purchasing Services Priscilla Mills, Assistant Vice President, Equity and Access Office Nydia Nittman, Executive Director, Office of Scholarships & Financial Aid Michelle Parker, General Counsel David Spivey, Director, Graduate College Wendy Swartz, Associate Vice President and Comptroller Diane Verkest, Associate Vice President, Human Resources Maribeth Watwood, Dean, Graduate College
This page left blank intentionally.
Internal Audit Department
Information Technology General Controls Audit Report
August 2016
Report Number FY 16-11
This page left blank intentionally.
Northern Arizona University Information Technology General Controls
Audit Report August 15, 2016
Summary
Our audit of Information Technology General Controls is in the Northern Arizona
University Annual Audit Plan for FY 2016, as approved by the Audit Committee of the
Arizona Board of Regents. The audit links to NAU’s strategic goal of sustainability and
effectiveness. The area was previously audited in December 2012.
Background: General controls are controls that relate to the environment within which
computer-based application systems are developed, maintained and operated, and are
applicable to all applications. The objectives of general controls are to ensure the proper
development and implementation of applications and the integrity of program and data
files and of computer operations. Like application controls, general controls may be either
manual or programmed.
Common IT general controls are:
Logical access controls over infrastructure, applications, and data;
System development life cycle controls;
Program change management controls;
Data center physical security controls;
System and data backup and recovery controls;
Computer operation controls.
The IT environment being audited is Information Technology Services, which operates
and maintains information technology and telecommunications services in support of the
NAU mission and goals. Services include academic support, administrative systems
support, student services, telecommunications, and faculty and staff support and training.
Audit Objectives: The objectives of this review were to assess ITS controls in the
following areas:
Change management
Contingency planning
Logical access policies, standards, and processes Physical security
Problem management
Project Management
Source code / document version control
Technical support
Northern Arizona University Information Technology General Controls
Audit Report
Page 2 of 5
Scope: The scope of our audit encompassed the examination and evaluation of the
internal control structure and procedures controlling information technology general
controls as implemented by ITS.
The scope also included a review of access rights assigned to users of PeopleSoft
applications for Human Capital Management, LOUIE (student and employee information
management system), and PeopleSoft Financials.
Methodology: We used control questionnaires and interviews to identify IT general
controls, then tested a sample of the controls.
The audit was conducted in accordance with the International Standards for the
Professional Practice of Internal Auditing.
Conclusion: Information technology general controls in the areas audited at Information
Technology Services are adequate. One audit recommendation was made.
Observation: ITS has significantly improved its change management procedures since
the previous IT General Controls audit in 2012.
NAU has also automated the process for assigning and removing logical access rights to
PeopleSoft applications, replacing a cumbersome manual system.
The control standards we considered during this audit and the status of the related
control environment are provided in the following table.
General Control Standard (The bulleted Items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Recommen-dation No.
Page No.
Reliability and Integrity of Financial and Operational Information
Changes meet business requirements and are authorized.
Reasonable to Strong Controls in Place
Controls protect the integrity of program code.
Reasonable to Strong Controls in Place
Logical access to PeopleSoft applications is limited to authorized users
Reasonable to Strong Controls in Place
Northern Arizona University Information Technology General Controls
Audit Report
Page 3 of 5
General Control Standard (The bulleted Items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Recommen-dation No.
Page No.
Effectiveness and Efficiency of Operations
IT projects are effectively managed.
Opportunity for Improvement
1 4
The root causes of problems are identified and addressed.
Reasonable to Strong Controls in Place
Procedures exist to help users report problems and perform more efficiently.
Reasonable to Strong Controls in Place
Safeguarding of Assets
Access is managed based on business needs.
Reasonable to Strong Controls in Place
Disaster recovery/backup and recovery procedures enable continued processing despite adverse conditions.
Reasonable to Strong Controls in Place
Controls protect the physical security of information technology assets from individuals and from environmental risks
Reasonable to Strong Controls in Place
Compliance with Laws and Regulations
Not Applicable
We appreciate the assistance of the staff of Information Technology Services during the audit. /s/
Mark Petterson Chief Audit Executive (928) 523-6438 [email protected]
Northern Arizona University Information Technology General Controls
Audit Report
Page 4 of 5
Audit Results, Recommendations and Responses
1. The ITS Project Management Office is not managing IT projects effectively.
Condition: ITS has a project management framework for NAU information systems
development projects, but it has not been fully implemented and does not enable the
alinement of NAU information technology resources with NAU strategic goals.
Criteria: Information systems development projects should have project management
adequate to ensure all relevant project management tasks are completed.
Cause: A pervasive lack of financial and staffing resources exists within Information
Technology Services.
University culture assigns responsibility for successful implementation of enterprise
systems development projects only to ITS, rather than ITS and project stakeholders.
Stakeholders outside of ITS control some of the resources needed for successful project
completion but currently do not share responsibility for success.
Effect: The current project management staff of three individuals is inadequate to assign
a full-time project manager to each enterprise system development project. Project
managers only have time to deal with the most critical project management tasks, such
as identifying and assigning staffing resources to the project. Less critical project
management tasks are being handled informally or not at all.
The current project management practices:
fail to fully implement NAU’s well-designed project management framework
result in slow progress in changing NAU’s culture of informality in information
systems project management
increase the risk of incomplete or flawed systems implementation
result in Inadequate involvement in systems development by the user community.
Recommendation:
The organization and procedures of the Project Management Office should be reviewed
to enable :
o a full-time project manager to be assigned to each enterprise systems
development project
Northern Arizona University Information Technology General Controls
Audit Report
Page 5 of 5
o resources for project management consulting to be available to smaller information
systems development efforts.
Response: We agree with the audit recommendation as reported. Regarding the one
opportunity for improvement, we agree that project management staffing is not ideal for
our current project load. With the difficulty in funding new hires, we will need to find some
creative ways to improve our current process. One option that we are pursuing is to more
carefully align projects with strategic mission, so that we can focus scarce resources on
the most critical tasks. This may result in the delay of some projects, but should provide
superior results for the chosen projects, with a positive impact on IT, project management,
and functional office staffing resources. We will look for other ways to improve our current
process, and will report progress when requested.
Distribution:
Audit Committee, Arizona Board of Regents
Internal Audit Review Board
Rita Cheng, President
Steve Burrell, Chief Information Technology Officer
Jennus Burton, Vice President for Finance and Administration
Bjorn Flugstad, Vice President, Planning and Institutional Research
Joanne Keene, Executive Vice President and Chief of Staff
Michelle Parker, General Counsel
Wendy Swartz, Associate Vice President and Comptroller
This report is intended for the information and use of the Arizona Board of Regents, NAU
administration, the Arizona Office of the Auditor General, and federal awarding agencies
and sub-recipients.
This page left blank intentionally.
Internal Audit Department
Aquatic and Tennis Center Audit Report
October 2016
Report Number FY 16-12
This page left blank intentionally.
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report October 27, 2016
Summary
Northern Arizona University contracted with Haydon Building Corp. (HBC) to
construct an Aquatic and Tennis Complex to replace the Wall Aquatic Center. Our
audit of this construction project is included in NAU’s Fiscal Year 2016 Annual
Internal Audit Plan, as approved by the Arizona Board of Regents Audit
Committee. New construction is required to accommodate student enrollment
growth and enhance students’ learning experiences. The audit links to ABOR’s
strategic goal of promoting student learning and success.
Background: The project is being delivered through the Construction Manager at
Risk (CMAR) method. Construction administration and project management are
being provided by Facility Services.
The Aquatic and Tennis Complex is used by NAU student-athletes, other members
of the NAU community, and Olympic-class athletes. The facility is home to the
Lumberjacks swimming and diving team and tennis teams. NAU Athletics shares
and operates the facility in conjunction with NAU Campus Recreation. The
123,341-square foot facility replaces the old 50,074-square foot aquatic center.
The aquatic complex includes an Olympic-size pool, separate diving pool, elevated
stadium seating, dry land training area, locker rooms, and program support space.
The tennis complex has six indoor courts, which are equipped with umpire chairs,
benches, separation nets and backdrop curtains; and features spectator seating,
a large scoreboard, and training and support space and informal lockers. The
indoor portion of the Aquatic and Tennis Complex was substantially complete and
opened in February 2016. The outdoor portion of the Aquatic and Tennis Complex
includes six outdoor tennis courts and an outdoor multipurpose athletic field that
are currently under construction and are expected to be substantially completed in
October 2016. The debt service is funded from Systems Revenue and Refunding
Bonds Series 2014.
The pre-construction contract agreement with the CMAR was executed in June
2013. A notice to proceed for construction services was issued in April 2014.
Design professional services were provided by Sink Combs Dethlefs for
$1,998,804. Haydon’s pre-construction costs were $303,941. The guaranteed
maximum price for construction, excluding pre-construction and architectural
costs, is currently at $39.2 million.
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 2 of 11
Audit Objectives: The primary objectives of this review were to determine if:
contract terms are applied as written;
charges are adequately supported by actual costs incurred by the CMAR;
the subcontractor selection process is consistent with ABOR policies;
proposed change orders are sufficiently documented; and
fees are applied as specified by the construction contract. Scope: The scope of this audit was the project construction phase from inception
through February 29, 2016 (Pay Application 23). We relied on Facility Services’
expertise for the construction technical aspects and to determine whether NAU
received the contracted scope of work. Accordingly, the audit scope did not include
any on-site inspections to assess construction methods, materials, or compliance
with design specifications. Facility Services provided a tour of the aquatic and
indoor tennis facility.
Methodology: The audit objectives were accomplished using the current Tri-
University construction audit program (August 1, 2013 edition), which includes:
Reconciling construction payments, as recorded in NAU’s financial system, to applications for payments.
Verifying that pay applications are supported by the contractor’s internal financial records.
Performing a detailed review of transactions charged to General Conditions and other reimbursable costs to ensure they are allowable and adequately supported.
Verifying subcontractors were selected according to contract requirements and ABOR procurement policies.
Confirming that overhead and fees on proposed change orders are calculated consistently and per the contract. Determining whether GMP adjustments are properly approved by NAU.
Assessing whether proposed change orders provide sufficient information to validate price-reasonableness and, where appropriate, rates are consistent with the subcontractor contracts.
Verifying that charges for bonds, insurance, and sales taxes are documented and per the contract.
Ensuring that usage of contingency funds and allowances are properly approved.
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 3 of 11
The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.
Conclusion: Construction of the Aquatic and Tennis Complex was adequately
controlled by Facility Services, but opportunities for improvement exist as
described in the audit recommendations. When construction of the outdoor tennis
courts and multipurpose field is complete, there are several outstanding items to
complete before project close out:
obtaining final lien waivers and notices that the CMAR released retainage funds to subcontractors
verifying that all punch list items were resolved
confirming that liability insurance, bonds, and taxes are charged to the project based on actual costs
evaluating project results and the performance of the CMAR.
Observation: We noted that beginning with pay application #4 for services
rendered through July 31, 2014, hourly rates as authorized per the CMAR contract
for CMAR’s supervision personnel did not agree to hourly rates charged under
general conditions. Hourly rates charged were higher than authorized hourly rates
for the project coordinator, mechanical coordinator, superintendent 3 and a general
employee. A change order will be issued to properly authorize the increase in
hourly rates from pay application #4 to current.
Opportunities for improvement are reflected in the remainder of the report. The
areas we reviewed during this audit and the status of each are provided in the
following table.
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 4 of 11
General Control Standard (The bulleted Items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Recommen- dation No.
Page No.
Reliability and Integrity of Financial and Operational Information
Contractor billings and change orders are supported by the contractor’s job cost ledger.
Opportunity for Improvement
1 6
The contractor’s job cost ledger is supported by sub-ledgers that facilitate analyses and reviews, such as equipment rental charges, payroll schedules, and subcontractor payment ledgers.
Opportunity for Improvement
2 8
Adequate documentation is pro- vided to support charges made to General Conditions with the pay applications and General Conditions are allowable per the contract.
Reasonable to Strong Controls in Place
Allowances and contingencies are accurately tracked and properly approved.
Reasonable to Strong Controls in Place
Charges for indirect costs such as fees, taxes, and insurance are supported or accurately calculated.
Opportunity for Improvement
1 6
Subcontractor change order proposals are submitted with sufficient information to determine price reasonableness.
Opportunity for Improvement
2 8
Effectiveness and Efficiency of Operations
The overall contract is clear, effective, and efficient to administer.
Reasonable to Strong Controls in Place
2 8
Allowable costs are sufficiently defined in the contract and are efficiently processed.
Reasonable to Strong Controls in Place
2 8
Safeguarding of Assets
Compliance with Laws and Regulations
The contract and ABOR selection process for subcontracted work is followed and the subcontracts are supported by the bid awards.
Reasonable to Strong Controls in Place
Change orders are priced per the contract and are properly approved.
Reasonable to Strong Controls in Place
2 8
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 5 of 11
We appreciate the assistance of the staff of Haydon Building Corp. and Facility Services during the audit. Management is supportive of our recommendations and has actively begun
working to implement their identified action items.
/s/ /s/ Karletta Jones Senior Internal Auditor Northern Arizona University (928) 523-4136 [email protected]
Mark Petterson Chief Audit Executive Northern Arizona University (928) 523-6438 [email protected]
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 6 of 11
Audit Results, Recommendations, and Responses
1. The invoices for builder’s risk insurance and the job cost detail ledger were not provided timely by the CMAR.
Condition: Amounts paid by the CMAR for Builder’s Risk Insurance could not be verified as invoices were not provided by the CMAR until the Internal Audit department requested them as part of the audit. Builder’s Risk Insurance is required of all general contractors to protect the interests of NAU and contractors from physical loss or damage to materials, fixtures and/or equipment being used in the construction of a building. Charges included on the pay applications could not be verified timely as the job cost detail ledger was not provided by the CMAR until the Internal Audit department requested them as part of the audit.
Criteria: Section 2.1.14 of the CMAR contract states: “With respect to all Work
performed by CMAR and its Subcontractors and Consultants, CMAR, its
Subcontractors and Consultants, shall keep full and detailed accounts and
exercise such cost controls as may be necessary for proper financial management,
using accounting and control systems in accordance with generally accepted
accounting principles and subject to review by Owner.” The General Contractor’s
job cost ledger provides a detailed account as it captures all costs associated with
the construction project. The job cost ledger supports the contractor billings and
change orders.
All construction costs should be verifiable to ensure the billings paid by NAU are
accurate and complete.
Cause: Builder’s Risk Insurance is charged on a monthly basis per each pay
application; however, the CMAR did not provide invoices or calculations to support
the builder’s risk charges until the project was substantially complete.
The CMAR’s failure to provide a job cost ledger in a timely fashion was attributed
to problems related to an accounting system conversion during the project
Effect: Consistent with their insurance policy the CMAR calculated builder’s risk
monthly premiums on the total cost of the project. Builder’s risk premiums as
calculated by the CMAR and verified by the auditor from inception through
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 7 of 11
February 29, 2016 were $36,522. Builder’s risk totaled $94,940 per pay
application #23, from inception to February 29, 2016. The charges per the pay
applications were more than the monthly premiums; resulting in NAU overpaying
on builder’s risk insurance in the amount of $58,418 as of February 29, 2016. Per
the insurance policy, the builder’s risk coverage extends through May 1, 2016;
however, per Section 6.3.5 of the CMAR contract, coverage should be provided
and maintained “until written notice of Substantial Completion from the Owner”,
which was February 8, 2016 for the indoor facility portion of the project.
Because two accounting systems were used, the account detail to support direct
costs, indirect costs and fees could not be timely generated.
Recommendation: Facility Services should obtain supporting documentation
related to Builder’s Risk insurance expenses and the Job Cost Detail Ledger as
the project progresses with the option to escalate when the CMAR is not providing
the requested information.
Facility Services should verify the insurance coverage period against the notice of
Substantial Completion for the indoor facility portion of the project and verify
overpayment once the project is complete for builder’s risk, which will impact taxes.
Response:
Job Cost Ledger:
Per the recommendation, Facility Services will begin requesting a fully detailed job
cost ledger with each monthly payment application. It should include detail of all
general conditions, subcontractor costs, and indirect costs.
Builder’s Risk:
NAU will issue Haydon a deductive change order for the difference between the
total amount paid to Haydon for builder’s risk and the amount of their actual costs,
including the offset in applicable taxes.
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 8 of 11
2. Facility Services should improve its authorization of rates to properly verify costs charged to construction projects.
Condition: The audit identified several situations where Facility Services can improve its verification of project costs:
a) While testing change orders, we noted most subcontractor agreements did not state labor rates. Accordingly, subcontractor labor was not supported by documentation sufficient to verify the labor rates charged were appropriate and in accordance with approved rates agreed upon between the general contractor and subcontractor.
b) NAU did not obtain a listing of equipment expected to be used on the project
for each subcontractor. The listing should include the fair market value of each item at the time it was used and is contractually required to ensure that equipment rental charges are not excessive. Because no equipment rental listing was provided, equipment rental rates could not be verified to determine if appropriate and properly authorized.
c) Per Diem (i.e. travel and hotel) was charged by several subcontractors,
however subcontractor agreements did not state approved per diem rates. Instead the contract and subcontractor agreements outlined general conditions as 10% and the fee as 5%. To be consistent with CMAR General Condition’s billings, subcontractor general conditions should include per diem, but were separately billed. General conditions and per diem charged separately appear to be a duplicate charge. Both charges are then considered in the 5% fee, which result in the fee being overstated. Of the change orders sampled, we noted total per diem charged in the amount of $6,780 in addition to the general condition percentage of 10% and fee of 5%.
Criteria: Facility Services should ensure negotiated rates are approved by NAU
management. This provides authorization for amount of costs to be charged to the
project by the owner. These authorized rates are instrumental in the timely
verification of the costs charged to the project.
Cause: Project costs related to subcontractor labor rates, equipment rental rates
and subcontractor per diem rates were inadequately outlined per the contract.
Instead, Facility Services relied on reasonableness tests to verify these project
costs.
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 9 of 11
Effect: Although the existing process allows for the CMAR to negotiate lower rates,
there is no consistent approval of rates to be charged to the project via initial
subcontractor contract and/or change orders.
Recommendation: Facility Services should ensure the contract is appropriately
updated to verify the reasonableness of all costs and distinction between
subcontractor general conditions and subcontractor per diem. Additionally, with
each negotiation, rates for labor, equipment and per diem should be approved by
NAU. These approved rates should then be used to verify the costs charged to
the project.
Response:
a) This contract version did not specify the CMAR to require labor rates for subcontractors within their subcontracts. The reason the CMAR gave for not requiring labor rates within all subcontracts was to enable them the ability to negotiate labor rates throughout the project. Facility Services and the Design Professional review all labor rates within proposed change orders for reasonableness noting that there is a wide range of what is considered an industry standard for a labor rate (i.e. craft level labor rates for a general “laborer” may be $12/hour whereas a typical labor rate for an elevator technician may be as high as $280/hour). We may improve our process by including language in the contract requiring the CMAR provide labor rates for all subcontracts. We will discuss with the Tri-U construction group including language in the CMAR contract that would require the CMAR to provide labor rates for all subcontracts.
b) As far as the equipment rates, this contract version did not specify the CMAR to require equipment rates for subcontractors within their subcontracts. At the time of GMP negotiation with Haydon, we were aware that Haydon was not going to charge any “in-house” equipment rental and that any equipment rentals would be procured either through the subcontractors as part of a competitive bidding process, or through a rental equipment company such as RCS or Sunstate, also through competitive bidding process, therefore we didn’t need to include a rental equipment pricing list in the GMP Amendment. When subcontractors included equipment rentals in their change order requests, we did compare these rates to equipment rates from rental equipment vendors; to RS Means rates
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 10 of 11
and to equipment rates provided on other CMAR projects and found them to be market competitive and reasonable. RS Means is a division of Reed Business Information that provides cost information to the construction industry so contractors in the industry can provide accurate estimates and projections for their projected costs. In the future, we will ask the CMARs to provide a list of the specific pieces of equipment their subcontractors are planning on using on their specific projects, and to provide the market value of such equipment so that we can better verify that the cost of renting equipment doesn’t exceed their market value.
a) Per diem was included in the CMAR contract at a rate of $125/week/onsite employee for the CMAR. This contract did not specify the CMAR to require Per diem rates for subcontractors within their contracts, but the terms of the CMAR contract indicates that the only allowed line items for subcontractors C.O. are material, labor, equipment, GCs (capped at 10%), fees (capped at 5%) and taxes. This creates the situation that CMARs are allowed to include per diem in GCs, but subcontractors are not. The same contract language applies to ASU and UA, and their subcontractors typically don’t have to deal with out of town travel. In our case, it seems that we do have added cost due to labor workers having to be out of town to complete the work. We will discuss with the Tri-U construction group including language in the CMAR contract that would require the CMAR to provide per diem rates for all subcontracts.
Northern Arizona University Aquatic and Tennis Complex Construction Contract
Audit Report
Page 11 of 11
Distribution: Audit Committee, Arizona Board of Regents Internal Audit Review Board Rita Cheng, President Jennus Burton, Vice President for Finance and Administration Agnes Drogi, Director of Planning, Design and Construction, Facility Services Bjorn Flugstad, Chief Financial Officer Joanne Keene, Executive Vice President and Chief of Staff John Morris, Associate Vice President, Facility Services Michelle Parker, General Counsel Kathleen Viskocil, Project Manager, Facility Services Wendy Swartz, Associate Vice President for Financial Services and Comptroller This report is intended for the information and use of the Arizona Board of Regents, NAU administration, the Arizona Office of the Auditor General, and federal awarding agencies and sub-recipients.
This page left blank intentionally.
Internal Audit Department
Accounts Payable Audit Report
October 2016
Report Number FY 17-01
This page left blank intentionally.
Northern Arizona University Accounts Payable
Audit Report October 27, 2016
Summary
Our audit of Accounts Payable is in NAU’s Annual Audit Plan for FY 2017. An audit of Purchase Orders was done in FY 2010 and an audit of Accounts Payable using data analytics was done in FY 2015. This audit expands on the FY 2015 review by performing detailed transaction testing. The audit links to NAU’s value of integrity and its strategic goal of sustainability and effectiveness. Background: All funds coming into NAU are considered public funds and are subject to
State regulations. Use of public funds is restricted to expenses that promote the public’s
interests. Public funds may not be expended for gifts and personal expenses. NAU has
established policies that supplement State regulations and define the funds and
restrictions that apply to common disbursements. For FY 2016, 31,843 transactions were
processed, excluding purchasing card transactions. These expenses are categorized by
fund as follows.
Fund
FY 16 Expenditures
(excludes P-Cards)
State $ 23,631,961
Local-Designated 31,008,435
Local-Auxiliary 14,818,583
Grants 3,298,650
Unexpended Plant 58,244,210
Agency 37,821,941
Total FY 2016 $168,823,780
Accounts Payable is a unit within Contracting and Purchasing Services (CPS). It reviews
invoices and requests for payment to ensure that the amounts agree with the amounts
approved by department business units. Prior to authorizing payment, units are
responsible for ensuring all forms required for payment and receipts are attached per
NAU policies.
Accounts Payable is part of the disbursement cycle that also includes purchasing,
receiving, and payment oversight. Departmental business units are required to ensure
purchases comply with State and University policies. They are required to enter
requisitions, purchase orders, and receiving reports electronically into PeopleSoft
Northern Arizona University Accounts Payable
Audit Report
Page 2 of 8
Financials and retain approved requisition, purchase order, receiving documents and
related documentation to provide evidence of compliance. For allowable purchases over
$5,000, CPS oversees procurement of items in accordance with established policies and
procedures.
The Comptroller’s Office develops disbursement policies and procedures that supplement
State regulations. It maintains functional oversight of NAU’s electronic document storage
system, OnBase. As part of its compliance reviews and purchasing card analyses, the
Office reviews invoices and purchasing card documentation stored in OnBase. The
Comptroller’s Office also reviews purchasing and disbursement data via queries built in
ACL software.
Accounts Payable may authorize payments to vendors in one of the following ways:
Purchase Order. Payment is authorized on purchase orders for goods and services once
the requesting department electronically prepares a receiving report and Accounts
Payable receives an invoice from the vendor.
Check Requests. Check requests are used to pay third parties for which no Purchase Order has been set up and are processed using a single payment voucher in PeopleSoft. Specifically, check requests are used to: 1) reimburse students, 2) reimburse interviewee expenses, 3) pay for authorized non-employee travel costs, and 4) disburse revenue collected by NAU to vendors. Check requests for student reimbursements, interviewee expenses, and travel for non-employees are generally processed under a generic vendor code (the “Single Payment Vendor”), while check requests made to vendors are processed under the vendor’s unique vendor code. Audit Objective: The objective of this review was to assess NAU’s Accounts Payable
processes for efficiency and effectiveness.
Scope: The scope of our audit included FY 2016 Accounts Payable transactions related
to the purchase of goods and services from external sources. Purchasing card
transactions and employee reimbursements were not reviewed.
Methodology: The following procedures were performed to accomplish the audit
objectives:
distributed and reviewed questionnaires to CPS staff to gain an understanding of NAU’s disbursement cycle;
Northern Arizona University Accounts Payable
Audit Report
Page 3 of 8
interviewed CPS personnel as needed to ensure an understanding of the processes used to administer Accounts Payable;
evaluated the Accounts Payable process and procedures for efficiency, effectiveness and compliance with State regulations; and
judgmentally selected 350 transactions from PeopleSoft Financials to determine if purchases were allowable.
The audit was conducted in accordance with the International Standards for the
Professional Practice of Internal Auditing
Conclusion: NAU’s Accounts Payable processes are effective and efficient. Accounts
Payable processes are accurately posting dollar amounts to PeopleSoft Financials.
Purchase orders and vendor invoices are efficiently and timely processed in PeopleSoft
Financials; and the implementation of OnBase enables supporting documentation to be
efficiently archived and accessed.
Some opportunities for improvement were noted:
Library subscriptions should be renewed using purchase orders.
The OnBase document imaging system should be used to store supporting documentation for all payments authorized by Accounts Payable.
An appropriate description for payments made using Check Requests for student reimbursements should be reflected in transaction detail reports.
Management is supportive of our recommendations and has actively begun working to
implement their identified action items. These recommendations are discussed in the
remainder of the report.
Observations: Accounts Payable is utilizing the capabilities of PeopleSoft Financials
effectively and efficiently for payments made using purchase orders. The decentralized
Accounts Payable model in use requires NAU to rely on sound internal controls at the
department level. Audit plans to review departmental controls during future departmental
audits.
Contracting and Purchasing Services has drafted an Accounts Payable form which will
be the official document to pay speakers and performers. It will replace the current form
Northern Arizona University Accounts Payable
Audit Report
Page 4 of 8
used to authorize payment to speakers and performers. The new Accounts Payable form
will allow the department to indicate if travel will be reimbursed.
During the audit, NAU’s Policy, CMP 421-02, Interviewee and Non-Employee
Reimbursements, was revised by the Comptroller’s Office to correspond to the State of
Arizona Accounting Manual, Section 65, Vendor and Other Non-employee Travel, which
states that reimbursements are to be based on actual receipts, not to exceed State meal
reimbursement rates.
The control standards we considered during this audit and the status of the related control
environment are provided in the following table.
General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)
Control Environment
Recommen- dation No.
Page No.
Reliability and Integrity of Financial and Operational Information
Voucher payments are timely and accurately posted to PeopleSoft Financials.
Reasonable to Strong Controls in Place
Documentation supports the charges posted to PeopleSoft Financials.
Reasonable to Strong Controls in Place
Effectiveness and Efficiency of Operations
Purchase requisitions and receipts are matched to purchase orders prior to payment.
Reasonable to Strong Controls in Place
The Accounts Payable process is efficient.
Reasonable to Strong Controls in Place
All relevant supporting documentation is retained in a central repository and records are easily identified.
Opportunity for Improvement
2, 3 6, 7
The document retention process is efficient
Reasonable to Strong Controls in Place
Usage of check requests is limited and does not replace the need for purchase orders.
Reasonable to Strong Controls in Place
1 6
Northern Arizona University Accounts Payable
Audit Report
Page 5 of 8
We appreciate the assistance of the staff of Contracting and Purchasing Services.
/s/ /s/ Penny Whitmore Senior Internal Auditor Northern Arizona University (928) 523-6459 [email protected]
Mark Petterson Chief Audit Executive Northern Arizona University (928) 523-6438 [email protected]
Northern Arizona University Accounts Payable
Audit Report
Page 6 of 8
Audit Results, Recommendations and Responses
1. Library subscriptions should be renewed using purchase orders.
Condition: Seven sampled items, representing library subscriptions and totaling
expenses of $89,760 were paid using only Check Requests. One vendor was paid
$1,243,475 during FY 2016 without a purchase order.
Criteria: Subscriptions over $5,000 should be processed using a purchase order per
University procurement policies.
Cause: Prior to the implementation of PeopleSoft Financials, the Cline Library directly
uploaded subscription renewals to the financial system and requested payment using
Check Requests.
Effect: Library subscriptions that total over $5,000 are not procured in compliance with
University procurement regulations.
Recommendation: CPS should work with the Cline Library to ensure that purchasing
policies for procurements of library subscriptions are followed.
Response: Contracting and Purchasing Services and the Cline Library have
implemented the recommendation.
2. Supporting documentation for disbursements should be retained in a central repository.
Condition: Not all documents supporting payment of transactions that have been
authorized by Accounts Payable are retained in OnBase.
Accounts Payable files paper copies of invoices and supporting documentation for payments made using a Check Request.
There is no evidence in OnBase of approved departmental purchase requisitions and purchase orders that may provide details regarding the terms and conditions of the services or quality and quantity of the goods purchased.
Purchases of bottled water require approval from Facility Services to ensure they are not a personal expense. However, the approval is a purchasing document and retention is required at the department level for departmental purchases that are
Northern Arizona University Accounts Payable
Audit Report
Page 7 of 8
less than $5,000 and in Purchasing if the purchase is greater than $5,000. There is no evidence of approval from Facility Services stored in OnBase.
NAU’s Business Food-Meal Purchase Authorization form is required before Accounts Payable authorizes payment but the document is not always obtained or uploaded to OnBase to provide evidence of management approval.
Criteria: OnBase should be the central repository for all documentation supporting
payments authorized for payment by Accounts Payable.
Cause: OnBase functionality to upload check request documentation, requisitions,
purchase orders, receiving reports, and other supporting documentation has not been
developed.
Effect: Processes to ensure compliance with State regulations and University policies
are inefficient and inconsistent.
Recommendation: OnBase functionality should be developed to allow all relevant
supporting documentation to be uploaded into OnBase.
Response: Non-PO documentation in OnBase is expected to be available with the roll
out of “quick voucher” functionality in PeopleSoft Financials. We anticipate to go-live in
spring, 2017.
3. An appropriate description for payments made using Check Requests for student reimbursements should be reflected in transaction detail reports.
Condition: Student reimbursements represent 32 of the 65 Check Request payments
sampled using the Single Payment Vendor code. Student reimbursements are not
identifiable from other payments made using the Single Payment Vendor code in the
Transaction Detail reports. All payments using the Single Payment Vendor code reflect
the identical vendor ID number and descriptions. The student’s ID (in lieu of a vendor
name or ID) is not reflected in the PeopleSoft Transaction Detail report.
Criteria: Student reimbursements should be descriptive in the Transaction Detail report.
Cause: Accounts Payable is not entering a description for payments when using the
Single Payment Vendor code
Northern Arizona University Accounts Payable
Audit Report
Page 8 of 8
Effect: It is inefficient to research student reimbursements in PeopleSoft.
Recommendation: Accounts Payable should enter a description for Check Request
payments. This information may also help to segregate student reimbursements from
other third party reimbursements.
Response: As of October 26, 2016, Accounts Payable changed its business process to
require entry of the description for all payments against Check Requests. AP is working
with Information Resource Management department to see if the vendor information can
be included in the Transaction Detail Report. AP will update this response when we
determine if it can be added.
Distribution:
Audit Committee, Arizona Board of Regents Internal Audit Review Board Rita Cheng, President Jennus Burton, Vice President for Finance and Administration Bjorn Flugstad, Chief Financial Officer Joanne Keene, Executive Vice President and Chief of Staff Carol Luckey, Assistant Director, Contracting and Purchasing Services Becky McGaugh, Executive Director, Contracting and Purchasing Services Michelle Parker, General Counsel Wendy Swartz, Associate Vice President and Comptroller This report is intended for the information and use of the Arizona Board of Regents, NAU administration, the Arizona Office of the Auditor General, and federal awarding agencies and sub-recipients.
Issued by: Sara J. Click, CPA, Chief Auditor
Internal Audit Department
SPEED Deferred Maintenance and Building Renewal Projects
February 2016 FY15 - #12
Submitted to: Christopher M. Kopach, Assistant Vice President Facilities Management
Copies to: Institutional Internal Audit Review Board Audit Committee, Arizona Board of Regents Andrew C. Comrie, Senior Vice President for Academic Affairs and Provost Gregg Goldman, Senior Vice President for Business Affairs and Chief Financial Officer Laura Todd Johnson, Vice President, Legal Affairs and General Counsel Robert R. Smith, Vice President, Business Affairs Peter Dourlein, Assistant Vice President, Planning, Design and Construction Jon Dudas, Senior Associate to the President and Secretary of the University Duc D. Ma, Interim Associate Vice President, Financial Services Karen Williams, Interim Chief Information Officer
This page left blank intentionally.
SPEED Deferred Maintenance and Building Renewal Projects
The University of Arizona Page 1 of 8 February 2016
Summary
Our audit of Phase II and III Stimulus Plan for Economic and Educational Development
(“SPEED”) Deferred Maintenance and Building Renewal (“DM/BR”) projects was
included in our approved Fiscal Year (“FY”) 2015 Audit Plan. Phase I was reviewed as
part of our Fiscal Year 2010 Audit Plan, and audit report FY10 - #05 was issued in
January 2010.
The SPEED initiative supports the “Engaging” and “Innovating” pillars of the University’s
Never Settle strategic plan by providing urgently needed funding to extend the life of
and modernize facilities to help meet the education needs of the future. Administration
and project monitoring for the SPEED DM/BR projects is provided by Facilities
Management (“FM”).
Background: The SPEED funding was designed to help spur the State’s economy by
issuing bonds to fund capital projects. University revenues cover 20% of the debt
service, with the State paying the remaining 80% out of Arizona Lottery proceeds.
In February 2009, the Legislature’s Joint Committee on Capital Review (“JCCR”)
reviewed the three universities’ fire and life safety SPEED project submissions and
allocated $68 million for UA’s projects. The most critical projects, totaling $16 million,
were completed under Phase I. The remaining $52 million was used to complete Phase
II and III projects (covered by this audit). The Phase II and III projects were divided into
10 categories of work with a total of 15 UA financial accounts that included 163 projects.
(See table below.)
Category of Work
No. of Accounts
No. of Projects
Project Costs
Interior/Exterior Building Components 2 18 $18,431,987
Heating, Ventilation and Air-Conditioning 2 30 14,560,593
Arizona Health Sciences Critical Improvements 1 21 5,963,981
Mechanical System Repairs & Replacements 1 49 5,579,228
Building Structural Components 2 5 2,385,000
Fire Alarm and Fire Sprinkler Systems 1 4 1,990,844
Elevator/Code Compliance Upgrades 1 10 986,819
Electrical Code Upgrades 2 6 834,584
Football Stadium Structural Repairs 2 2 737,640
Critical Roofing Repairs 1 18 598,948
Total 15 163 $52,069,624
SPEED Deferred Maintenance and Building Renewal Projects
The University of Arizona Page 2 of 8 February 2016
The SPEED DM/BR projects reviewed were awarded using the following types of
procurement methods:
• Sole-Source Provider: A sole source exists when there is a need for a specific
item or service that is only available from one source. For example, systems that
are integrated across campus, such as fire detection, fire suppression, and
access control and security, necessitate the use of a single contractor or service
provider. Sole-source documentation is prepared and only one contractor
prepares a bid.
• Sealed Bid: Projects that exceed an aggregate dollar amount of $100,000 are
awarded on the basis of sealed competitive proposals or bids from various
qualified contractors who respond to a specific scope of work. A purchase order
is then awarded to the contractor with the lowest responsible bid.
• Job Order Contracting (“JOC”): JOC construction contractors are selected
through a qualifications-based selection process in response to a Request for Proposal (“RFP”) solicitation that is issued on a five-year cycle. A shortlist of
qualified contractors for specific services (e.g., mechanical, electrical) is ranked,
and upon the successful negotiation of project-specific work, a Work Order and
Notice to Proceed are issued. Work Orders for renovation and alteration projects
cannot exceed $2M. Once a JOC contract is issued, any change in the contract
price, contract time, or scope of work must be made by a written and approved
change order. Exhibit A of the Tri-University’s standard JOC agreement
prescribes specific methodology for calculating change orders, including
limitations on contractor and subcontractor fees.
Audit Objectives: To determine whether contractor billings for the SPEED DM/BR
projects are adequately supported and in accordance with contract provisions, including
whether:
• internal controls were in place and operating effectively to ensure requests for
cost-proposals/quotes, bids, and contractor selections complied with University
procurement policies and procedures;
• contractor requests for payment were adequately supported and did not exceed
the purchase order amount;
• bond and insurance coverage was in compliance with the terms of the contract;
• change orders (“CO”) were priced according to the contract terms; and
• opportunities for process improvements exist.
Scope: Our audit of the SPEED DM/BR projects included all Phases II and III projects
completed between June 2011 and October 2014 totaling $52 million.
SPEED Deferred Maintenance and Building Renewal Projects
The University of Arizona Page 3 of 8 February 2016
Methodology: Our audit objectives were accomplished through:
• reviewing applicable University procurement and expenditure policies and
procedures;
• discussing and corresponding with University representatives from FM,
Procurement and Contracting Services (“PACS”), and Planning, Design and
Construction (“PD&C”);
• examining PACS’ project files, including sole-source justifications, JOC
processes and agreements, Request for Proposals/Bids, and Purchase Orders;
• verifying all required insurance coverage and bonds were maintained during the
project;
• preparing a control schedule of project purchase orders, COs, and payments;
• reconciling purchase orders and payments and comparing to the detailed
supporting invoices or contractor payment applications;
• reviewing COs and supporting documentation to ensure changes were
reasonable and approved; and
• recalculating the fee, bonds and insurance, and taxes charged on COs.
Sample Selection Methodology:
• To select accounts for review, we used ACL Analytics to randomly select 5
(30.3%) of the 15 Phase II and III accounts. The 5 sample accounts contained 51
projects, from which we judgmentally selected 11 sample projects for review. The
11 projects represented 28 purchase orders awarded to various vendors/
contractors.
• Our objective was to select at least 50% of the dollar amount for each of the five
sample accounts, with an overall minimum of 25% coverage for all Phase II and
III projects. The 11 sample projects represent approximately $14 million (27%) of
the $52 million.
Conclusions: Based on our audit work, we found that University processes for
procurement of Phase II and III DM/BR projects complied with University policies and
that financial transactions generally complied with the terms of the contracts.
Specifically, we concluded that the contractor selection process complied with
University policies and procedures, including the requirement for maintaining insurance
and payment and performance bonds. We ascertained that all transactions were
sufficiently supported and payments were based on actual costs incurred. Our review of
COs revealed that the COs represented a legitimate change in the scope of work, and
credits were received where applicable. However, not all revised JOC contractual
SPEED Deferred Maintenance and Building Renewal Projects
The University of Arizona Page 4 of 8 February 2016
amounts were accurate and/or priced in accordance with Exhibit A. Additional details
can be found beginning on page 6.
The audit identified an opportunity for improvement that could further enhance FM’s
management of future projects. We suggested to FM management that subaccounts be
established within UAccess to assist in accounting for individual project costs. As
reflected in the table on page 1, the 163 Phase II and III SPEED DM/BR projects were
managed under 15 UAccess accounts based on categories of work. Each project has
separate accountability requirements. Because the costs were intermingled within one
account, they were not easily identifiable to a specific project. As suggested, FM began
using subaccounts in FY 2015 and will use them for future projects.
According to the Institute of Internal Auditors International Professional Practices
Framework, an organization is expected to establish and maintain effective risk
management and control processes. These control processes are expected to ensure,
among other things, that:
• the organization’s strategic objectives are achieved;
• financial and operational information is reliable and possesses integrity;
• operations are performed efficiently and achieve established objectives;
• assets are safeguarded; and
• actions and decisions of the organization are in compliance with laws,
regulations, and contracts.
Our assessment of these control objectives as they relate to the SPEED DM/BR
projects is on the following page.
SPEED Deferred Maintenance and Building Renewal Projects
The University of Arizona Page 5 of 8 February 2016
General Control Objectives
Control Environment
Audit Result
No. Page
Achievement of the Organization’s Strategic Objectives
• Strategic objectives were met by extending the life and quality of UA facilities for current and future students, staff, employees, and visitors.
Reasonable to Strong Controls in Place
Reliability and Integrity of Financial and Operational Information
• Contractor billings were adequately supported by actual costs incurred by the contractors.
Reasonable to Strong Controls in Place
• Change orders were priced and approved according to contract requirements.
Opportunity for Improvement
1 6
Effectiveness and Efficiency of Operations
• UA payments to contractors did not exceed the contracted amount.
Reasonable to Strong Controls in Place
Safeguarding of Assets
• The contractors provided the contracted scope of work.
Reasonable to Strong Controls in Place
Compliance with Laws and Regulations
• Bonds and insurance coverage was in compliance with the terms of the contract.
Reasonable to Strong Controls in Place
• The contracts were managed to ensure contractors complied with contract terms.
Reasonable to Strong Controls in Place
We appreciate the assistance of FM, PACS, and PD&C personnel during the audit.
___________/s/___________ _________/s/___________
Deborah S. Corcoran, CCA, CIA Auditor-In-Charge (520) 626-0185
Sara J. Click, CPA Chief Auditor
(520) 626-4155 [email protected]
SPEED Deferred Maintenance and Building Renewal Projects
The University of Arizona Page 6 of 8 February 2016
Audit Results, Recommendations, and Responses
1. Change Orders were not accurately priced.
Condition:
Sixteen (67%) of the twenty-four change orders reviewed1 contained errors related
mainly to allowable fees. As a result, the University of Arizona overpaid two JOC
contractors a net amount of $16,260.
Criteria:
• Paragraph 28.3 of the 2012 Job Order Contract states, “The cost or credit to the
Owner resulting from a change in Work shall be determined in one or more of the
following ways:
“A. By unit prices from the Unit Price Book specified. Unit prices, from a unit
price book (i.e. R.S. Means, etc.), proposed on the Proposal form and
included in the Contract are not subject to further overhead and profit
adjustments. The Contract Sum will be adjusted by the direct extension of the
number of units and the unit prices. Contractor Fee will be added, and then
adding the insurance, bonds, and tax to compute the total cost.
“B. By mutual acceptance of a lump sum properly itemized and supported by
sufficient substantiating data to permit evaluation as a non-prepriced item in
accordance with the Contract Documents and in the format as described on
Exhibit A, Change Order Pricing Format.”
• Exhibit A of the JOC Contract states that contractor fees shall be “actual
percentages based on and supported by records of the applicable Subcontractor
and/or Contractor.” PD&C developed the JOC 2012 Contractors’ Information chart
that established allowable fees for JOC contractors who were awarded a 2012 JOC
agreement.
Causes:
• FM staff were not aware of all JOC contract requirements and stipulations, including
(1) the JOC 2012 JOC Contractors’ Information chart that established profit and
overhead fees for individual contractors, and (2) the contractually prescribed
methodology for pricing change orders.
1 Ten of the twenty-eight sample-selected purchase orders had a total of 24 change orders, valued at $1,354,045. Of
the 24 change orders, 7 were non-JOC contracts and 17 were JOC contracts.
SPEED Deferred Maintenance and Building Renewal Projects
The University of Arizona Page 7 of 8 February 2016
• Although FM had procedures in place to coordinate with the architect to determine if
change order costs were reasonable, the procedures did not include a validation
process to ensure all costs, including contractor profit and overhead fees, were
accurate and priced in accordance with Exhibit A.
Effect:
Without specific procedures in place to ensure accurate change order pricing, the
University is at risk for paying more than the allowable contract amount.
Recommendations:
1) FM should initiate action to recoup change order under/overpayments identified
during the audit.
2) Management should consider reviewing the remaining 14 change orders for the
two contractors to determine whether other overpayments exist and seek
reimbursement accordingly.
3) FM management should coordinate with PD&C to obtain immediate training to
become familiar with existing construction contract delivery methods, to include
JOC and Construction Manager at Risk agreements. Thereafter, training should
occur at least annually and/or as changes are made to agreements. FM staff such
as project managers, business services personnel, and appropriate associate
directors should attend the training.
4) FM should strengthen existing procedures for validating change order amounts.
The procedures should include a review of allowable contractor fees to ensure the
correct fees are applied.
Management Response:
1) Implemented: May 2016. It was FM’s recommendation to reach out to our JOC
Contractors to recoup the overpayment charged for the profit and overhead on the
change orders. Consequently, the meeting has taken place with the contractor,
and they have agreed to reimburse the University for the overpayment.
2) Target Implementation Date: May 2016. FM Business Services has reviewed the
remaining 14 change orders and determined that there was only one overpayment
of the profit and overhead totaling $76.90 to a contractor. FM is in the process of
invoicing the contractor for that total.
SPEED Deferred Maintenance and Building Renewal Projects
The University of Arizona Page 8 of 8 February 2016
3) Target Implementation Date: June 2016. FM is in the process of coordinating a
training in the near future and scheduling annual refresher training with all those
involved in the JOC and Construction Manager at Risk process.
4) Implemented: April 2016. FM immediately initiated a two-step process in which
before the change order is approved, FM Business Services recalculates the
overhead and profit amount to make sure the fees are within the limitations
prescribed in the Tri-University Standard JOC negotiated agreement. After it has
been verified that the appropriate profit and overhead percentages are being used,
authorization is issued to the Project Manager to move forward with the change
order.
Issued by: Sara J. Click, CPA, Chief Auditor
Internal Audit Department
Health Sciences Education Building, Finish Shell Space Construction Contract
April 2016 FY16 - #06
Submitted to: Robert R. Smith, Vice President for Business Affairs Peter Dourlein, Assistant Vice President, Planning, Design & Construction Jennifer Andrews, Project Manager, Special Facilities - Phoenix Biomedical Campus
Copies to: Institutional Internal Audit Review Board Audit Committee, Arizona Board of Regents Andrew C. Comrie, Senior Vice President for Academic Affairs and Provost Jon Dudas, Senior Vice President, Senior Associate to the President and Secretary of the
University Gregg Goldman, Senior Vice President for Business Affairs and Chief Financial Officer Laura Todd Johnson, Senior Vice President, Legal Affairs and General Counsel Duc D. Ma, Interim Associate Vice President, Financial Services Karen A. Williams, Interim Chief Information Officer
This page left blank intentionally.
Health Sciences Education Building, Finish Shell Space
The University of Arizona Page 1 of 6 April 2016
Summary
Our audit of the Health Sciences Education Building, Finish Shell Space (HSEB SS)
construction contract was included in our approved Fiscal Year 2016 Audit Plan. The
University of Arizona (UA) contracted for the HSEB SS tenant improvement project with a
construction phase Guaranteed Maximum Price (GMP) of $9 million. Construction projects
have been identified as strategic, high-risk areas for the universities. Charges to the project
may not comply with the negotiated contract, resulting in overcharges and cost overruns.
Construction administration and project monitoring for UA is provided by Planning, Design
and Construction (PD&C). Since 2009, we have completed nine audits of construction
contracts administered by PD&C.
Background: HSEB is a 265,000-square foot building located
on the Phoenix Biomedical Campus (PBC) at 7th Street and
Van Buren. HSEB was completed in July 2012; however,
45,371 SF of shell space remained temporarily unfinished.
Completion of the built-out space included a Lecture Hall on
the 1st floor; an expanded Simulation Center, a new Learning
Studio, and classroom space on the 3rd and 4th floors; and office and administrative support
space on the 5th floor.
The HSEB construction project is part of the $376 million PBC, Phase II project. One
request for qualifications (RFQ) was issued, and the contract was awarded to DPR/Sundt
(A Joint Venture). The original contract and amendments included the following
construction sub-projects:
• HSEB,
• Vivarium,
• Arizona Biomedical Collaborative II (ABC 2) building, and
• Phoenix Union High School Renovation.
Separate GMP and design documents were prepared for each sub-project. As the project
progressed, the Phoenix Union High School Renovation was put on hold due to budget
constraints. The ABC 2 building was funded and renamed the Biomedical Sciences
Partnership Building. This project is currently under construction and will be substantially
complete in December 2016 with occupancy in January 2017.
At its March 2013 meeting, the ABOR Business and Finance Committee granted Project
Approval for $17.9 million for the HSEB SS project.1 Funding was provided through the
sale of Stimulus Plan for Economic and Educational Development (SPEED) revenue
1 Approximately $8.8 million of the $17.9 million approved for the HSEB SS project was put on hold until NAU finalized plans for their space, leaving a total of $9.1 million for this phase of the project.
Health Sciences Education Building, Finish Shell Space
The University of Arizona Page 2 of 6 April 2016
bonds, which are to be repaid 80% from State lottery proceeds and 20% from University
funds.
The cost of the project was shared by UA and Northern Arizona University (NAU). Once
needs were identified and costs estimated, the cost split between UA and NAU for tenant
improvement of the shell space was based upon square footage costs on a floor-by-floor
basis. Project costs were first calculated per floor and then divided based on square
footage assigned to either NAU or UA. The split was then based upon percentage of total
construction costs. The percentage was determined to be approximately 75.8% for UA
(covered by this audit) and 24.2% for NAU. See table below for cost breakout.
GMP Description UA NAU Total
Pre-Construction Phase Fee $57,607 $33,833 $91,440
Construction Phase GMP 6,847,616 2,189,923 9,037,539
Total Pre-Construction and Construction GMP
$6,905,223 $2,223,756 $9,128,979
HSEB was built using the Construction Manager at Risk (CM@Risk) project delivery
method, and the HSEB SS project was delivered through continuation of the CM@Risk
originally selected for HSEB. The CM@Risk selected for HSEB was DPR/Sundt (A Joint
Venture), hereinafter referred to as “DPR/Sundt.” The contract with DPR/Sundt included
pre-construction design-phase services as well as construction-phase management,
including coordinating all subcontracted work.
The contract included an approved sub-contractor selection plan that allowed for Core
Team Partners to be selected by a Quality Based Selection (QBS) process. This process
eliminates the typical request for three subcontractor competitive bids. The QBS selection
is based on a subcontractor’s qualifications, which include: successful experience with the
CM@Risk; successful experience with the UA, NAU, or the City of Phoenix; skill in
providing early conceptual estimating and value design options; and financial strength.
The following table lists the top five subcontractors by subcontract dollar amount. One of
the five, DPR Drywall, was awarded lump sum subcontracts, as stipulated in the contract,
for self-performed work.
Trades Description
Subcontractor Original GMP
Amount Net
Adjustments Final GMP
Amount
Mechanical UMEC, Inc. $1,379,309 $207,425 $1,586,734
Finishes DPR Drywall $1,295,022 $152,126 $1,447,148
Electrical Cannon & Wendt $1,261,324 ($34,346) $1,226,978
Finishes Barrett-Homes $587,194 $26,596 $613,790
Openings Walters & Wolf $447,140 $80,215 $527,355
Health Sciences Education Building, Finish Shell Space
The University of Arizona Page 3 of 6 April 2016
The Notice to Proceed was issued December 23, 2013, and construction work began in
January 2014. The contract called for substantial completion by June 30, 2014. PD&C is
satisfied with the quality of the work and that the contractor completed work during the
required timeframe, issuing a Certificate of Substantial Completion dated July 1, 2014.
Audit Objectives: To determine whether financial transactions relating to construction
activity for the HSEB SS project complied with the terms of the contract, including whether:
• contractor billings were adequately supported by actual costs or subcontractor
estimates, plus overhead, profit, and fees as specified by the construction contract;
• general conditions expenses were charged to the project in accordance with contract
provisions;
• contingency funds were managed in accordance with contract requirements;
• Change Orders were priced according to the contract terms and were properly
approved;2
• the CM@Risk provided the contracted scope of work;
• insurance coverage during construction was in compliance with the terms of the
contract;
• quality assurance and control procedures were implemented in accordance with the
contract terms; and
• opportunities for process improvements exist.
Scope: Our audit of the HSEB SS project included all construction-phase expenses
incurred by DPR/Sundt from the start of the contract in December 2013 through August
2015, the last pay application processed prior to commencement of the audit.
We relied on PD&C’s expertise for the construction technical aspects and, therefore, our
scope of work did not include any on-site inspections to assess construction methods,
materials, or compliance with design specifications. We also did not include any costs
associated with the project that were not part of the CM@Risk contract, including
architectural fees or PD&C internal costs.
Methodology: Our audit objectives were accomplished through:
• preparing a control schedule of the initial GMP, internal adjustments, and payment
applications to ensure payments to the CM@Risk did not exceed the approved
GMP;
• reviewing all 14 UA construction-phase payment applications and comparing the
summary information in the payment application to the detailed supporting invoices
or payment applications from the subcontractors to DPR/Sundt;
• recalculating the fee, bonds and insurance, and taxes applied against the GMP to
verify accuracy of indirect construction costs;
2 We found that there were no Change Orders executed for UA’s portion of the contract.
Health Sciences Education Building, Finish Shell Space
The University of Arizona Page 4 of 6 April 2016
• reconciling the job cost ledger against invoices and pay applications;
• reviewing the itemized list of General Conditions and Requirements and examining
pay application line items and supporting documentation to ensure General
Conditions and Requirements items were not included as expenses in pay
applications;
• reviewing UA payments to vendors other than DPR/Sundt to ensure the expenses
were not included in the CM@Risk contracted scope of work;
• reviewing quality control processes, issues, and resolutions;
• verifying all required insurance coverage and bonds were maintained during the
project;
• selecting and reviewing a random sample of contingency expenditures to ensure
that all uses of the contingency fund are made in accordance with the contract;
• ensuring the subcontractor bidding process was performed in compliance with
contract terms;
• reviewing the third party assessment of costs for self-performed work areas to
ensure reasonableness and compliance with contract terms;
• reviewing subcontracts and bid documents for the three largest (by final contract
dollar amount) subcontractors to ensure the contract terms were consistent and in
compliance with the CM@Risk contract;
• examining project close out documents to ensure punch list items were resolved and
a substantial completion certificate was issued in a timely manner; and
• discussing the project with representatives from PD&C and DPR/Sundt to obtain
additional information and clarification.
Conclusions: Based on our audit work, the financial transactions relating to construction
activity, by both DPR/Sundt and PD&C, complied with the terms of the contract.
Specifically, the Schedule of Value line items were based on actual costs and supported
with back-up documentation, and contingency funds were managed in accordance with
contract requirements. Additionally, the CM@Risk provided the contracted scope of work;
insurance coverage during construction was in compliance with the terms of the contract;
quality assurance and control procedures were implemented in accordance with the
contract terms; and close-out documents completed to date were in order.3
During this project, the CM@Risk utilized a field management software tool, BIM 360TM
Field, to manage quality control issues from initial identification through final punch list
resolution. The mobile app facilitated real-time reporting through the use of cloud-based
collaboration and reporting to and from field personnel and office/project managers, thereby
improving quality, safety, and project visibility.
This construction project was part of an umbrella contract signed in 2009, prior to
development of the current Tri-University construction contract. Therefore, the General
3 A contractor evaluation had not been completed since the project was not yet finalized.
Health Sciences Education Building, Finish Shell Space
The University of Arizona Page 5 of 6 April 2016
Conditions and Requirements expenses were fixed at $1,208,626 (13% of the total GMP)
for which no supporting documentation was required. The revised standard Tri-University
contract now requires all General Conditions and Requirements expenses to be based on
actual costs and documented with receipts, invoices, and/or purchase orders, allowing for
more auditable expenses.
During this audit, we identified a $15,050 expense for final cleaning that is traditionally a
part of General Conditions and Requirements. However, the CM@Risk excluded final
cleaning from the General Conditions and Requirements. The CM@Risk believed this to
be an additional expense and transferred contingency funds to an added line item for the
final cleaning expense while $10,000 of the fixed general conditions amount remained
unspent. Although final cleaning costs are normally included in generally accepted General
Conditions and Requirements, the 2009 construction contract did not specify expenses to
be included in the General Conditions and Requirements fixed amount. Since the revised
Tri-University standard construction contract eliminated the option for fixed amount General
Conditions and Requirements and requires those expenses to be itemized and supported,
this issue should not occur in the future.
As noted in a previous construction contract audit, the current standard Tri-University
contract requires retainage to be withheld from contractor payments. However, ABOR
Policy 3-804, Professional Services and Construction Services Procurement, dated 6/2006,
permits the CM@Risk to provide a substitute security in lieu of retainage. Since this has
become a fairly common practice, the Tri-University contract committee should consider
including contract language that allows the CM@Risk the option to substitute security for
retainage. If the committee elects to revise the contract to permit the contractor to
substitute security for retainage, the committee should evaluate whether existing monitoring
practices are sufficient to ensure the required amounts are deposited into security escrow
accounts.
According to the Institute of Internal Auditors International Professional Practices
Framework, an organization is expected to establish and maintain effective risk
management and control processes. These control processes are expected to ensure,
among other things, that:
• the organization’s strategic objectives are achieved;
• financial and operational information is reliable and possesses integrity;
• operations are performed efficiently and achieve established objectives;
• assets are safeguarded; and
• actions and decisions of the organization are in compliance with laws, regulations,
and contracts.
Our assessment of these control objectives as they relate to the HSEB, Finish Shell Space
construction contract is on the following page.
Health Sciences Education Building, Finish Shell Space
The University of Arizona Page 6 of 6 April 2016
General Control Objectives
Control Environment
Recommendation
No. Page
Achievement of the Organization’s Strategic Objectives
• Strategic objectives were met by providing state-of-the-art facilities that help the university achieve its research and educational goals.
Reasonable to Strong Controls in Place
Reliability and Integrity of Financial and Operational Information
• Contractor billings were adequately supported by actual costs incurred by the CM@Risk.
Reasonable to Strong Controls in Place
• General Conditions were charged to the project in accordance with contract provisions.
Reasonable to Strong Controls in Place
• Contingency funds were managed efficiently and effectively.
Reasonable to Strong Controls in Place
• Change Orders were priced and approved according to contract requirements.
Not Applicable
Effectiveness and Efficiency of Operations
• Quality control procedures were effective in ensuring compliance with the contract.
Reasonable to Strong Controls in Place
Safeguarding of Assets
• The CM@Risk provided the contracted scope of work.
Reasonable to Strong Controls in Place
Compliance with Laws and Regulations
• Insurance coverage during construction was in compliance with the terms of the contract.
Reasonable to Strong Controls in Place
• The contract was managed to ensure the CM@Risk complied with all terms of the contract.
Reasonable to Strong Controls in Place
We appreciate the assistance of both PD&C and DPR/Sundt representatives during the
audit.
_____________/s/_____________ _____________/s/____________
Deborah S. Corcoran, CCA, CIA Auditor-In-Charge (520) 626-0185
Sara J. Click, CPA Chief Auditor
(520) 626-4155 [email protected]