Internal Controls Over Nonfinancial Data in Higher Education: What’s Next?
A number of higher education institutions have learned a lesson in recent years: Numbers matter, or more precisely, accurate numbers matter. Not just financials, but also nonfinancial numbers that help schools define, rank, and promote themselves.
Administrators across the country are familiar with the incidents at George Washington University, Claremont McKenna College, Emory University, Tulane University, Bucknell University, and others where incorrect data about the school was being reported, sometimes for years. It didn’t really matter whether the misreporting was intentional or not, it was perceived by many to be fraudulent and damaging to the reputation of the school, its trustees, and senior officials.
Nearly three years after these high-profile cases, the higher education industry should be asking itself, “What have we learned from the mistakes of others, and what are we doing to safeguard our institution from similar mistakes?”
If the answer is, “We’ve looked into this area and we don’t have that problem,” the institution’s leaders should consider who is answering the question and then take a deeper look at the school’s internal controls over reporting of nonfinancial data.
Why accurate numbers matter in higher education
U.S. News & World Report is a well-known example of the rankings used by students and parents to make important educational decisions. In many cases, these respected and widely cited listings are based on information provided by the schools. Acceptance and retention rates, graduation percentage, standardized test scores, and environmental sustainability are just a few examples of nonfinancial data being tracked and reported.
The Department of Education also requires colleges and universities to report massive amounts of information annually. State and federal support, financial aid, and grant programs may depend on the completeness, transparency, and accuracy of this data.
In a 2012 Inside HigherEd survey conducted on the heels of the previously mentioned cases, 91 percent of admissions directors said they believed more universities than the ones who had been called out were guilty of inflating or otherwise fudging the data.
Since then, most institutions have recognized that there is a potential risk in this area. Even so, many have not taken adequate steps to implement control measures.
An internal control framework for nonfinancial reporting
Controls over financial reporting are typically reviewed and scrutinized in independent audits, but much of the nonfinancial data gathering still lacks effective controls or the independent review of an external auditor.
Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) framework for internal controls, which was updated in 2013, can be applied to the recording, collecting, and reporting of nonfinancial data in much the same way as it is for financial data, operational efficiency and effectiveness, and compliance.
The potential body of nonfinancial data in schools of all sizes is huge; compiling and reporting it is complex and time-consuming. Business officers and audit committees may be aware of the pitfalls inherent in gathering this data, but they may lack the tools, resources, and knowledge to identify and address the underlying issues.
COSO’s integrated framework can help administrators identify risks and establish and implement controls. The goal is to improve the accuracy, completeness, and reliability of data, which will lead to increased transparency and better-informed decisions. Internal controls advance a school’s sustainability strategy, mission, and vision through streamlined information flow, enhanced cross-functional coordination, and increased commitment to a sustainable model.
Five components of internal control
Everyone from the board of directors to athletic coaches and cafeteria staff can be part of the control environment — it all depends on management’s expectation of which individuals and groups will work together to ensure quality reporting. The integrity, ethical values, and competence of each individual involved in the process comes into play here, as does management’s willingness to assign authority and responsibility for nonfinancial reporting. The tone and awareness of controls across the school spectrum is set by the institution and becomes the foundation for the other four components.
Every college and university must identify and analyze the risks associated with the objectives it wants to achieve. For nonfinancial reporting, this means properly identifying material issues using a robust assessment. It also means recognizing risk situations that might impact data quality and then designing and implementing appropriate controls to mitigate the risk. Because economic conditions, industry trends, regulatory and operating conditions, and stakeholder expectations are often moving targets, you need mechanisms with flexibility to deal with a changing world.
These are the policies and procedures that help ensure that management directives are carried out. They also help ensure that necessary actions are taken to secure quality data and address risks of misreporting. Control activities occur throughout the institution, at all levels and in all functions. They include approvals, authorizations, verifications, reconciliations, reviews of operating performance, confirmation of assumptions and estimations, security of assets, and segregation of duties.
Information and communication
Communication is a key component of solid internal controls. If you want to record the number of students who study abroad, you must identify, capture, and communicate the data in a form and within a timeframe that enable people to meet their responsibilities. Information systems produce reports containing nonfinancial information that makes it possible to control and run the enterprise.
Effective communication must flow down, across, and up the organization. All personnel must receive a clear message from top management: control responsibilities for nonfinancial reporting are to be taken seriously. Each person must understand his or her role in the internal control system and how individual activities relate to the work of others. There must be a means of communicating significant information upstream.
There should also be effective communication with external users, potential new employees, and regulators. All have different expectations from the institution.
All of the internal controls mentioned so far will not be effective if the systems that monitor the reporting break down. So nonfinancial reporting needs to include a process that assesses the quality of the system’s performance over time. This is accomplished through oversight, evaluations, or a combination of the two. In addition, an independent third party should provide external assurance of nonfinancial information, usually on an annual basis. Any deficiencies should be reported upstream, with serious matters reported to top management.
A work in progress
External reporting communities are developing regulatory and voluntary nonfinancial reporting standards, and are also requiring institutions to report on nonfinancial matters. Colleges and universities should be examining and developing specific programs that address all areas of the COSO framework. But before any academic institution can report accurate, material, and useful nonfinancial information, it must have confidence in the quality of the data; that is a function of its internal control environment.
The aim of this framework is to help enhance decision making with solid and relevant nonfinancial reporting. Many institutions have made a good start, but despite the efforts of public accounting firms and others, universal understanding and adaptation is still a work in progress.