Full Audit Reports - INDEX - public.azregents.edu Documents/2016-11-16_ABOR-Audit...FULL AUDIT REPORTS INDEX ... management took appropriate action by reporting a fraud allegation

FULL AUDIT REPORTS INDEX

Following are the full and complete audit reports for which summaries have been included in the November 16, 2016 Arizona Board of Regents Audit Committee Agenda Book. Agenda Book Tab# Report Title 02.C AudGen Theft and Misuse of Public Monies at NAU

04.A1 ASU Athletics 2016 Summer Financial Aid

04-A2 ASU Athletics 2016 Student Athlete Eligibility

04-A3 ASU Capital Project-Psychology Bldg Renovation

04-B1 NAU Summer Camps and Conferences

04-B2 NAU Student Employment

04-B3 NAU IT General Controls

04-B4 NAU Aquatic and Tennis Center

04-B5 NAU Accounts Payable

04-C1 UA SPEED Defd Maint & Bldg Renewal

04-C2 UA Health Sciences Education Bldg Finish Shell Space

This page left blank intentionally.

Northern Arizona University Theft and Misuse of Public Monies

Debra K. Davenport Auditor General

Special Investigation

October 2016Report 16-405

A Report to the Arizona Legislature

The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five senators and five representatives. Her mission is to provide independent and impartial information and specific recommendations to improve the operations of state and local government entities. To this end, she provides financial audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and conducts performance audits and special reviews of school districts, state agencies, and the programs they administer.

The Joint Legislative Audit Committee

Representative John Allen, Chair Senator Judy Burges, Vice Chair

Representative Regina Cobb Senator Nancy Barto

Representative Debbie McCune Davis Senator Lupe Contreras

Representative Rebecca Rios Senator David Farnsworth

Representative Kelly Townsend Senator Lynne Pancrazi

Representative David Gowan (ex officio) Senator Andy Biggs (ex officio)

Audit Staff

Lindsey Perry, Manager and Contact Person

Contact Information Arizona Office of the Auditor General 2910 N. 44th St. Ste. 410 Phoenix, AZ 85018

(602) 553-0333

www.azauditor.gov

2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051

MELANIE M. CHESNEY

DEPUTY AUDITOR GENERAL

DEBRA K. DAVENPORT, CPA

AUDITOR GENERAL

STATE OF ARIZONA

OFFICE OF THE

AUDITOR GENERAL

October 24, 2016

Members of the Arizona Legislature

The Honorable Doug Ducey, Governor

The Arizona Board of Regents

Rita Cheng, President Northern Arizona University

The Honorable David W. Rozema, Coconino County Attorney

The Office of the Auditor General (Office) has conducted a special investigation of Northern Arizona University (University) for the period July 1997 through January 2013. The Office performed the investigation to determine the amount of public monies misused, if any, during that period and the extent to which those monies were misused.

The investigation consisted primarily of inquiries and examination of selected financial records and other documentation. Therefore, the investigation was substantially less in scope than an audit conducted in accordance with generally accepted auditing standards. Accordingly, the Office does not express an opinion on the adequacy of the University’s financial records or internal controls. The Office also does not ensure that all matters involving the University’s internal controls, which might be material weaknesses under standards established by the American Institute of Certified Public Accountants or other conditions that may require correction or improvement, have been disclosed.

The Special Investigative Report describes the Office’s findings and recommendations as a result of this special investigation.

Sincerely,

Debbie Davenport Auditor General

Attachment

REPORT HIGHLIGHTSSpecial Investigation

October 2016

Mr. Talley embezzled $354,902 of university monies by orchestrating two fictitious vendor schemesDuring this 15½-year period, Mr. Talley may have violated state laws related to theft, misuse of public monies, fraudulent schemes, and money laundering when he caused the University to issue 245 checks and make 12 purchasing card payments totaling $354,902 to two fictitious vendors he created. The majority of these checks were fraudulently endorsed and deposited in a credit union account he jointly held with another person, and monies were generally withdrawn or transferred to one of Mr. Talley’s separately held bank and credit union accounts within a few weeks. The purchasing card payments were directly credited to another of Mr. Talley’s bank accounts. All of the embezzled monies were commingled with other monies and spent by Mr. Talley for his personal purposes. To orchestrate and help conceal his schemes, Mr. Talley falsified information in the University’s accounting software, submitted fictitious invoices, and fabricated purchasing card records.

Former university officials failed to safeguard and control university moniesMr. Talley embezzled this money by abusing his authority as university postal services manager, a position he held for over 36 years. He also took advantage of former university officials’ poor oversight of his activities. In particular, management did not monitor or take steps to ensure employees were appropriately following policies and procedures designed to protect public monies. Accordingly, management was unaware that employees falsely verified the receipt of postal supplies never received and improperly shared their accounting software login credentials. Additionally, management did not adequately train employees to investigate invoice anomalies or reconcile purchasing card reports to bank software, either of which actions could have revealed Mr. Talley’s fraud scheme.

Northern Arizona University Theft and Misuse of Public Monies CONCLUSION: As part of its responsibility to prevent and detect fraud, Northern Arizona University (University) management took appropriate action by reporting a fraud allegation to both its police department and the Office of the Auditor General (Office). The university police department subsequently requested our Office to investigate the allegations of financial misconduct by Edwin Talley, former university postal services manager, and we determined that from July 1997 through January 2013, Mr. Talley used fraud schemes to embezzle public monies totaling $354,902. The embezzled monies came from university revenues that consisted primarily of state appropriations and students’ tuition and fee payments, and should have been used to pay for services provided to university students. We have submitted our report to the Coconino County Attorney’s Office, which has taken criminal action against Mr. Talley resulting in his indictment on six felony counts.

Investigation highlights

Former Northern Arizona University postal services manager Edwin Talley:

• Embezzled $345,902 by paying himself through fictitious vendors.

• Falsified computer data and purchasing card records, and submitted fictitious invoices in order to conceal his embezzlement.

Although the University took corrective measures, university officials can take additional actions to improve control over public monies and help deter and detect fraudWith the 2012 implementation of new accounting software, university officials improved certain internal controls which, when combined with a university-wide review of purchasing card activity, led to their discovery of Mr. Talley’s fraud schemes. In addition, in the time since the Office’s investigation began, management reported that they implemented other improvements to controls over university monies such as adding purchasing card software that disallows purchasing card users from manipulating activity statements. Management also implemented a new conduct, ethics, reporting, and transparency program, which outlines employees’ legal and ethical obligations to the University. Finally, management also conducted an employee training regarding internal controls and financial transactions, and mandated that employees not share their login credentials.

RecommendationsAlthough the University took corrective measures and no internal control system can completely prevent dishonest behavior such as Mr. Talley’s, the following recommendations are additional actions university officials can take to improve control over public monies and help deter and detect fraud. Specifically, university officials should:

• Perform periodic reviews on a random and unannounced basis to ensure that invoiced goods marked as received in the accounting software are actually physically located and accounted for.

• Continue to require employees to sign statements acknowledging their understanding and acceptance of university policies concerning employment. Additionally, consider requiring all employees to separately acknowledge their understanding and acceptance of the university policy that prohibits the sharing of login credentials and outlines employees’ responsibilities for protecting and locking their computer or work stations when not in use.

• Periodically assess whether controls over the University’s purchasing process are functioning effectively and as designed, and continue to provide training to those employees responsible for making and authorizing purchases. Likewise, ensure that the University continues providing training to employees involved in the purchasing process. That training should include guidance on how to review vendor invoices for accuracy and appropriateness, as well as for anomalies that should be investigated. Additionally, university officials should consider including criteria in these employees’ performance evaluations regarding their adherence to university purchasing procedures.

Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General

A copy of the full report is available at: www.azauditor.gov | Contact person: Lindsey Perry (602) 553-0333

Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General Northern Arizona University—Theft and Misuse of Public Monies | October 2016 | Report 16-405Arizona Auditor General

PAGE i

1

3

3

4

7

9

11

Introduction and Background

Finding 1: Mr. Talley embezzled $354,902 of university monies by orchestrating two fictitious vendor schemes

Mr. Talley caused the University to issue 245 checks to his fictitious company, Flag Mailing Products

Mr. Talley caused the University to make 12 purchasing card payments to his fictitious company, Omega Supplies

Finding 2: Former university officials failed to safeguard and control university monies

Recommendations

Conclusion

Table

1 Public monies Mr. Talley embezzled July 1997 through January 2013 3

TABLE OF CONTENTS


PAGE ii


PAGE 1

Northern Arizona University (University), located in Flagstaff, is one of three fully accredited public universities governed by the Arizona Board of Regents. During fiscal year 2015, the University received revenues of nearly $524 million to provide educational services to nearly 28,000 students. The university postal services department oversees the entire university mail operation, including distributing incoming and outgoing mail according to local, state, and federal laws, and coordinates with external postal agencies for mail delivery.

In addition to his university employment, Mr. Talley operated Talley Security, an online personal security businessMr. Talley had postal services responsibilities for over 36 years beginning in August 1976 and ending with his termination in January 2013. During his tenure Mr. Talley supervised about six employees and managed all university postal and shipping services, including purchasing supplies and preparing annual postal services budgets. Since at least 1999, Mr. Talley was assigned a university purchasing card for business purposes such as postal supplies and travel-related expenditures.

Starting in 1998 and continuing throughout his employment with the University, Mr. Talley operated an online business called Talley Security, sometimes also using derivatives of the same name such as Talley Personal Security Products or Talley Auto Alarms and Security. He sold various items such as stun guns, mace/repellent spray, security systems, cameras, and safety lights. In addition to check and money orders, he later accepted credit card payments, which were processed through a merchant services company and deposited in his business bank account.1

Mr. Talley’s other purported companies, Flag Mailing Products and Omega Supplies, existed in name onlyAs described on pages 3 and 4, the University paid Flag Mailing Products and Omega Supplies $354,902 for postal supplies, the majority of which was deposited to Mr. Talley’s credit union or business bank accounts. Aside from receiving monies from the University, Flag Mailing Products and Omega Supplies existed in name only. In fact, neither Flag Mailing Products nor Omega Supplies had a real business address or phone number, or even a web presence in which actual goods such as postal supplies were offered for sale. Additionally, neither company was registered with the Arizona Corporation Commission or Arizona Secretary of State, and neither had a Flagstaff business license to collect sales tax.

University officials discovered payments associated with Talley SecurityIn November 2012, Mr. Talley prepared a conflict-of-interest form disclosing his business ownership of Talley Security to the University. University officials were also aware of his business association through their general

1 Although no university payments to Talley Security were noted during our investigation, as described on pages 4 and 5, Mr. Talley used his Talley Security merchant services company and business bank account to process university purchasing card payments to his fictitious company, Omega Supplies.

INTRODUCTION AND BACKGROUND

Mr. Talley had university postal services responsibilities for over 36 years.

knowledge. As a result, during a university-wide review of purchasing card activity in January 2013, a university employee discovered $12,287 of charges made with Mr. Talley’s university purchasing card in a 6-month period that were associated with his Talley Security business. In particular, she conducted research, and in addition to other discrepancies she determined that while the charges and associated payments were made to a company named Omega Supplies, the listed phone number matched the Talley Security phone number. Consequently, university officials conducted an inquiry, determined that Mr. Talley had violated several university policies, contacted university police and our Office, and terminated Mr. Talley’s employment.

Mr. Talley made several admissions and paid $12,287 to the UniversityMr. Talley made several admissions to university officials during their inquiry of his misconduct, although he did not concede that the two vendors he paid himself through were fictitious companies.2 Specifically, he apologized for his actions, accepted responsibility for misusing the purchasing card to make $12,287 charges to Omega Supplies, and said he made a bad decision. Later, he admitted to university officials that there were other university payments made to one of his companies called Flag Mailing Products and he had deposited these checks to his credit union account.

On January 23, 2013, the University withheld $4,668 from his final paycheck, which included his accumulated vacation pay. A week later, Mr. Talley repaid the remaining portion of Omega Supplies charges through a $7,619 cashier’s check payable to the University.

2 Mr. Talley declined to interview with Auditor General staff.


PAGE 2

Mr. Talley admitted to university officials that he:

• Misused the university purchasing card by paying $12,287 to his company Omega Supplies.

• Deposited to his credit union account university check payments issued to another of his companies, Flag Mailing Products.

A university employee determined that $12,287 of Mr. Talley’s purchasing card charges were associated with his business, Talley Security.


PAGE 3

Mr. Talley embezzled $354,902 of university monies by orchestrating two fictitious vendor schemesFrom July 1997 through January 2013, Mr. Talley, former Northern Arizona University (University) postal services manager, embezzled $354,902 of public monies when he orchestrated two fictitious vendor schemes and falsified purchasing card records to help conceal his embezzlement. The embezzled monies came from university revenues that consisted primarily of state appropriations and students’ tuition and fee payments, and should have been used to pay for services provided to university students. As shown in Table 1 below, for over 15 years Mr. Talley caused the University to issue 245 checks and make 12 purchasing card payments to his fictitious companies, Flag Mailing Products and Omega Supplies, respectively. Neither of these companies had a real business address or even a web presence in which actual goods such as postal supplies were offered for sale. To help orchestrate and conceal his schemes, Mr. Talley falsified information in the University’s accounting software, submitted fictitious invoices, and fabricated university purchasing card records.

FINDING 1

Table 1Public monies Mr. Talley embezzled July 1997 through January 2013

Source: Auditor General staff analysis of university and bank records, and interviews with university representatives.

Description Number of payments Amount

Check payments to fictitious vendor, Flag Mailing Products 245 $342,615

Purchasing card payments to fictitious vendor, Omega Supplies 12 12,287

Total embezzled 257 $354,902

Mr. Talley caused the University to issue 245 checks to his fictitious company, Flag Mailing ProductsFrom July 1997 through May 2012, Mr. Talley caused the University to issue 245 checks totaling $342,615 to his fictitious company, Flag Mailing Products, for postal supplies the University never requested nor received. Specifically, although certain records were not available for the entire embezzlement period, Mr. Talley’s university accounting software login credentials, or those he had access to, were used to authorize the majority of the supposed purchase of goods from Flag Mailing Products.3 In addition, the receipt of these goods was falsely marked as verified in the accounting software mostly by these same users’ credentials. The remaining purchase authorizations and receipt of goods verifications were made by other employees who admitted to Auditor General staff that although they should have inspected the goods, they never physically verified any items were actually

3 As further described in Finding 2 on page 7, one of Mr. Talley’s subordinates shared with him her university accounting software login credentials.

received. Additionally, many of the invoiced items were for extraneous products, such as wooden nesting bins that were not used by postal services or for mailbox doors and locks that were donated by another organization.

Likewise, 29 Flag Mailing Products’ invoices for these supposed items were fabricated to match the false purchase information in the accounting software.4 Still, these invoices included certain anomalies that university employees should have noticed and investigated. For instance, invoices often had math and spelling errors, were missing amounts and dates, and were missing invoice numbers or had invoice numbers that were contrived from the date. Invoices were generally submitted to the finance department one to three times a month and ranged from $444.62 to $2,472.57. As a result, the University issued 245 checks totaling $342,615 payable to Flag Mailing Products. Although records are not available for all 245 checks, 179 of these checks were sent to either Mr. Talley’s personal residence or to a mailbox he rented from a retail postal services store.

Although not all checks were available and some endorsements were illegible, 216 of the 245 checks payable to Flag Mailing Products were fraudulently endorsed with the name of Mr. Talley’s friend. This false endorsement was sometimes combined with “Flag Mailing Products” and then deposited into a credit union account that Mr. Talley and his friend held jointly. Although Mr. Talley declined to interview with Auditor General staff, he provided through his attorney a sworn statement declaring that this friend “. . . had no involvement whatsoever in any misconduct involving Northern Arizona University (NAU) funds.” Similarly, Mr. Talley’s friend reported to Auditor General staff that she had never heard of Flag Mailing Products and did not deposit or endorse any of these checks. Within a few weeks after the checks were deposited, the monies were generally withdrawn or transferred to Mr. Talley’s other bank and credit union accounts and used for his personal expenses.

Mr. Talley caused the University to make 12 purchasing card payments to his fictitious company, Omega SuppliesFrom July 2012 through January 2013, Mr. Talley caused the University to make 12 purchasing card payments totaling $12,287 to his fictitious company, Omega Supplies, for postal supplies the University never requested nor received and falsified purchasing card records to help conceal his embezzlement. Specifically, after the University implemented new accounting software in July 2012 and required all vendors to provide a new W-9 form–Request for Taxpayer Identification Number and Certification, Mr. Talley ceased submitting Flag Mailing Products invoices and began using his university purchasing card to purportedly buy supplies from a different fictitious company, Omega Supplies. These university purchasing card payments were processed through the same merchant services company Mr. Talley used for his legitimate business of selling personal security devices described on page 1, Talley Security, and deposited in his business bank account.

The 12 university purchasing card payments were processed electronically and deposited in Mr. Talley’s business bank account—To obtain these university purchasing card payments electronically, Mr. Talley accessed the credit card processing service he used for Talley Security. Specifically, the University’s purchasing card information was processed through the merchant service company’s remote terminal, which Mr. Talley ordered in Omega Supplies’ name and linked to his business bank account. After charging the university purchasing card, payments were directly credited to Mr. Talley’s business bank account generally within 4 days, commingled with other deposits, and used for his personal and business expenses.

4 Flag Mailing Products’ invoices submitted prior to July 2007 were not available.


PAGE 4

Flag Mailing Products fictitious invoices often:

• Contained math and spelling errors.

• Were missing amounts and dates.

• Were missing invoice numbers or had invoice numbers that were contrived from the date.

Mr. Talley submitted fictitious Omega Supplies’ invoices and fabricated purchasing card records to help orchestrate and conceal his scheme—Although Mr. Talley typically charged these fictitious Omega Supplies’ purchases ranging from $670 to $1,104 twice a month, he did not always submit an invoice to the finance department. The eight invoices he did submit were fictitious and had anomalies similar to Flag Mailing Products invoices. For instance, they often had math errors, used nonexistent addresses, always had even dollar amounts, were missing amounts, and had invoice numbers that were contrived from the date. Additionally, the invoiced items were mostly for extraneous products, such as mailbox locks, which another organization donated.

Mr. Talley did not submit any invoices for the remaining four Omega Supplies charges. Rather, Mr. Talley fabricated records by removing these amounts from the bank purchasing-card-activity statements and omitting the same charges from his purchasing-card logs, which he submitted monthly to a university finance department employee for approval. Nevertheless, Mr. Talley was not able to fully conceal his theft by this omission as he did not alter the bank software, which recorded all 12 of the Omega Supplies’ purchasing card charges. Consequently, as described on page 1, university staff were able to find all $12,287 of Mr. Talley’s purchasing card charges that he made with Omega Supplies.


PAGE 5

Omega Supplies fictitious invoices often:

• Contained math errors.

• Used nonexistent addresses.

• Always had even dollar amounts.

• Were missing amounts.

• Had invoice numbers that were contrived from the date.


PAGE 6


PAGE 7

Former university officials failed to safeguard and control university moniesFormer Northern Arizona University (University) officials failed to properly protect and control university monies by not always providing adequate oversight of the postal services department, thus affording Mr. Talley the opportunity to abuse his position and circumvent controls. Specifically, university officials failed to ensure policies and procedures designed to safeguard public monies were being appropriately abided by, as follows:

• Receipt of postal supplies not verified—Although university policy required an employee independent of ordering postal supplies to inspect the goods and verify the actual receipt of them prior to any payment, none of the reported postal supplies from Flag Mailing Products were ever verified as having been physically received. Two employees whose login credentials showed that they had verified the receipt of these supplies admitted to Auditor General staff that they had not physically verified that any of the items were in fact received. A third employee was unaware that her credentials were used to verify the receipt of these items in the accounting software and denied that she approved these purchases, but admitted she had shared her login credentials with her supervisor, Mr. Talley.

• Accounting software login credentials improperly shared—As described above, one of Mr. Talley’s subordinates improperly shared her login credentials with him, thus allowing him access and ability to override existing controls within the accounting software. Moreover, it came to our attention that several other employees were also improperly sharing their login credentials despite university policy prohibiting such action.

• Invoice anomalies not investigated—All available invoices from Flag Mailing Products and Omega Supplies contained at least one anomaly, and most of these invoices included several more unusual aspects that an employee should have investigated. Although an employee independent of ordering postal supplies reviewed invoices and compared them to information recorded in the accounting software prior to payment, the reviewer failed to notice and pursue unusual aspects such as math and spelling errors, missing amounts and dates, even dollar amounts, and missing or nonsequential invoice numbers. A further study would have also revealed nonexistent addresses and could have stopped Mr. Talley’s fraud scheme.

• Purchasing card reports not reconciled to bank software—Mr. Talley’s supervisors reviewed only the purchasing card logs and activity statements he submitted to them and did not reconcile or compare these reports to the bank software. This reconciliation would have revealed the Omega Supplies charges Mr. Talley had omitted from his reports and could have stopped his fraud scheme.

FINDING 2


PAGE 8


PAGE 9

Although the University took corrective measures, university officials can take additional actions to improve control over public monies and help deter and detect fraudIn the time since the Office of the Auditor General’s investigation began, university officials reported that they instituted new procedures and implemented improvements to controls over university purchasing practices such as adding new purchasing card software that disallows purchasing card users from manipulating activity statements. University officials also implemented a new conduct, ethics, reporting, and transparency program that outlines employees’ legal and ethical obligations to the University. Finally, university officials conducted a training for employees regarding internal controls and financial transactions, and mandated that employees not share their login credentials.

RecommendationsAlthough the University took these corrective measures and no internal control system can completely prevent dishonest behavior such as Mr. Talley’s, the following recommendations are additional actions university officials can take to improve control over public monies and help deter and detect fraud. Specifically, university officials should:

1. Perform periodic reviews on a random and unannounced basis to ensure that invoiced goods marked as received in the accounting software are actually physically located and accounted for.

2. Continue to require employees to sign statements acknowledging their understanding and acceptance of university policies concerning employment. Additionally, consider requiring all employees to separately acknowledge their understanding and acceptance of the university policy that prohibits the sharing of login credentials and outlines employees’ responsibilities for protecting and locking their computer or work stations when not in use.

3. Periodically assess whether controls over the University’s purchasing process are functioning effectively as designed and explore ways to strengthen them. Likewise, ensure that the University continues providing training to employees involved in the purchasing process. That training should include guidance on how to review vendor invoices for accuracy and appropriateness, as well as for anomalies that should be investigated. Additionally, university officials should consider including criteria in these employees’ performance evaluations regarding their adherence to university purchasing procedures.

RECOMMENDATIONS


PAGE 10


PAGE 11

On October 20, 2016, the Coconino County Attorney’s Office presented evidence to the Coconino County Grand Jury. This action resulted in Mr. Talley’s indictment on six felony counts related to theft, misuse of public monies, fraudulent schemes, and money laundering.

CONCLUSION

Arizona State University Sun Devil Athletics

2016 Summer Financial Aid Audit August 17, 2016




Page 1 of 7

Summary The Sun Devil Athletics (SDA) – 2016 Summer Financial Aid audit was included in the Arizona State University (ASU) annual audit plan for Fiscal Year 2017. This audit is historically completed on an annual basis, and is deemed to be of strategic importance given the reputational risk posed to the University for non-compliance with National Collegiate Athletic Association (NCAA) regulations and bylaws. Background: Approximately five hundred fifty student-athletes at ASU compete in ten men’s programs and thirteen women’s programs in one of the most competitive conferences in the country, the Pac-12. Men compete in baseball, basketball, football, golf, swimming & diving, indoor track & field, outdoor track & field, cross country, wrestling, and ice hockey; women compete in basketball, golf, gymnastics, soccer, softball, swimming & diving, tennis, indoor track & field, outdoor track & field, cross country, volleyball, beach volleyball, and water polo. The University’s Athletics Compliance Office (Athletics Compliance) is responsible for administering and monitoring sports program compliance with NCAA regulations and bylaws. The major institutional risks the University seeks to mitigate include regulatory and reputational risk. Audit Objectives: The objectives of the engagement were to evaluate the effectiveness of the Sun Devil Athletics and Athletics Compliance processes to ensure compliance with NCAA bylaws regarding student-athlete financial aid and pertinent Arizona Board of Regents and Arizona State University policies and procedures. Scope: The scope of this engagement was to review and evaluate the University’s compliance with the NCAA rules and bylaws pertaining to summer 2016 Financial Aid. The summer 2016 period for all twenty-three Sun Devil Athletics sponsored teams was reviewed at the request of Athletics Compliance, which is responsible for administering and monitoring sports program compliance with NCAA regulations and bylaws. Methodology: University Audit evaluated supporting documentation provided by Athletics Compliance for the sports programs under review, and assessed the effectiveness of processes governing the administration and monitoring of the Financial Aid process, as well as compliance with applicable NCAA bylaws and pertinent policies and procedures. Athletics Compliance provided a list of student-athletes who were scheduled to take summer session classes. A random sample of student-athletes was selected, and this information was then reconciled to the individual student-athlete accounts in PeopleSoft for the selected student-athletes. All twenty-three of the ASU sponsored teams were included in the scope of the audit, and a sample size of twenty-five percent of the student-athletes was selected from eighteen



Page 2 of 7

sponsored teams for inclusion in the audit test work. The women’s beach volleyball team, women’s golf, and men’s cross country teams did not have any specific members request athletic financial aid for summer 2016. The student-athletes received athletic financial aid to attend school during summer sessions. Student athletes are counted once even if receiving summer financial aid for multiple sessions of summer school. The breakdown of the audit sample by sport is as follows:

Sport Number of Student-Athletes Receiving Athletic Financial Aid

Number of Students Sampled Women’s Basketball 16 4 Women’s Beach Volleyball 0 0 Women’s Cross Country 1 1 Women’s Golf 0 0 Women’s Gymnastics 7 2 Women’s Soccer 17 5 Softball 4 1 Women’s Swimming 6 2 Women’s Tennis 1 1 Women’s Track, Indoor and Outdoor 3 1 Women’s Volleyball 15 4 Women’s Water Polo 3 1 Baseball 13 4 Men’s Basketball 11 3 Men’s Cross Country 0 0 Football 83 21 Men’s Golf 3 1 Men’s Ice Hockey 9 3



Page 3 of 7

Men’s Swimming 7 2 Men’s Track, Indoor and Outdoor 1 1 Men’s Wrestling 8 2 Total 208 59 Conclusion: Based on the audit test work performed, University Audit noted no instances of non-compliance with the NCAA bylaws under review related to Summer Financial Aid. For the current 2016 Summer Financial Aid Audit, the student-athlete book reconciliation was completed in a timely manner prior to the start of the Fall 2016 semester. This is a direct result of Athletics Compliance and the SDA Office of Student-Athletic Development working with the Sun Devil Stores manager, Follett Higher Education Group, Inc., to streamline the process involving student-athlete books so the reconciliation could be completed efficiently and in a timely manner. The NCAA Bylaws reviewed are listed in Appendix A, while the NCAA Compliance rules are listed in Appendix B. The control standards University Audit considered during this audit and the status of the related control environment are provided in the following table:

General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)

Control Environment

Finding No.

Page No.

Reliability and Integrity of Financial and Operational Information Not Applicable N/A N/A Effectiveness and Efficiency of Operations Not Applicable N/A N/A Safeguarding of Assets Not Applicable N/A N/A Compliance with Laws and Regulations Reasonable to Strong

Controls in Place N/A N/A

We appreciate the assistance of Athletics Compliance and the Student Business Services office staff during the audit.

________________________________

____________________________

Kim Prendergast, CPA, CIA, CFE Internal Auditor Senior

Lisa Grace, CPA, CIA, CISA, CISSP Chief Audit Executive



Page 4 of 7

Distribution: Audit Committee, Arizona Board of Regents Michael M. Crow, President Mark S. Searle, Interim University Provost Morgan R. Olsen, Executive Vice President, Treasurer and Chief Financial Officer José A. Cárdenas, Senior Vice President and General Counsel Christine K. Wilkinson, Senior Vice President and Secretary of the University Joanne Wamsley, Vice President for Finance Ray Anderson, Vice President for University Athletics and Athletic Director Jeffrey Wilson, Faculty Athletic Representative Cynthia Jewett, Senior Associate General Counsel Stephen T. Webb, Executive Director Athletic Compliance Melissa Pizzo, Executive Director, Financial Aid and Scholarship Services Justin Pollnow, Director of Athletic Compliance Internal Audit Review Board



Page 5 of 7

Appendix A – NCAA Bylaws Reviewed The following NCAA Bylaws were selected for inclusion in the SDA –2016 Summer Financial Aid audit: 15.2.3 Books. A member institution may provide a student-athlete financial aid that covers the actual cost of required course-related books. [R] (Revised: 4/24/03 effective 8/1/03) 15.2.8 Summer Financial Aid. Summer financial aid may be awarded only to attend the awarding institution’s summer term, summer school or summer-orientation program, provided the following conditions are met: (Revised: 1/10/90, 1/10/92) (a) The student has been in residence a minimum of one term during the regular academic year; (b) The student is attending a summer term, summer school or summer-orientation program and financial aid is administered pursuant to Bylaw 15.2.8.1.2, 15.2.8.1.3 or 15.2.8.1.4; or (c) The student is a two-year or a four-year college transfer student and is receiving aid to attend the awarding institution’s summer-orientation program. 15.2.8.1 General Stipulations. A student-athlete who is eligible for institutional financial aid during the summer is not required to be enrolled in a minimum full-time program of studies. However, the student-athlete may not receive financial aid that exceeds the cost of attendance in that summer term. A student-athlete may receive institutional financial aid based on athletics ability (per Bylaw 15.02.4.1 and 15.02.4.2), and any other financial aid up to the value of his or her cost of attendance. (See Bylaws 15.01.6.1, 16.3, 16.4 and 16.12.) (Revised: 4/29/04 effective 8/1/04, 5/26/09, 1/15/11 effective 8/1/11, 1/17/15 effective 8/1/15) 15.2.8.1.1 Exception for Pell Grant. A student-athlete who receives a Pell Grant may receive financial aid equivalent to the limitation set forth in Bylaw 15.2.8.1 or the value of a full grant-in-aid plus the Pell Grant, whichever is greater. (Adopted: 4/29/04 effective 8/1/04)

15.2.8.1.2 Enrolled Student-Athletes. After initial full-time enrollment during a regular academic year, a student-athlete shall not receive athletically related financial aid to attend the certifying institution’s summer term or summer school unless the student-athlete received such athletically related aid from the certifying institution during the student-athlete’s previous academic year at that institution. (Adopted: 1/10/90 effective 8/1/90, Revised: 1/10/91, 1/10/92, 11/12/97, 4/26/12, 4/28/16) 15.2.8.1.2.1 Attendance during Only One Term of Previous Academic Year. A student-athlete who attended the institution on a full-time basis for only one regular term during the previous academic year may receive financial aid during the following summer term (Adopted: 1/10/92, Revised: 04/28/16)

15.2.8.1.2.2 Exception for Nonqualifiers. A nonqualifier may receive athletically related financial aid to attend an institution’s summer term or summer school after the first academic year in residence under the following conditions: (Adopted: 1/10/92, Revised: 1/14/97 effective 8/1/97, 4/28/16) (a) The student-athlete has satisfied progress-toward-degree requirements and, thus, would be eligible for competition for the succeeding year (the student-athlete must have successfully satisfied the applicable requirements of Bylaw 14.4.3 and be in good academic standing at the institution); and (b) The student-athlete has been awarded athletically related financial aid for the succeeding academic year. 15.2.8.1.2.3 Exception for First-Time Recipient in the Next Academic Year. A student-athlete who has not received athletically related aid from the certifying institution during a previous academic year may receive athletically related financial aid to attend the institution’s summer term or summer school, provided he or she has been awarded athletically related financial aid for the following academic year. (Adopted: 1/15/11, Revised: 4/28/16)



Page 6 of 7

15.2.8.1.3 Prior to Initial, Full-Time Collegiate Enrollment—Institutional Nonathletics Aid. The following conditions apply to the awarding of institutional nonathletics financial aid to a prospective student-athlete to attend an institution in the summer prior to the prospective student-athlete’s initial, full-time collegiate enrollment: [D] (Adopted: 1/10/90, Revised: 1/10/92, 4/26/01, 3/10/04, 4/29/04, 1/10/05, effective 5/1/05, 3/14/05, 1/15/11 effective 8/1/11, 1/14/12, 1/18/14 effective 8/1/14) (a) The recipient shall be admitted to the awarding member institution in accordance with regular, published entrance requirements; (b) The recipient, if recruited (per Bylaw 15.02.8), is subject to NCAA transfer provisions pursuant to Bylaw 14.5.2-(h); (c) During the summer term or orientation period, the recipient shall not engage in any countable athletically related activities except for those activities specifically permitted in Bylaws 13 and 17 (see Bylaws 13.11.3.9, 17.1.1 and 17.1.1.1). 15.2.8.1.4 Prior to Initial Full-Time Enrollment at the Certifying Institution—Athletics Aid. The following conditions apply to the awarding of athletically related financial aid to a prospective student-athlete (including a prospective student-athlete not certified by the NCAA Eligibility Center as a qualifier) to attend an institution in the summer prior to the prospective student’s initial, full-time enrollment at the certifying institution (see also Bylaw 13.02.12.1): (Adopted: 4/27/00 effective 8/1/00, Revised: 9/6/00, 4/26/01, 3/10/04, 4/29/04, 1/10/05 effective 5/1/05, 3/14/05, 5/9/07, 1/15/11 effective 8/1/11, 1/14/12) (a) The recipient shall be admitted to the awarding member institution in accordance with regular, published entrance requirements; (b) The recipient is enrolled in a minimum of six hours of academic course work (other than physical education activity courses) that is acceptable degree credit toward any of the institution’s degree programs. Remedial, tutorial and noncredit courses may be used to satisfy the minimum six-hour requirement, provided the courses are considered by the institution to be prerequisites for specific courses acceptable for any degree program and are given the same academic weight as other courses offered by the institution; (c) The recipient, if recruited (per Bylaw 15.02.8), is subject to NCAA transfer provisions pursuant to Bylaw 14.5.2-(h), unless admission to the institution as a full-time student is denied; (d) During the summer term or orientation period, the recipient shall not engage in any countable athletically related activities except for those activities specifically permitted in Bylaws 13 and 17; and (e) Summer coursework is not used for the purpose of completing initial-eligibility or continuing-eligibility (transfer eligibility, progress-toward-degree) requirements. However, the hours earned during the summer prior to initial full-time enrollment at the certifying institution may be used to satisfy the applicable progress-toward-degree requirements in following years (see Bylaw 14.4.3). 15.2.8.2 Branch School. An institution may not provide a student-athlete with financial aid to attend a summer session at a branch campus of the institution.



Page 7 of 7

Appendix B – NCAA Compliance 2.1 The Principle of Institutional Control and Responsibility. [*] 2.1.1 Responsibility for Control. [*] It is the responsibility of each member institution to control its intercollegiate athletics program in compliance with the rules and regulations of the Association. The institution’s president or chancellor is responsible for the administration of all aspects of the athletics program, including approval of the budget and audit of all expenditures. (Revised: 3/8/06) 2.1.2 Scope of Responsibility. [*] The institution’s responsibility for the conduct of its intercollegiate athletics program includes responsibility for the actions of its staff members and for the actions of any other individual or organization engaged in activities promoting the athletics interests of the institution. 2.8 The Principle of Rules Compliance. [*] 2.8.1 Responsibility of Institution. [*] Each institution shall comply with all applicable rules and regulations of the Association in the conduct of its intercollegiate athletics programs. It shall monitor its programs to assure compliance and to identify and report to the Association instances in which compliance has not been achieved. In any such instance, the institution shall cooperate fully with the Association and shall take appropriate corrective actions. Members of an institution’s staff, student-athletes, and other individuals and groups representing the institution’s athletics interests shall comply with the applicable Association rules, and the member institution shall be responsible for such compliance. 2.8.2 Responsibility of Association. [*] The Association shall assist the institution in its efforts to achieve full compliance with all rules and regulations and shall afford the institution, its staff and student-athletes fair procedures in the consideration of an identified or alleged failure in compliance. 2.8.3 Penalty for Noncompliance. [*] An institution found to have violated the Association’s rules shall be subject to such disciplinary and corrective actions as may be determined by the Association.



Student-Athlete Eligibility Audit September 13, 2016




Page 1 of 9

Summary The Sun Devil Athletics (SDA) 2016 Student-Athlete Eligibility audit was included in the Arizona State University (ASU) annual audit plan for Fiscal Year (FY) 2016. This audit is completed on a cyclical basis, and is deemed to be of strategic importance given the reputational risk posed to the University for non-compliance with NCAA regulations and bylaws. Background: Approximately five hundred fifty student-athletes at ASU compete in ten men’s programs and thirteen women’s programs in one of the most competitive conferences in the country, the Pac-12. Men compete in baseball, basketball, football, golf, swimming & diving, indoor track & field, outdoor track & field, cross country, wrestling, and ice hockey; women compete in basketball, golf, gymnastics, soccer, softball, swimming & diving, tennis, indoor track & field, outdoor track & field, cross country, volleyball, beach volleyball, and water polo. The University’s Athletics Compliance Office (Athletics Compliance) is responsible for administering and monitoring sports program compliance with National Collegiate Athletic Association (NCAA) regulations and bylaws. The major institutional risks the University seeks to mitigate include regulatory and reputational risk. The Faculty Athletic Representative (FAR) is responsible for ensuring that student-athletes meet all NCAA, conference and institutional requirements for eligibility for practice, financial aid and intercollegiate competition. This should include continuing academic eligibility requirements for both freshmen and transfer student-athletes. These certifications should be performed by the FAR, performed under the direction of the FAR or, at a minimum, periodically reviewed and audited by the FAR. Initial eligibility certification is completed by the NCAA Eligibility Center. Academic eligibility certifications should be performed by persons outside of SDA. Audit Objectives: The objectives of the engagement were to evaluate the effectiveness of the Sun Devil Athletics, Athletics Compliance, and FAR processes to ensure compliance with NCAA bylaws regarding Student-Athlete Eligibility and pertinent Arizona Board of Regents and Arizona State University policies and procedures. Scope: The scope of this engagement was to review and evaluate the University’s compliance with the NCAA rules and bylaws pertaining to Student-Athlete Eligibility for academic year 2016. This audit was conducted at the request of Athletics Compliance, which is responsible for administering and monitoring sports program compliance with NCAA regulations and bylaws.



Page 2 of 9

Methodology: University Audit assessed Athletics Compliance, individual team, and FAR compliance with applicable NCAA bylaws, Arizona Board of Regents, and Arizona State University policies and procedures. Supporting documentation was provided by Athletics Compliance and the FAR Office for the sports programs under review. All twenty-three of the ASU sponsored teams were included in the scope of the audit, and University Audit selected a sample size of twenty-five percent of the sponsored teams for inclusion in the audit test work. Student-athletes were selected from squad lists which may include students participating in multiple sports or student-athletes who are not currently active team participants. The breakdown of the audit sample by sponsored team is as follows:

Sport Number of Student-Athletes Included on Squad List

Number of Student-Athletes Sampled

Baseball 38 10 Football 133 34 Men’s Basketball 16 4 Men’s Cross Country 20 5 Men’s Golf 9 3 Men’s Ice Hockey 33 9 Men’s Swimming 30 8 Men’s Track, Indoor 51 13 Men’s Track, Outdoor 52 13 Men’s Wrestling 48 12 Women’s Basketball 15 4 Women’s Cross Country 20 5 Women’s Golf 9 3 Women’s Gymnastics 14 4 Women’s Beach Volleyball 24 6 Women’s Soccer 34 9 Softball 27 7 Women’s Swimming 19 5 Women’s Tennis 9 3 Women’s Track, Indoor 49 13 Women’s Track, Outdoor 50 13 Women’s Volleyball 20 5 Women’s Water Polo 22 6

Total 742 194



Page 3 of 9

Conclusion: Based on the audit test work performed, University Audit noted no instances of non-compliance with the NCAA bylaws and Arizona State University policies and procedures related to Student-Athlete Eligibility. The NCAA Bylaws reviewed are listed in Appendix A, while the NCAA Compliance rules are listed in Appendix B. The control standards University Audit considered during this audit and the status of the related control environment are provided in the following table. General Control Standard (The bulleted items are internal control objectives that apply to the general control standards, and will differ for each audit.)

Control Environment

Finding No.

Page No.

Reliability and Integrity of Financial and Operational Information

Not Applicable Effectiveness and Efficiency of Operations Not Applicable

Safeguarding of Assets Not Applicable Compliance with Laws and Regulations

Compliance with NCAA Bylaws, ABOR and ASU Policies and Procedures

Reasonable to Strong Controls in Place

We appreciate the assistance of the Athletics Compliance and the Faculty Athletic Representative staff during the audit.

________________________________

____________________________

Kim Prendergast, CPA, CIA, CFE Internal Auditor Senior

Lisa Grace, CPA, CIA, CISA, CISSP Chief Audit Executive



Page 4 of 9

Distribution: Audit Committee, Arizona Board of Regents Michael M. Crow, President Mark S. Searle, Interim University Provost Morgan R. Olsen, Executive Vice President, Treasurer and Chief Financial Officer José A. Cárdenas, Senior Vice President and General Counsel Christine K. Wilkinson, Senior Vice President and Secretary of the University Joanne Wamsley, Vice President for Finance Ray Anderson, Vice President for University Athletics and Athletic Director Jeffrey Wilson, Faculty Athletic Representative Cynthia Jewett, Senior Associate General Counsel Stephen T. Webb, Executive Director Athletic Compliance Lori Briese, Assistant to the Senior Vice President and Secretary of the University Internal Audit Review Board



Page 5 of 9

Appendix A – NCAA Bylaws Reviewed The following NCAA Bylaws were selected for inclusion in the SDA – 2016 Student-Athlete Eligibility audit: 12.7.2.1 Content and Purpose. Prior to participation in intercollegiate competition each academic year, a student-athlete shall sign a statement in a form prescribed by the Council in which the student-athlete submits information related to eligibility, recruitment, financial aid, amateur status, previous positive-drug tests administered by any other athletics organization and involvement in organized gambling activities related to intercollegiate or professional athletics competition under the Association’s governing legislation. Failure to complete and sign the statement shall result in the student-athlete’s ineligibility for participation in all intercollegiate competition. Violations of this bylaw do not affect a student-athlete’s eligibility if the violation occurred due to an institutional administrative error or oversight, and the student-athlete subsequently signs the form; however, the violation shall be considered an institutional violation per Constitution 2.8.1. (Revised: 1/10/92 effective 8/1/92, 1/14/97, 2/19/97, 4/24/03, 11/1/07 effective 8/1/08, 7/31/14, 8/7/14) 12.7.2.2 Administration. The following procedures shall be used in administering the form: (Revised: 8/4/89, 1/9/06 effective 8/1/06, 7/30/10, 7/31/14) (a) The statement shall be administered individually to each student-athlete by the athletics director or the athletics director’s designee prior to the student’s participation in intercollegiate competition each academic year; and (b) The statement shall be kept on file by the athletics director and shall be available for examination upon request by an authorized representative of the NCAA. 12.7.2.3 Institutional Responsibility—Notification of Positive Test. The institution shall promptly notify the NCAA’s chief medical officer, in writing, regarding a student-athlete’s disclosure of a previous positive test for banned substances administered by any other athletics organization. (Adopted: 1/14/97 effective 8/1/97, Revised: 7/31/14) 12.7.3.1 Content and Purpose. Each academic year, a student-athlete shall sign a form maintained by the Committee on Competitive Safeguards and Medical Aspects of Sports and approved by the Council in which the student consents to be tested for the use of drugs prohibited by NCAA legislation. Failure to complete and sign the consent form prior to practice or competition, or before the Monday of the fourth week of classes (whichever occurs first) shall result in the student-athlete’s ineligibility for participation (practice and competition) in all intercollegiate athletics. (Adopted: 1/10/92 effective 8/1/92, Revised: 1/16/93, 1/10/95 effective 8/1/95, 1/14/97, 4/24/03, 8/5/04, 11/1/07 effective 8/1/08, 7/30/10, 7/31/14, 8/7/14) 12.7.3.2 Administration. The following procedures shall be used in administering the form (see Constitution 3.2.4.7): (Adopted: 1/10/92 effective 8/1/92, Revised: 4/27/00, 7/30/10, 7/31/14) (a) The consent form shall be administered individually to each student-athlete by the athletics director or the athletics director’s designee each academic year; (b) The athletics director or the athletics director’s designee shall disseminate the list of banned drug classes to all student-athletes and educate them about products that might contain banned drugs. All student-athletes are to be notified that the list may change during the academic year,



Page 6 of 9

that updates may be found on the NCAA website (www.ncaa.org) and informed of the appropriate athletics department procedures for disseminating updates to the list; and (c) The consent form shall be kept on file by the athletics director and shall be available for examination upon request by an authorized representative of the NCAA. 12.7.3.3 Exception—14-Day Grace Period. A student-athlete who is “trying out” for a team is not required to complete the form until 14 days from the first date the student-athlete engages in countable athletically related activities or before the student-athlete participates in a competition, whichever occurs earlier. (Adopted: 4/27/06 effective 8/1/06, Revised: 7/31/14) 12.7.3.4 Effect of Violation. A violation of Bylaw 12.7.3 or its subsections shall be considered institutional violations per Constitution 2.8.1; however, a violation shall not affect the student-athlete’s eligibility, provided the student-athlete signs the consent form. (Revised: 4/28/05 effective 8/1/05, 7/30/10, 7/31/14) 12.7.5 Eligibility Requirements for Male Students to Practice With Women’s Teams. Male students may engage in practice sessions with women’s teams under the following conditions: (Revised: 5/12/05, 5/29/08, 7/31/14) (a) Male students who practice with an institution’s women’s team on an occasional basis must be verified as eligible for practice in accordance with Bylaw 14.2.1 and must have eligibility remaining under the five-year rule (see Bylaw 12.8.1); (b) Male students who practice with an institution’s women’s teams on a regular basis must be certified as eligible for practice in accordance with all applicable NCAA eligibility regulations (e.g., must be enrolled in a minimum full-time program of studies, must sign a drug-testing consent form, must be included on the institution’s squad list); (c) It is not permissible for an institution to provide male students financial assistance (room and board, tuition and fees, and books) in return for practicing with a women’s team. A male student who is receiving financial aid or any compensation for serving in any position in the athletics department may not practice with a women’s team. A male student-athlete who is a counter in a men’s sport may not engage in practice sessions with an institution’s women’s team in any sport; (d) It is not permissible for an institution to provide male students room and board to remain on campus during a vacation period to participate in practice sessions with a women’s team; (e) It is not permissible for a male student-athlete who is serving an academic year of residence as a nonqualifier to participate in practice sessions with a women’s team; and (f ) It is permissible for an institution to provide practice apparel to male students for the purpose of practicing with a women’s team. 12.8 Seasons of Competition: Five-Year Rule. A student-athlete shall not engage in more than four seasons of intercollegiate competition in any one sport (see Bylaws 17.02.8 and 14.3.3). An institution shall not permit a student-athlete to represent it in intercollegiate competition unless the individual completes all of his or her seasons of participation in all sports within the time periods specified below: (Revised: 7/31/14) 12.8.1 Five-Year Rule. A student-athlete shall complete his or her seasons of participation within five calendar years from the beginning of the semester or quarter in which the student-athlete first registered for a minimum full-time program of studies in a collegiate institution, with



Page 7 of 9

time spent in the armed services, on official religious missions or with recognized foreign aid services of the U.S. government being excepted. For international students, service in the armed forces or on an official religious mission of the student’s home country is considered equivalent to such service in the United States. (Revised: 4/2/10, 7/31/14) 14.2.2.1.3 Final Semester/Quarter. A student-athlete may compete while enrolled in less than a minimum full-time program of studies, provided the student is enrolled in the final semester or quarter of the baccalaureate program and the institution certifies that the student is carrying (for credit) the courses necessary to complete degree requirements. The student granted eligibility under this provision shall be eligible for any postseason event that begins within 60 days following said semester or quarter, provided the student has not exhausted the five years for completion of the individual’s maximum permissible number of seasons of eligibility (see Bylaw 12.8). Thereafter, the student shall forfeit eligibility in all sports, unless the student completes all degree requirements during that semester or quarter and is eligible to receive the baccalaureate diploma on the institution’s next degree-granting date. (Revised: 1/10/92, 1/16/93, 1/10/95, 2/1/05, 11/1/07 effective 8/1/08, 1/14/12, 8/21/12) 14.2.2.1.4 Graduate Program. A student may compete while enrolled in a full-time graduate program as defined by the institution (see Bylaw 14.6). (Revised: 1/9/06 effective 8/1/06) 14.3.1 Eligibility for Financial Aid, Practice and Competition. A student-athlete who enrolls in a member institution as an entering freshman with no previous full-time college attendance shall meet the following academic requirements, as certified by the NCAA Eligibility Center, as approved by the Board of Governors, and any applicable institutional and conference regulations, to be considered a qualifier and thus be eligible for financial aid, practice and competition during the first academic year in residence. (Revised: 1/16/93 effective 8/1/94, 1/9/96 effective 8/1/97, 3/22/06, 5/9/07, 10/30/14) Delayed effective date. See specific date below. 14.3.1 Eligibility for Financial Aid, Practice and Competition. A student-athlete who enrolls in a member institution as an entering freshman with no previous full-time college attendance shall meet the following academic requirements, as certified by the NCAA Eligibility Center, as approved by the Board of Governors, and any applicable institutional and conference regulations, to be considered a qualifier or an academic redshirt. (Revised: 1/16/93 effective 8/1/94, 1/9/96 effective 8/1/97, 3/22/06, 5/9/07, 10/27/11, 4/26/12 effective 8/1/16; for student-athletes initially enrolling full time in a collegiate institution on or after 8/1/16, 10/30/14) 14.4.1 Progress-Toward-Degree Requirements. To be eligible to represent an institution in intercollegiate athletics competition, a student-athlete shall maintain progress toward a baccalaureate or equivalent degree at that institution as determined by the regulations of that institution subject to controlling legislation of the conference(s) or similar association of which the institution is a member and applicable NCAA legislation. (See Constitution 3.2.4.13 regarding the obligations of members to publish their progress-toward-degree requirements for student-athletes.) (Revised: 5/29/08, 4/15/09)



Page 8 of 9

14.4.3.1 Fulfillment of Credit-Hour Requirements. Eligibility for competition shall be determined based on satisfactory completion of at least: (Revised: 1/10/92, 10/31/02 effective 8/1/03, 3/10/04, 4/28/05) (a) Twenty-four semester or 36 quarter hours of academic credit prior to the start of the student-athlete’s second year of collegiate enrollment (third semester, fourth quarter); (b) Eighteen semester or 27 quarter hours of academic credit since the beginning of the previous fall term or since the beginning of the certifying institution’s preceding regular two semesters or three quarters (hours earned during the summer may not be used to fulfill this requirement) (see Bylaw 14.4.3.1.4); and (c) Six semester or six quarter hours of academic credit during the preceding regular academic term (e.g., fall semester, winter quarter) in which the student-athlete has been enrolled full time at any collegiate institution (see Bylaw 14.4.3.4 for postseason certification). 14.4.3.2 Fulfillment of Percentage of Degree Requirements. A student-athlete who is entering his or her third year of collegiate enrollment shall have completed successfully at least 40 percent of the course requirements in the student’s specific degree program. A student-athlete who is entering his or her fourth year of collegiate enrollment shall have completed successfully at least 60 percent of the course requirements in the student’s specific degree program. A student-athlete who is entering his or her fifth year of collegiate enrollment shall have completed successfully at least 80 percent of the course requirements in the student’s specific degree program. The course requirements must be in the student’s specific degree program (as opposed to the student’s major). (Adopted: 1/10/92 effective 8/1/92, Revised: 1/9/96, 10/31/02 effective 8/1/03)



Page 9 of 9

Appendix B – NCAA Compliance 2.1 The Principle of Institutional Control and Responsibility. [*] 2.1.1 Responsibility for Control. [*] It is the responsibility of each member institution to control its intercollegiate athletics program in compliance with the rules and regulations of the Association. The institution’s president or chancellor is responsible for the administration of all aspects of the athletics program, including approval of the budget and audit of all expenditures. (Revised: 3/8/06) 2.1.2 Scope of Responsibility. [*] The institution’s responsibility for the conduct of its intercollegiate athletics program includes responsibility for the actions of its staff members and for the actions of any other individual or organization engaged in activities promoting the athletics interests of the institution. 2.8 The Principle of Rules Compliance. [*] 2.8.1 Responsibility of Institution. [*] Each institution shall comply with all applicable rules and regulations of the Association in the conduct of its intercollegiate athletics programs. It shall monitor its programs to assure compliance and to identify and report to the Association instances in which compliance has not been achieved. In any such instance, the institution shall cooperate fully with the Association and shall take appropriate corrective actions. Members of an institution’s staff, student-athletes, and other individuals and groups representing the institution’s athletics interests shall comply with the applicable Association rules, and the member institution shall be responsible for such compliance. 2.8.2 Responsibility of Association. [*] The Association shall assist the institution in its efforts to achieve full compliance with all rules and regulations and shall afford the institution, its staff and student-athletes fair procedures in the consideration of an identified or alleged failure in compliance. 2.8.3 Penalty for Noncompliance. [*] An institution found to have violated the Association’s rules shall be subject to such disciplinary and corrective actions as may be determined by the Association.


Arizona State University 2016 Capital Project Audit Report Psychology Building Renovation

October 24, 2016


Arizona State University 2016 Capital Project Audit

October 24, 2016

Page 1 of 11

Summary The 2016 Capital Project Audit was included on the Arizona State University (ASU) FY 2017 audit plan approved by the Arizona Board of Regents (ABOR) Audit Committee and ASU senior leadership. The audit focused on the Psychology Building renovation and reviewed the adequacy of controls over the process, focusing on contract administration and due diligence as well as assessing if billings were adequately supported and in accordance with contract provisions. Background: The Psychology Building was originally constructed in 1972 and is a three-story, 81,000 gross square foot structure. The building required upgrades to all building infrastructure systems to meet program requirements and current building and life safety codes. The original project budget was approved at $22.7, million which was later reduced to $20.5 million primarily due to estimate reductions in construction costs and reduction in design/construction contingency requirements. Renovation work included asbestos remediation, new interior finishes, major upgrades to mechanical, electrical and plumbing systems, exterior building repairs, and new audio visual systems and Furniture and Fixed Equipment (FF&E). The project was completed in September 2015. The project was completed using the Construction Manager at Risk (CM@Risk) project delivery method, which provides for early involvement of the construction manager during the design phase, and completion of the construction under a Guaranteed Maximum Price (GMP). The CM@Risk was Holder Construction Group, as chosen by the Selection Committee. The Design Professional was SmithGroup JJR. Other major vendors included Native Environmental (remediation/demolition), Target Interiors (FF&E), and CenturyLink (communications). Holder Construction Group completed the construction portion of the project under a GMP of $14.1Million. Audit Objectives: The objectives of the engagement were to assess the Capital Programs Management Group (CPMG) controls around management and execution of the Psychology Building Renovation Project. Scope: The scope of this engagement was to review and assess the adequacy of controls over the process, focusing on contract administration and due diligence as well as to validate that the contractor billings and reporting were adequately supported and in accordance with contract provisions. Methodology: University Audit, supported by Protiviti, conducted walkthroughs of the CPMG processes used to manage the project including the following areas:

Project Approval Bidding, Procurement, and Contracting Change Management


October 24, 2016

Page 2 of 11

Project Accounting Project Management and Reporting.

In addition, applicable policies and procedures related to the capital project processes were reviewed and assessed for adequacy and compliance. Project documentation also was evaluated to test for compliance with agreed upon contract terms and conditions covering monthly billing, schedule management, change order management, subcontractor management, insurance/risk management and materials and equipment. Conclusion: Based on the audit test work performed, University Audit noted that the Psychology Building Renovation project was completed within the allocated budget. In addition, it was noted that CPMG has effective processes in place to monitor and assess performance of capital management activities, including the following areas:

Policies and procedures to govern project management activities Management and approval of project changes Invoice review processes requiring review from a technical project manager and design professional, including requiring adequate supporting documentation Centralized procurement group to manage contracting, procurement and bidding process for direct contractors, and Processes to monitor and track CM@Risk lien wavers.

Although reasonable to strong controls in these areas were found to be in place, from an overall program management prospective, CPMG would achieve increased benefits and efficiencies from enhancements to certain processes and controls in place around compliance management and project reporting. These specific items are noted below. The control standards University Audit considered during this audit and the status of the related control environment are provided in the following table:


Control Environment

Finding No.

Page No.

Organizational Strategic Objectives are Achieved Capital project budgets are reviewed and

approved by appropriate levels of authority. Reasonable to Strong Controls in Place

N/A N/A Capital project budgets are developed according

to agreed-upon policies and procedures. Reasonable to Strong Controls in Place

N/A N/A Capital projects are advertised for bids and the

lowest responsible bidder is selected. A formal Reasonable to Strong Controls in Place

N/A N/A


October 24, 2016

Page 3 of 11

notice to proceed is required after the contract award is made.


Payment of invoices require project manager review and approval prior to payment.


N/A N/A The project manager reviews and approves the

burdened labor rate to ensure it is accurate and does not include prohibited line items.

Opportunity for Improvement

2

6

Effectiveness and Efficiency of Operations

A defined change management process exists and is followed.


N/A N/A ASU’s organization and project team structure is

clearly defined and reporting roles and responsibilities within the team are clearly understood.


N/A N/A

A Construction Project checklist is utilized to ensure all required project documentation is obtained and maintained as part of the construction project process.


4

9

Ongoing vendor and subcontractor compliance monitoring is performed to ensure compliance to contractual terms.


3

7

Safeguarding of Assets Monthly reports tracking key status and metrics

of the project are prepared by the CM@Risk and provided to ASU.


1

4

Compliance with Laws and Regulations N/A N/A We appreciate the assistance of Capital Programs Management Group during the audit.

___________________________ ____________________________ Gordon Murphy, CPA, CFE, MAEd Internal Auditor Senior

Lisa Grace, CPA, CIA, CISA, CISSP Executive Director


October 24, 2016

Page 4 of 11

1. Required monthly reporting by the CM@Risk was not performed as required by the contract. Condition: The CM@Risk did not provide ASU with the required monthly reporting. Although three instances of detailed cost, schedule and project status were observed in November 2014, January 2015 and February 2015, reports were not formally distributed after this point. The lack of tracking of “Contingency and Allowance usage” is of specific concern as this is one of the primary methods through which ASU would detect potential misuse of the Contingency. Specifically, section 7.11 of the contract allows the CM@Risk to allocate variances of the Schedule of Values (SOV) to the Construction Contingency without express approval by ASU. Section 1.2.3 states that the Bidding/Construction Contingency is to be used to cover any excess in the amount bid by a subcontractor over the amount for that work in the GMP or to cover unforeseen expenses. As a result, the monthly reporting related to the Contingency usage is the primary control that gives management visibility into potential misuse. Criteria: Section 2.1.2 of the contract requires the CM@Risk to provide monthly reporting that includes the following items:

Cost tracking with projected final cost Subcontract amounts and buy-out status Contingency and Allowance usage Updates to current Critical Path Method (CPM) schedule Tracking of project schedule variance Updates to cash flow projection for the duration of the project Copies of the construction superintendent’s daily site reports Identification of construction document conflicts or ambiguities requiring resolution Health and safety performance tracking Tracking of issues that could jeopardize the CM@Risk’s ability to compete the work for the GMP on schedule and within the contract time(s).

Cause: Formal project management processes were not in place to ensure required reporting was obtained and assessed. Instead, reliance was made on the frequent communication between the project manager and the CM@Risk. Effect: Although no material items were noted related to the lack of these reports, it is considered best practice to ensure the monthly updates are obtained and reviewed to ensure effective management of the overall project status and to ensure adequate transparency to potential risk areas of the project.


October 24, 2016

Page 5 of 11

Additionally, specific to the Contingency usage reporting, the lack of transparency around SOV changes and Contingency use negatively impacts management’s ability to ensure that all potential savings are being passed back to ASU as required by the contract, a key benefit of a Guaranteed Maximum Price contract. Although there are review and approval controls in place to ensure that actual items submitted for payment are supportable, the volume of support and detail provided is such that it limits the ability to identify potential misuse of the contingency. Recommendations: CPMG should enforce the contractual terms to ensure consistent distribution of the monthly status reports to ASU project managers, managements and other relevant stakeholders. Management Response: Management concurs with this issue. CPMG will ensure that monthly reports are completed by the CMAR consistently and completely going forward.


October 24, 2016

Page 6 of 11

2. Review of CM@Risk Labor Costs was not formally documented. Condition: There was no evidence documenting that a review was performed of the direct supervisory labor cost. This review ensures that prohibited items are not included and that the overall rates are reasonable and appropriate. Criteria: Sections 1.2.22 and 2.2.2.1 of the contract describe an open book cost concept to ensure there is full transparency of labor costs. It is acceptable that “allocated rates” are used for such billings, but these rates must be reviewed and approved by ASU at the start of the project. Cause: Management confirmed that the review was performed as required; however, this review and approval was not formally documented. Effect: University Audit was unable to independently confirm if this review occurred and if the rates billed by the CM@Risk were compliant with contractual terms. Recommendations: CPMG should formally document the review process involved in reviewing the labor costs including the required approval. As part of this review, appropriate document should be maintained to evidence that the rates are reasonable and do not include any prohibited items. Management Response: Management concurs with this issue. CPMG confirmed that the review was performed and that both the Project Manager and the Project Manager’s Supervisor approved the rate; however, no documentation was maintained. In the future, a formal memo to the project file documenting the review process, including approval by management, will be maintained with the project file.


October 24, 2016

Page 7 of 11

3. Vendor, CM@Risk and Subcontractor Compliance and Monitoring is not occurring in all cases. Condition: CPMG has implemented tracking on various compliance and performance requirements; however, there were several areas identified as part of testing that had limited or no tracking place. Compliance Item Contract/Policy Reference Tracking Mechanism Verification Status Vendor and CM@Risk Insurance Certificates

Varies by contract None Observed No CPMG tracking observed. Insurance certificates provided by CM@Risk. Exceptions noted for Native Environmental and Century Link.

Major Subcontractor 1% Apprenticeship Program Contribution

CM@Risk Contract Section 13.19D

CM@Risk – Tracking Sheet No CPMG tracking observed. Per CM@Risk, mechanical subcontractor is union and is required to make the contribution.

Use of 10% ration of apprentice to journeyman

CM@Risk Contract Section 13.19D

None Observed No tracking mechanism observed for CPMG, CM@Risk or Subcontractors.

Tracking of Subcontractor performance in past ASU projects

ABOR Policy 7-111;Best Practices

None Observed No tracking of subcontractor performance by CPMG observed.

Tracking of Fees and Markups

CM@Risk Contract Sections 1.2.7, 10.4

ASU – Monthly Pay App and Change Notice Review

Minor inconsistencies noted regarding applications of CM@Risk Fee and Tax rates.

Tracking of Rental Equipment

CM@Risk Contract Section 7.12 None Observed Rental Equipment use was minimal during this project.

Criteria: There are various components of the contract that require specific performance by the CM@Risk. Cause: Management did not have a formal process or checklist to ensure all compliance/performance items are tracked to ensure compliance to the terms of the contract. Effect: While none of these areas by themselves are of a significant risk for this project, in aggregate they demonstrate a need to formalize tracking processes to ensure the required terms of the contract are met and maintained.


October 24, 2016

Page 8 of 11

Recommendations: CPMG should work with the CM@Risk to ensure that all subcontractors and service providers are consistently reviewed for compliance with contractual requirements. In addition, tracking mechanisms should be implemented by CPMG to promote contract compliance and reduce risks associated with non-allowable construction costs and under-insurance. In some cases, tracking should be done by the CM@Risk; however, CPMG should implement processes to ensure this is being done. Management Response: CPMG has created a responsible matrix to clarify which ASU department is accountable for contract component management to ensure clearer areas of responsibility and to ensure compliance is tracked.


October 24, 2016

Page 9 of 11

4. Required and/or relevant project documents were not obtained/maintained as part of the Psychology capital project. Condition: Various project documents that may help ASU monitor and control the scope, cost and schedule of project budget or that were required per the contract were not obtained/maintained as part of the overall project management. As a result, the following documents were not available as part of our review. Ref Document Description (1) Documentation of conflict-checks performed (2) Pre-Construction and Construction Phase monthly written status reports (3) Documents confirming that all project close out items were received prior to retention payment (per General

Conditions section 7.9.2) including: a) An affidavit that payrolls, bills tor materials and equipment, and other indebtedness connected with the

Work for which the Owner or the Owner's property might be responsible or encumbered (less amounts withheld by the Owner) have been paid or otherwise satisfied by the CM@Risk;

b) A certificate evidencing that insurance required by the Contract Documents to remain in force after Final Payment is currently in effect and will not be canceled or allowed to expire until at least thirty (30) calendar days' prior written notice has been given to the Owner;

c) Consent of Surety to Final Payment; d) Unconditional waivers of lien in statutory form from all Subcontractors, material suppliers, or other

persons or entities having provided labor, materials and equipment relating to the Work; e) If required by the Owner, other data establishing payment or satisfaction of obligations, such as receipts,

releases and waivers of liens, claims, security interests or encumbrances arising out of the Contract Documents;

f) All Project warranty documents, including special manufacturers warranties; g) Final Subcontractor List; h) All approved Submittals and Shop Drawings (electronic copy); i) Schedule of Required maintenance

Criteria: Based on various contract terms, neither final payment nor final release of retainage shall become due until the CM@Risk submits the required documents. Cause: Although a project checklist was created as a result of a previous contract audit to document required documents that may help ASU monitor and control the scope, cost and schedule of construction projects, it was not available at the time of this audit. No other processes were in place to ensure relevant and required documents were obtained. Effect: Although no specific impact was noted, it is considered best practice to ensure the completion and tracking of these documents to promote a more comprehensive project management process as well as to reduce cost overruns, process inefficiencies and close out issues.


October 24, 2016

Page 10 of 11

Recommendations: CPMG should utilize the project documentation list previously developed. CPMG should develop a document tracking process to promote easy retrieval of documents or to document where compliance to the specified item was not feasible and the reason why. Management Response: Management concurs with this issue. CPMG will work with University Audit to finalize the list and use as part of the overall project management process going forward. This will be completed by January 31, 2017.


October 24, 2016

Page 11 of 11

Distribution: Audit Committee, Arizona Board of Regents Michael M. Crow, President Mark S. Searle, Executive Vice President and University Provost Morgan R. Olsen, Executive Vice President, Treasurer and Chief Financial Officer José A. Cárdenas, Senior Vice President and General Counsel Christine K. Wilkinson, Senior Vice President and Secretary of the University Joanne Wamsley, Vice President for Finance Lisa S. Loo, Vice President for Legal Affairs and Deputy General Counsel Bruce Nevel, Associate Vice President, Facilities Development and Management Bruce Jensen, Executive Director, Capital Programs Management Diane Rowley, Director, Capital Programs Management Internal Audit Review Board


Internal Audit Department

Summer Camps and Conferences Audit Report

June 2016

Report Number FY 16-09


Northern Arizona University Summer Camps and Conferences

Audit Report June 8, 2016

Summary

Our audit of NAU’s Summer Camps and Conferences is in the Annual Audit Plan for FY 2016, as approved by the Audit Committee of the Arizona Board of Regents. This audit links to Northern Arizona University’s goal of having efficient, effective, and accountable practices. Background: In August 2012, NAU entered a management agreement with Sodexo to manage Summer Camps and Conferences. The University’s summer conference season spans mid-May through early August. The one-stop-shop blueprint offers clients the convenience of one point of contact, one contract and one bill for their entire summer program. The single point of contact works closely with NAU departments to coordinate group usage of on-campus lodging, dining, catering, meeting space, academic space, recreation facilities, athletic fields, transportation and parking arrangements. Youth groups from all over the nation choose NAU as their destination for summer programs. NAU is also host to a number of summer adult conferences that include both national and international attendees. These groups range in size from 10 to 2,500 people and stay as little as one night or as long as five weeks. The combination of Flagstaff’s proximity to the Grand Canyon, its elevation, state-of-the-art facilities and summer weather make NAU a popular choice for summer programs. Sodexo utilizes the Event Management System (EMS) to reserve and administer summer camps and conferences. EMS is a database of all NAU rooms and facilities and facilitates the management of room availability. Unit Financial System (UFS) is the accounting system used to account for summer camps and conferences. Summer Camps and Conferences offers many venues for group meetings, receptions and activities, including meeting rooms, classrooms, recreational space and assembly halls. Meeting rooms can be equipped with audio/visual equipment. Meeting rooms are located within the du Bois Center, University Union, Health and Learning Center, W.A. Franke College of Business and R.H. Castro College of Social and Behavior Sciences and include space for the following capacities:

du Bois Center - 17 to 250 participants

University Union - 28 to 115 participants

Health and Learning Center - 48 to 104 participants

W.A. Franke College of Business - 40 to 200 participants

R.H. Castro College of Social and Behavior Sciences - 83 to 200 participants

Banquet rooms and ballrooms - 300 to 850 participants

Performance halls - 400 to 1,300 participants


Audit Report

Page 2 of 11

Recreational fields feature indoor/outdoor soccer fields, multi-purpose fields/space, sand volleyball courts, indoor volleyball courts, basketball courts, tennis courts, indoor track, badminton courts and projector and screen for movies. Recreational fields include the following:

South Field Complex The Aquatic and Tennis Complex

The du Bois Center Field Union Fieldhouse

Observatory Field Multi Activity Court (MAC) Gym

Gabaldon Field South Gym Housing options include the following on-campus residence halls:

Traditional Style Halls Suite Style Halls

McConnell Gabaldon

Reilly Mountain View

Allen The Suites Campus Dining provide meals and catering services to camps/conference participants. A variety of food choices are offered at The Hot Spot and The Dub, as well as the option of catering services. Rates per participant for 2015 Summer Camps and Conferences are as follows:

Food Service

Breakfast $ 5.02 Lunch 8.37 Dinner 8.61 Tax 1.97

Total Food Service $ 23.97

Residence Life $14 to $58.50

Conference Fee $ 9.50

Health Center Fee $ 0.20

Meeting rooms range from $50 to $2,000 plus the cost of labor; while recreational facilities/fields range from $5 per hour to $100 per hour for indoor recreational facilities; $80 per day to $1,200 per day for outdoor recreational facilities and $100 per day to $200 per day for the swimming pool.


Audit Report

Page 3 of 11

Per the management agreement, payments from Sodexo to NAU represent surplus (net income), which are recognized as revenue on NAU’s books minus the revenue generated from Campus Dining; while deficits (net losses) are charged as an expense to NAU and result in a payment to Sodexo. NAU reported net income during the summer months while net losses occurred during the rest of the academic year. Residence Life and Campus Dining provided 35% and 39% of total revenue, respectively. Approximately 17% of total revenue related to the Conference Center, with the remaining 9% of revenue allocated to other NAU departments involved with Summer Camps and Conferences (i.e. parking, shuttle, Health and Learning Center, room rentals) in accordance with Sodexo policies and procedures. The following reflects the activity for Summer 2015:

June July August Total

Sales

Rooms-regular 31,272.50 60,354.00 19,951.87 111,578.37

Lodging 283,248.00 350,292.25 123,457.70 756,997.95

Banquet and catering 4,706.06 1,067.26 - 5,773.32

Food lunch 321,342.37 416,964.65 94,632.74 832,939.76

Conference 142,048.32 174,448.50 56,819.50 373,316.32

Merchandise-regular 37,540.74 30,758.64 13,131.83 81,431.21

Restaurant-discountable (328,688.43) (416,903.90) (95,554.89) (841,147.22)

Total sales 491,469.56 616,981.40 212,438.75 1,320,889.71

Special services 2,931.80 3,672.41 1,196.20 7,800.41

Total sales and revenue 494,401.36 620,653.81 213,634.95 1,328,690.12

Operating Expenses

Labor

Wages 13,493.28 5,542.45 12,077.40 31,113.13

Benefits and payroll taxes 6,292.77 3,468.50 5,865.56 15,626.83

Wage accruals 220.05 220.11 241.18 681.34

Total labor 20,006.10 9,231.06 18,184.14 47,421.30

Controllables

Telephone 11.00 11.00 11.00 33.00

Delivery - 0.64 - 0.64

Printed materials - - 5,436.79 5,436.79

Miscellaneous (4,626.37) 2,237.89 1,782.11 (606.37)

Credit card discount fees 1,362.66 2,380.40 1,182.54 4,925.60

Total controllables (3,252.71) 4,629.93 8,412.44 9,789.66

Non-controllables

Amortization-depreciation 77.39 61.90 61.91 201.20

Insurance 535.10 575.95 521.29 1,632.34

Taxes, license and fees 470.79 - 471.03 941.82

Management fee 2,483.35 1,986.68 1,998.20 6,468.23

Systems support 21.45 21.45 21.45 64.35

Total non-controllables 3,588.08 2,645.98 3,073.88 9,307.94

Total operating expenses 20,341.47 16,506.97 29,670.46 66,518.90

Net Income 474,059.89 604,146.84 183,964.49 1,262,171.22


Audit Report

Page 4 of 11

Audit Objective: The primary objective of the audit is to determine if Summer Camps

and Conferences held at NAU are adequately planned, administered and accounted for.

Scope: The scope of our audit included a review of all policies and procedures governing the management of Summer Camps and Conferences as well as other procedures that helped us achieve our primary audit objective. We reviewed documents and system reports supporting transactions that occurred from May 2015 to August 2015, as well as current practices and procedures. Methodology:

Reviewed the Summer Camps and Conferences website.

Reviewed ABOR and NAU policies and procedures related to Summer Camps and Conferences.

Reviewed Sodexo policies and procedures related to Summer Camps and Conferences.

Interviewed NAU and Sodexo staff responsible for managing Summer Camps and Conferences, which include Sodexo, Housing and Residence Life, and Enrollment Management and Student Affairs.

Reviewed contracts, planning/management checklists, EMS reservation system and UFS accounting system reports for selected invoices to determine camp/conference was adequately planned, administered and accounted for.

Reviewed revenue allocation, income statements provided by Sodexo and general ledger activity for Summer Camps and Conferences.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing. Conclusion: Summer Camps and Conferences are adequately planned, administered and account for. Checklists and periodic meetings among NAU departments prove effective in planning and administering Summer Camps and Conferences. While the use of EMS allows for efficient booking and paperless retention (i.e. contracts, insurance policies, etc.) for Summer Camps and Conferences, UFS is used to invoice customers and collect on those invoices.


Audit Report

Page 5 of 11

The control standards we considered during this audit and the status of the related control environment are provided in the following table.


Control Environment

Recommen- dation No.

Page No.


Departments prepare complete and timely billings for Summer Camps and Conferences


Revenue recognition is not duplicated Reasonable to Strong Controls in Place

Reconciliation of NAU Department billings to customer invoices is performed


Duplicate reservations are not allowed Reasonable to Strong Controls in Place

Revenue and expenses are captured in the correct annual accounting period


Rate schedules exist and are approved by NAU administration and Sodexo


1 7

Monthly reports are timely submitted to NAU administration for review.


2 8

Monthly reports for NAU administration are adequate.


2 8

Management oversight is provided to ensure revenue and expense capture is appropriately recorded


3 9

Safeguarding of Assets

Reservation and accounting software and data are backed up



Audit Report

Page 6 of 11


Control Environment


Page No.

Sensitive information is adequately protected



Policies and procedures exist for Summer Camps and Conferences


Contracts are used and adequately explain Camps/Conference policies


Features within EMS are used to efficiently plan and effectively manage Summer Camps and Conferences


Planning meetings between Summer Camps and Conferences and NAU Departments are adequate


Customer disputes are timely followed-up on and resolved


Compliance with Laws and Regulations

Summer Camps and Conferences complies with ABOR policies and AZ State Law


1 7

We appreciate the assistance of the staff of Sodexo, Housing and Residence Life and Enrollment Management and Student Affairs.

/s/ /s/ Karletta Jones Senior Internal Auditor Northern Arizona University (928) 523-4136 [email protected]

Mark Petterson Chief Audit Executive Northern Arizona University (928) 523-6438 [email protected]

mailto:[email protected]



Audit Report

Page 7 of 11

Audit Results, Recommendations and Responses

1. NAU Management and Sodexo should periodically review and agree on rate schedules related to summer camps and conferences components.

Condition: NAU administration and Sodexo have approved dining rates for Summer Camps and Conferences; however, no formalized agreement exists for rates related to housing, conference fee, health center fee, facility (room and recreation) rentals and special rates. Rates, other than dining, have not changed significantly for several years. Criteria: Per ABOR Policy 7-209, Rental Rates, “The rental rates for use of university facilities and properties by off-campus organizations shall be approved by the president of each institution. Rental rates should reflect considerations of the fair market value rates charged by comparable facilities, actual expenses incurred in providing the space (operations, maintenance, and deferred maintenance), and inflation. Each university shall review its established rates annually. A university may offer reduced rental rates to affiliated non-profit organizations.” Cause: Because the rates related to housing, conference fee, health center fee and facility rentals have not significantly changed since Sodexo began managing Summer Camps and Conferences, the rates have not been outlined in the contract and/or related addendums. Effect: Adequate approved documentation does not exist to support fees charged. Without a formal agreement, potential disputes related to fees charged exist. Lack of annual review of rates could result in inadequate rates for cost recapture. Recommendation: In addition to dining rates, all other conference/camp rates should be included in the contract and/or addendum to the contract as well as approved special rates. Rates should be periodically reviewed to ensure cost recapture is adequate. Response: Senior administration of all involved departments will meet annually to formalize summer conference package and facility rates. The rates will be in effect for two years and will be reassessed by senior administration to ensure its adequacy. Involved departments include NAU Residence Life, High Country Conference Center, NAU Dining Services, NAU Campus Health Services, NAU Campus Services and Activities, NAU Athletics and Campus Recreation Services. Approved summer package and facility rates will be acknowledged on an internal NAU document to be approved and signed by all involved parties. A proposed 2016 Summer Conferences Package and


Audit Report

Page 8 of 11

Facility Rates Schedule has been drafted and will be approved by senior administration by June 30, 2016.

2. Monthly reports provided to NAU management should be more detailed.

Condition: Currently, Sodexo provides Monthly Operating Statements and Revenue Allocation worksheets for Summer Camps and Conferences. The Operating Statements reflect monthly revenue and expenses by account type. The Revenue Allocation is a spreadsheet that lists all events billed for a particular month with each billing allocated to several NAU departments for their share of the revenue. A contra-revenue account for discounts and bad debt expense accounts does not exist. Instead, discounts and bad debt are netted against revenue, with the net revenue allocated to the respective department. Criteria: Reporting requirements as outlined in the Sodexo contract indicate monthly profit and loss reports and weekly sales reports are to be provided to NAU administration. Per the management agreement (Article VI, 6.1), Sodexo shall collect and account for Gross Revenue and pay Operating Expenses as required and will submit an Annual Operating Projection (Article VI, 6.2) to project revenues, management fees, operating expenses, routine capitalized maintenance and major reports for the forthcoming fiscal year. Cause: Because the reporting requirements are limited to several reports and no deadline exists, there has been no request by NAU management to request detailed information within a certain deadline. There is no guidance in the management agreement to record discounts applied to revenue or the recognition of bad debt expense. Effect: Without adequate and timely detail to support expenses and no separate tracking of discounts and bad expense, management is limited in their review of expenses to ensure payments made to Sodexo are accurate and comply with the management agreement; specifically if expenses are reasonably consistent with the Annual Operating Projection. Recommendation: General ledger detail of expense line items should be requested monthly for review with adequate supporting documentation and/or explanation for unusual/significant activity noted by NAU administration. A deadline should be established within the management agreement for reporting requirements. Discounts should be reported in a contra-revenue account and bad debt expense should be separately recognized as opposed to being netted against revenue.


Audit Report

Page 9 of 11

Response: A contra-revenue account will be created to reflect discounts that are given for NAU Summer Camps and Conferences. A bad debt expense account (credit memos) will be created to capture accounts written-off; instead of being netted against revenue. This will be completed by Sodexo’s fiscal year-end of August 31, 2016. Detail of expense line items will be provided in the operations statement provided to NAU Management on a monthly basis. This will be completed by Sodexo’s fiscal year-end of August 31, 2016.

3. NAU Management oversight should be improved to ensure revenue and

expenses are recorded appropriately on the general ledger.

Condition: Net income reported on Sodexo Operating Statements are recorded in one revenue account on NAU’s general ledger as opposed to recording revenue and expense separately. The net loss reported on Sodexo Operating Statements are recorded in consulting expense on NAU’s general ledger. Criteria: Per the management agreement, payments made to Sodexo are a result of any deficit (net loss) recognized for the month; while payments made to NAU are a result of any surplus (net income) recognized for the month. While no directive exists regarding revenue and expense postings on NAU’s general ledger, recording the components that make up net income in their appropriate general ledger account (revenue and expense) will make the Status of Funds more accurate. Cause: Without a second review of the accounting of cash receipts (net income) and cash disbursements (net loss), revenue and consulting expense have been understated. Effect: Status of Funds reports (income statements) that NAU administration uses to assess the performance of Summer Camps and Conferences are not accurate. Per the Status of Funds, net income for July 2015 in the amount of $604,147 was inadvertently recorded in consulting expense resulting in a credit balance for an expense account. Our scope includes June 2015; however, the June 2015 net income recognized was properly accrued at June 30, 2015 and reversed on July 1, 2015. Accordingly, revenue and expense is understated by $46,177, which is the sum of total operating expenses for July and August 2015. Recommendation: July 2015 net income should be reclassified to miscellaneous operating revenue and expenses associated with July and August 2015 should be


Audit Report

Page 10 of 11

reclassified to consulting expense. Because June 2015 is zeroed out by the reversing entry, we do not recommend reclassifying the expense to consulting expense. A second review of general ledger recordings should be made to ensure its accuracy and completeness. Response: FY16 revenues and operating expenses will be reclassed in accordance with the recommended method above. The reclassification will be completed by June 30, 2016. Beginning with June 2016 activity, an additional review of the general ledger will be performed.


Audit Report

Page 11 of 11

Distribution:

Audit Committee, Arizona Board of Regents NAU Internal Audit Review Board Rita Cheng, President Mark Boyer, Director for Campus Services and Activities Administration Jennus Burton, Vice President for Finance and Administration Joe Cordova, Sodexo Unit Controller TC Eberly, Executive Director for Campus Services and Activities Administration Joanne Keene, Executive Vice President and Chief of Staff Jane Kuhn, Vice President for Enrollment Management and Student Affairs Jill Larson, Sodexo Sales Manager Michelle Parker, General Counsel Wendy Swartz, Associate Vice President and Comptroller Scott Thomson, Sodexo General Manager This report is intended for the information and use of the Arizona Board of Regents, NAU administration, the Arizona Office of the Auditor General, and federal awarding agencies and sub-recipients.



Student Employment Audit Report

June 2016



Northern Arizona University Audit of Student Employment

Audit Report June 21, 2016

Summary

Our audit of student employment at NAU is in the University’s Annual Audit Plan for FY

2016, as approved by the Arizona Board of Regents Audit Committee. The audit links to

NAU’s strategic goals of sustainability and effectiveness and of student success. This is

the first time student employment practices have been audited by Internal Audit.

Background: Student employees and graduate assistants provide a vital resource to

NAU. While their primary endeavor is their studies, many student employees are able to

fund their education as student workers, graduate assistants, and resident assistants. In

2015, NAU employed 4,666 student employees representing 187 departments. Salary

expense for student employees represents approximately 9% of NAU’s total salary

expense. The tables below show the gross salaries and hours worked for student

employees during the past three calendar years.

Total Salaries of Student Employees by Type

CY 2013 CY 2014 CY 2015

Student Workers

$12,889,088

$13,384,109

$12,881,068 Graduate Assistants 6,325,366 6,746,202 6,889,510 Federal Work Study 426,021 603,176 1,059,097

Total Salaries for Student Employees

$19,640,475

$20,733,487

$20,829,676

Total Hours of Student Employees by Type

CY 2013 CY 2014 CY 2015

Student Workers 1,272,577 1,429,725 1,348,480 Graduate Assistants 373,284 399,497 401,636 Federal Work Study 50,478 70,659 120,827

Total Hours for Student Employees 1,695,339 1,899,881 1,870,942


Audit Report

Page 2 of 15

Student employment responsibilities are decentralized. Some of the departments

responsible for student employment practices include:

1. NAU Career Development maintains “Jobs for Jacks/Handshake” for students searching and applying for employment.

2. Hiring departments post their vacancies to Jobs for Jacks/Handshake or elect to use alternative solicitation methods. In addition to advertising open student positions, hiring departments are responsible to create student employment job descriptions; select and hire student workers, residential assistants, and graduate assistants; provide specific departmental and task training; ensure mandatory university training has been completed, communicate job expectations; determine hourly pay rates; resolve student grievances; request background checks; monitor hours worked for compliance to NAU policies and regulations; and terminate student employees for unacceptable performance or at the end of their work assignment.

3. The Office of Financial Aid, within EMSA, administers NAU’s Federal Work Study program. It determines who is eligible for the Federal Work Study program and monitors students’ compliance to ongoing program requirements.

4. Human Resources is responsible for:

ensuring students are eligible to work;

processing ePARS (electronic personnel action requests) per departmental instructions;

ensuring required background checks are performed;

monitoring compliance with the Affordable Care Act compliance; and

processing payroll. Upon request, Human Resources will assist student employees and hiring departments in resolving grievances and disputes.

5. The Equity and Access Office ensures NAU meets its obligations regarding affirmative action in employment, equal opportunity, non-discrimination and harassment, and accessibility and reasonable accommodations for individuals with disabilities. The department provides mandatory Safe Working and Learning training to all new employees, including student workers. The office is also charged with investigating and resolving discrimination, harassment, and retaliation complaints.


Audit Report

Page 3 of 15

Nine of NAU’s fifteen ABOR-approved peer institutions report having a student employment office. A summary of the functions performed by those offices follows:

University

Location within University

Functions

Akron Financial Services and Student Employment

Posts jobs, assists students find jobs, maintains a student employment manual, and handles disputes between student workers and their supervisors.

Alabama Financial Aid and Human Resources

Human Resources helps post jobs, educates students on proper practices to apply for and start jobs, maintains workplace expectations for students, provides training or helps departments provide training. FWS is managed by Financial Aid.

Bowling Green

Career Center Hiring, payroll processing, payroll, training (works with Financial Aid on maintenance of the FWS annual allocation).

Kent State Career Center Hiring, development of student employment handbook, handles grievances after hiring department.

Maine Financial Aid Helps departments post jobs, provides services to student employees and potential student employees. Handles hiring paperwork, employee training, and employment policies. Manages FWS.

North Carolina at Greensboro

Career Services Helps students find jobs, manages hiring paperwork, and manages FWS. Provides training to supervisors on how to manage student employees.

Northern Illinois

Human Resources

Maintains documentation on student workers, administers payroll, provides training, and handles grievances after hiring department.

Southern Illinois Carbondale

Financial Aid Works with Payroll, Accounts Payable, and individual university hiring departments to support student workers. Student jobs are linked to the Student Life website.

Western Michigan

Career Services and Student Employment

Provides training for student employee supervisors, may meet with student employee and their supervisors to resolve grievances.


Audit Report

Page 4 of 15

Audit Objectives: The primary audit objectives for this review were to:

evaluate and assess NAU’s student employment practices for compliance to Federal regulations, and NAU policies and for consistency and fairness to student employees and

identify opportunities to improve procedures for hiring and administering student employment.

Scope: The scope of this audit focused on student employment policies and procedures

in effect as of March 31, 2016. Employment of graduate assistants, the Affordable Care

Act, and Employment Eligibility Verification were not within the audit scope.

Methodology: The following procedures were performed to accomplish the audit

objectives:

• Identified and met with primary departments responsible for administrating student employment;

• developed and distributed questionnaires to those primary departments who are charged with administrating student employment;

• analyzed the responses from 27 departments and noted their concerns; • identified gaps between NAU procedures and compliance to Federal regulations

and NAU policies; and

• researched student employment practices of peer institutions to identify alternative student employment practices that may benefit NAU.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion: Administration of student employment at NAU has significant opportunities

for improvement. NAU is subject to the following risks, primarily caused by the lack of a

centralized student employment office:

NAU may not be in compliance with the Americans with Disabilities Act (ADA) because the current job application and posting system is not accessible by students with particular disabilities. No effective alternative is provided for them to complete these processes.

The lack of consistent policies, practices and procedures for student employment makes it difficult to investigate complaints and ensure that students are not subject to discrimination.


Audit Report

Page 5 of 15

Without a well-documented hiring process and tracking of terminations, promotions and transfers, NAU cannot adequately comply with guidance from the Office of Federal Contract Compliance Programs (OFFCP) that universities include employees in their affirmative action plans and proactive programs.

Student employment practices vary by department, creating duplicate procedures, inefficient and inconsistent practices, and inadequate oversight.

Recommendations for improvement are discussed further in the report.

We recommend a centralized Student Employment Office be created at NAU to administer

student employment hiring and administration.

The control standards we considered during this audit and the status of the related control environment are provided in the following table.


Control Environment


Page No.


Not Applicable

Safeguarding of Assets Not Applicable

Authorization Procedures Not Applicable


NAU is aware of, and has established, student employment practices that are responsive to students and ensure regulatory requirements are met.

Opportunity for Significant Improvement

1 7

All students are provided the opportunity to apply for student employment.


1 7

Student employees are treated equitably and compensation is consistent.


1, 4, 5

7,10, 12

Supervisors of student employees are timely and adequately trained; and a handbook has been developed for reference.


1, 6 7, 13


Audit Report

Page 6 of 15


Control Environment


Page No.

Student employees are adequately trained and made aware of job expectations; and a handbook has been developed for reference.


1, 6, 7

7,13, 14

Applying for student employment is efficient for students.


1, 2 7, 8


Assurance is provided that NAU is in compliance with affirmative action and equal opportunity student employment policies and laws.


1, 3 7, 9

Assurance is provided that NAU is in compliance with disability and equal access laws.


1, 2 7, 8

We appreciate the assistance of all staff who responded to our questionnaires and

interviews, including representatives from multiple offices within Enrollment Management

and Student Affairs, the Equity and Access Office, Environmental Health and Safety,

Graduate College, Human Resources, Contract and Purchasing Services, and the

University College.

/s/ /s/ Penny Whitmore Senior Internal Auditor Northern Arizona University (928) 523-6459 [email protected]





Audit Report

Page 7 of 15


1. NAU should create a student employment office.

Condition: Many of the administrative functions relating to student employment would be

more effectively and efficiently performed by a centralized student employment office than

by hiring departments.

Criteria: Hiring and administration of student employees should be efficient and

effective. Hiring practices should:

1) facilitate compliance to federal regulations and NAU policies; 2) promote consistent compensation practices; 3) standardize steps in the hiring process, including the application for employment; 4) include a student-employee handbook and a supervisory handbook; 5) develop and implement an Affirmative Action Plan for student employees; 6) communicate student employment policies and procedures; 7) include awareness of leading practices via participation in student employment

associations 8) include a process to work with outside employers to obtain and post jobs; 9) standardize performance evaluation procedures; and 10) standardize resolution of student grievances.

Cause: Student employment practices have developed piecemeal over time, with no

central authority controlling them.

Effect: NAU student hiring and administration practices are inefficient, expose NAU to

discrimination complaints, and create extra work for hiring departments.

Recommendation: NAU should create a student employment office.

Response:

Finance and Administration: We concur and recommend that it be placed in EMSA within a student career services office.

EMSA: We agree. The student employment office will be placed within the career services center with heavy collaboration with Financial Aid to ensure we are in compliance with Title IV requirements. Career Services will be moving back to EMSA during FY17; due to this we request a minimum of one year to make


Audit Report

Page 8 of 15

necessary changes.

2. Students with disabilities should be accommodated in applying for vacancies when necessary.

Condition: Some students with disabilities are not able to independently search for and

apply for employment opportunities using Jobs for Jacks/Handshake. NAU does not

provide and communicate alternatives to accommodate students with disabilities

searching for student employment.

Criteria: The Americans with Disabilities Act (ADA) provides that employers are required

to provide accommodations to the known physical or mental limitations of applicants or

employees, unless the accommodation would result in an undue hardship on the

employer. No covered entity shall discriminate against a qualified individual with a disability

because of the disability of such individual in regard to job application procedures, the

hiring, advancement, or discharge of employees, employee compensation, job training,

and other terms, conditions, and privileges of employment. ADA, Public Law 101-336,

Section 102(a).

Section 504 of the Rehabilitation Act prohibits discrimination on the basis of disability in

programs or activities that receive Federal financial assistance from the U.S. Department

of Education. Title II of the Act prohibits discrimination on the basis of disability by state

and local governments.

Reasonable accommodations should be provided to students with disabilities to comply

with federal legislation and provide the largest pool possible of qualified student applicants.

According to the U.S. Department of Labor Office of Federal Contract Compliance

Program, online systems such as Jobs for Jacks/Handshake should utilize “universal

design” techniques. Other reasonable accommodations may include providing information

regarding job vacancies in a format accessible to individuals with vision or hearing

impairments, e.g. Braille, Telecommunications Devices for the Deaf (TDDs), readers, and

interpreters. Currently, no system can ensure accessibility in all scenarios; therefore,

federal regulations require that applicants be provided an equally effective alternative with

substantially equitable ease of use or be afforded the opportunity to request an

accommodation from a designated individual.


Audit Report

Page 9 of 15

Cause: When the online application and job posting system was selected, the vendor

agreed to meet appropriate accessibility standards. The vendor has not delivered on that

promise.

Effect: NAU may not be compliant with federal regulations and not all qualified students

are afforded the opportunity to apply for student employment.

Recommendation: NAU Career Development and Disability Resources should work with

the vendor to upgrade Jobs for Jacks/Handshake to accommodate disabled students

searching and applying for student employee openings. If not feasible, alternative

procedures should be identified and considered for implementation.

Response:

Finance and Administration: We concur and suggest that EMSA be asked to respond.

EMSA: EMSA will review Jobs for Jacks/Handshake and make a recommendation in this regards. EMSA will work with ITS to identify alternative software that is assessable.

3. There should be consistent and well-documented employment practices to assure that NAU is in compliance equal employment opportunity regulations and can comply with affirmative action requirements.

Condition: NAU has a system in place to ensure that all qualified applicants applying for

benefit-eligible positions have an equal opportunity for recruitment, selection, and

advancement. However, there is no assurance that NAU’s student employment practices

comply with affirmative action (AA) and equal employment opportunity (EEO) regulations.

Criteria: According to NAU’s Equity and Access Office (EAO), during the last few years

the federal government has informed university federal contractors of the need to include

student employees and graduate assistants in its affirmative action plan. (At present, the

University of Arizona and Arizona State University reportedly do not include student

employee in their affirmative action plans.) Universities have informed the government that

compliance will be difficult and require additional funding resources.

An affirmative action plan requires that the following be documented:


Audit Report

Page 10 of 15

Outreach to minorities, women, disabled students, and veterans;

minimum and preferred qualifications for each job being offered;

applications filled out by each student showing qualifications;

a confidential form is provided for each applicant to voluntarily indicate their race, sex, and disability and veteran status. The form is submitted directly to Equity and Access and not be seen by the supervisor;

how the applicants were ranked based on the required qualifications;

an explanation of any deviations from the ranked selection order. For example, an applicant withdrew;

a code assigned to each applicant not selected to indicate when and why they were no longer considered;

a listing of individuals who were hired; and employee hiring, transfers, promotions and terminations.

Cause: Incorporating student employees in NAU’s affirmative action plan would require

significant resources.

Effect: There is no assurance that NAU’s student employment practices comply with affirmative action (AA) and equal employment opportunity (EEO) regulations. NAU would have difficulty in disputing claims of discrimination since not all departments are documenting searches and retaining hiring, promotion, and termination records.

Recommendation: NAU should develop student hiring and administration procedures

that enable NAU to be in compliance with AA and EEO requirements.

Response:

Finance and Administration: We concur. HR would be happy to assist in areas where they can help.

EMSA Career Services (effective FY17) will work with Affirmative Action and HR to incorporate any necessary federal and state AA and EEO policies.

4. Student employment practices should be standardized.

Condition: Hiring departments and supervisors have developed sound student

employment practices, for the most part. However, practices often vary by department.

For example, some departments:


Audit Report

Page 11 of 15

require all their openings to be posted on Jobs for Jacks/Handshake while other departments rely on flyers, emails and word-of-mouth, or use a combination of methods;

utilize a hiring committee to ensure fair hiring practices while other departments meet and discuss fair hiring practices when filling positions;

have developed and use a hiring checklist to ensure that all hiring requirements have been fulfilled, i.e. required training has been taken, background checks have been requested, and the new employee packet has been completed and returned. Other departments do not use a checklist or are in the process of developing one;

require formal performance evaluations at set dates while other departments rely on continuing informal performance evaluations;

have developed formal disciplinary procedures while other departments have not; and

have developed student employment handbooks while other areas have not.

Criteria: NAU policies and procedures should exist and enable student employment to be

administered consistently across departments and according to Federal regulations.


central authority controlling them. As a result, hiring departments have taken on the

responsibility to develop job descriptions, fill open positions, evaluate performance, and

determine pay rates.

Effect: Inconsistent employment practices may result in; 1) failure to provide all interested

and qualified students the opportunity to apply for student employment, 2) a lack of

assurance that all student employees are being treated fairly, and 3) inefficient

departmental efforts.

Recommendation: NAU should standardize student employee hiring and administration

practices, and create the appropriate policies and procedures, communication, training

and tools to ensure that student employee hiring personnel have adequate support for

following consistent practices.

Response:

EMSA: We agree and per Recommendation 1 we will work to develop these practices over the next FY.


Audit Report

Page 12 of 15

5. Student compensation should be more consistent.

Condition: Compensation for student jobs is not consistent or equitable across the

University. For example, student custodians are hired by both Facility Services and

Resident Life for summer work. The student custodians who work for Residence Life are

given free housing (taxable) and wages; while student custodians working for Facility

Services are provided only wages.

Criteria: Student compensation across the University should be comparable, competitive

and correspond to the challenges of the job.



Effect: Some students may be compensated more than other students who are doing the

same or more difficult work. Student employees may leave jobs for other easier jobs, or

similar jobs that provide greater compensation.

Recommendation: A process should be developed to better ensure equitable

compensation for similar jobs across the University, especially within departments. Pay

ranges and any benefits should be published.

Response:

Finance and Administration: HR will participate in discussions and can provide compensation consulting assistance to the unit that will be responsible for administration and maintenance of student worker compensation and determining an equitable approach and guidelines. We suggest that high level student wage guidelines may be the best overall approach vs. any strict student compensation system where the administration and resources to manage might outweigh the benefit.

EMSA: Will work collaboratively with Admin & Finance on developing the compensation to ensure we comply with Title IX policy.


Audit Report

Page 13 of 15

6. A student employee handbook and a handbook for supervisors of student

employees should be developed.

Condition: A Student Employment Handbook developed by the Office of Scholarships

and Financial Aid is available but has not been distributed to all hiring departments.

According to Financial Aid, it is only intended to apply to the Federal Work Study program.

No student employment handbook has been prepared and distributed to all student

workers.

There is no supervisory handbook for supervisors to provide consistent direction in hiring,

communicating job expectations, ensuring mandatory training is taken, evaluating

performance, determining pay rates and merit increases, handling student grievances,

recommended disciplinary process, etc.

Criteria: Standardized student employment and supervisory handbooks should be

developed for reference and to promote consistent practices.



Effect: Consistent guidance is not provided to student employees and their supervisors

that provides guidance regarding hiring procedures, regulations and policies,

compensation, benefits and leaves, performance evaluation forms and guidelines,

disciplinary procedures, compensation rates, contacts and listing of other available

resources.

Recommendation: A student employee handbook that applies NAU-wide should be

developed and kept current. The handbook developed by the Office of Financial Aid would

be a good starting point. Evidence should be provide that reflects student employees are

familiar with the handbook and its contents.

Response:

Finance and Administration: HR will be glad to contribute to discussions in this area as appropriate. It is important to preserve the “at-will” nature of student employment and HR can assist with this. It is also appropriate to involve the Policy on Policy committee within the parameters of their charge. Presuming that the personnel hired by EMSA for the Student Employment/Career Services office also are


Audit Report

Page 14 of 15

responsible for resolving student employment grievances, HR will participate in the hiring process for personnel assigned to those tasks to help identify adequate skills and background. HR can also provide consulting assistance as needed to Student Employment/career Services personnel.

EMSA will work collaboratively with HR and Financial Aid to develop a student handbook.

7. A centralized system for tracking student training should be implemented.

Condition: There is no assurance that all mandatory NAU training is taken by student

employees. Supervisors request student employees to provide evidence of training taken

or the supervisors contact the training administrators directly to confirm training taken.

NAU does not presently have a comprehensive learning management system in place for

employee training.

Criteria: Evidence of all NAU training taken by students should be readily available for

review by departmental supervisors and potential employers.

Cause: Lack of a student employment office and lack of information technology support.

Effect: There is no efficient way to identify what training students have received.

Recommendation: A centralized system for tracking student training would be the most

effective solution for managing student training requirements, given the large volume of

student employees and transient nature of student work. Until the centralized system is

developed, we recommend that the hiring departments be made aware of their obligation

to maintain manual records of all student training.

Response:

Finance and Administration: We concur. The NAU department assigned student employment should communicate with departments to ensure they keep manual records until the ITS solution is launched.


Audit Report

Page 15 of 15

Distribution: Audit Committee, Arizona Board of Regents Internal Audit Review Board Rita Cheng, President Cynthia Anderson, Dean of Students, Student Life Jamie Axelrod, Director, Disability Resources Jennus Burton, Vice President for Finance and Administration Sarah Ells, Health/Safety Officer, Environmental Health and Safety Bjorn Flugstad, Vice President, Planning and Institutional Research Erin Grisham, Associate Vice President, Enrollment Management and Student Affairs Joanne Keene, Executive Vice President and Chief of Staff Jane Kuhn, Vice President, Enrollment Management and Student Affairs Emily McCarthy, Program Director, Career Development, University College Becky McGaugh, Executive Director, Contracting and Purchasing Services Priscilla Mills, Assistant Vice President, Equity and Access Office Nydia Nittman, Executive Director, Office of Scholarships & Financial Aid Michelle Parker, General Counsel David Spivey, Director, Graduate College Wendy Swartz, Associate Vice President and Comptroller Diane Verkest, Associate Vice President, Human Resources Maribeth Watwood, Dean, Graduate College



Information Technology General Controls Audit Report

August 2016



Northern Arizona University Information Technology General Controls

Audit Report August 15, 2016

Summary

Our audit of Information Technology General Controls is in the Northern Arizona

University Annual Audit Plan for FY 2016, as approved by the Audit Committee of the

Arizona Board of Regents. The audit links to NAU’s strategic goal of sustainability and

effectiveness. The area was previously audited in December 2012.

Background: General controls are controls that relate to the environment within which

computer-based application systems are developed, maintained and operated, and are

applicable to all applications. The objectives of general controls are to ensure the proper

development and implementation of applications and the integrity of program and data

files and of computer operations. Like application controls, general controls may be either

manual or programmed.

Common IT general controls are:

Logical access controls over infrastructure, applications, and data;

System development life cycle controls;

Program change management controls;

Data center physical security controls;

System and data backup and recovery controls;

Computer operation controls.

The IT environment being audited is Information Technology Services, which operates

and maintains information technology and telecommunications services in support of the

NAU mission and goals. Services include academic support, administrative systems

support, student services, telecommunications, and faculty and staff support and training.

Audit Objectives: The objectives of this review were to assess ITS controls in the

following areas:

Change management

Contingency planning

Logical access policies, standards, and processes Physical security

Problem management

Project Management

Source code / document version control

Technical support

http://en.wikipedia.org/wiki/Infrastructure


Audit Report

Page 2 of 5

Scope: The scope of our audit encompassed the examination and evaluation of the

internal control structure and procedures controlling information technology general

controls as implemented by ITS.

The scope also included a review of access rights assigned to users of PeopleSoft

applications for Human Capital Management, LOUIE (student and employee information

management system), and PeopleSoft Financials.

Methodology: We used control questionnaires and interviews to identify IT general

controls, then tested a sample of the controls.

The audit was conducted in accordance with the International Standards for the

Professional Practice of Internal Auditing.

Conclusion: Information technology general controls in the areas audited at Information

Technology Services are adequate. One audit recommendation was made.

Observation: ITS has significantly improved its change management procedures since

the previous IT General Controls audit in 2012.

NAU has also automated the process for assigning and removing logical access rights to

PeopleSoft applications, replacing a cumbersome manual system.

The control standards we considered during this audit and the status of the related

control environment are provided in the following table.

General Control Standard (The bulleted Items are internal control objectives that apply to the general control standards, and will differ for each audit.)

Control Environment

Recommen-dation No.

Page No.


Changes meet business requirements and are authorized.


Controls protect the integrity of program code.


Logical access to PeopleSoft applications is limited to authorized users



Audit Report

Page 3 of 5


Control Environment

Recommen-dation No.

Page No.


IT projects are effectively managed.


1 4

The root causes of problems are identified and addressed.


Procedures exist to help users report problems and perform more efficiently.



Access is managed based on business needs.


Disaster recovery/backup and recovery procedures enable continued processing despite adverse conditions.


Controls protect the physical security of information technology assets from individuals and from environmental risks



Not Applicable

We appreciate the assistance of the staff of Information Technology Services during the audit. /s/

Mark Petterson Chief Audit Executive (928) 523-6438 [email protected]



Audit Report

Page 4 of 5


1. The ITS Project Management Office is not managing IT projects effectively.

Condition: ITS has a project management framework for NAU information systems

development projects, but it has not been fully implemented and does not enable the

alinement of NAU information technology resources with NAU strategic goals.

Criteria: Information systems development projects should have project management

adequate to ensure all relevant project management tasks are completed.

Cause: A pervasive lack of financial and staffing resources exists within Information

Technology Services.

University culture assigns responsibility for successful implementation of enterprise

systems development projects only to ITS, rather than ITS and project stakeholders.

Stakeholders outside of ITS control some of the resources needed for successful project

completion but currently do not share responsibility for success.

Effect: The current project management staff of three individuals is inadequate to assign

a full-time project manager to each enterprise system development project. Project

managers only have time to deal with the most critical project management tasks, such

as identifying and assigning staffing resources to the project. Less critical project

management tasks are being handled informally or not at all.

The current project management practices:

fail to fully implement NAU’s well-designed project management framework

result in slow progress in changing NAU’s culture of informality in information

systems project management

increase the risk of incomplete or flawed systems implementation

result in Inadequate involvement in systems development by the user community.

Recommendation:

The organization and procedures of the Project Management Office should be reviewed

to enable :

o a full-time project manager to be assigned to each enterprise systems

development project


Audit Report

Page 5 of 5

o resources for project management consulting to be available to smaller information

systems development efforts.

Response: We agree with the audit recommendation as reported. Regarding the one

opportunity for improvement, we agree that project management staffing is not ideal for

our current project load. With the difficulty in funding new hires, we will need to find some

creative ways to improve our current process. One option that we are pursuing is to more

carefully align projects with strategic mission, so that we can focus scarce resources on

the most critical tasks. This may result in the delay of some projects, but should provide

superior results for the chosen projects, with a positive impact on IT, project management,

and functional office staffing resources. We will look for other ways to improve our current

process, and will report progress when requested.

Distribution:

Audit Committee, Arizona Board of Regents

Internal Audit Review Board

Rita Cheng, President

Steve Burrell, Chief Information Technology Officer

Jennus Burton, Vice President for Finance and Administration

Bjorn Flugstad, Vice President, Planning and Institutional Research

Joanne Keene, Executive Vice President and Chief of Staff

Michelle Parker, General Counsel

Wendy Swartz, Associate Vice President and Comptroller

This report is intended for the information and use of the Arizona Board of Regents, NAU

administration, the Arizona Office of the Auditor General, and federal awarding agencies

and sub-recipients.



Aquatic and Tennis Center Audit Report

October 2016



Northern Arizona University Aquatic and Tennis Complex Construction Contract

Audit Report October 27, 2016

Summary

Northern Arizona University contracted with Haydon Building Corp. (HBC) to

construct an Aquatic and Tennis Complex to replace the Wall Aquatic Center. Our

audit of this construction project is included in NAU’s Fiscal Year 2016 Annual

Internal Audit Plan, as approved by the Arizona Board of Regents Audit

Committee. New construction is required to accommodate student enrollment

growth and enhance students’ learning experiences. The audit links to ABOR’s

strategic goal of promoting student learning and success.

Background: The project is being delivered through the Construction Manager at

Risk (CMAR) method. Construction administration and project management are

being provided by Facility Services.

The Aquatic and Tennis Complex is used by NAU student-athletes, other members

of the NAU community, and Olympic-class athletes. The facility is home to the

Lumberjacks swimming and diving team and tennis teams. NAU Athletics shares

and operates the facility in conjunction with NAU Campus Recreation. The

123,341-square foot facility replaces the old 50,074-square foot aquatic center.

The aquatic complex includes an Olympic-size pool, separate diving pool, elevated

stadium seating, dry land training area, locker rooms, and program support space.

The tennis complex has six indoor courts, which are equipped with umpire chairs,

benches, separation nets and backdrop curtains; and features spectator seating,

a large scoreboard, and training and support space and informal lockers. The

indoor portion of the Aquatic and Tennis Complex was substantially complete and

opened in February 2016. The outdoor portion of the Aquatic and Tennis Complex

includes six outdoor tennis courts and an outdoor multipurpose athletic field that

are currently under construction and are expected to be substantially completed in

October 2016. The debt service is funded from Systems Revenue and Refunding

Bonds Series 2014.

The pre-construction contract agreement with the CMAR was executed in June

2013. A notice to proceed for construction services was issued in April 2014.

Design professional services were provided by Sink Combs Dethlefs for

$1,998,804. Haydon’s pre-construction costs were $303,941. The guaranteed

maximum price for construction, excluding pre-construction and architectural

costs, is currently at $39.2 million.


Audit Report

Page 2 of 11

Audit Objectives: The primary objectives of this review were to determine if:

contract terms are applied as written;

charges are adequately supported by actual costs incurred by the CMAR;

the subcontractor selection process is consistent with ABOR policies;

proposed change orders are sufficiently documented; and

fees are applied as specified by the construction contract. Scope: The scope of this audit was the project construction phase from inception

through February 29, 2016 (Pay Application 23). We relied on Facility Services’

expertise for the construction technical aspects and to determine whether NAU

received the contracted scope of work. Accordingly, the audit scope did not include

any on-site inspections to assess construction methods, materials, or compliance

with design specifications. Facility Services provided a tour of the aquatic and

indoor tennis facility.

Methodology: The audit objectives were accomplished using the current Tri-

University construction audit program (August 1, 2013 edition), which includes:

Reconciling construction payments, as recorded in NAU’s financial system, to applications for payments.

Verifying that pay applications are supported by the contractor’s internal financial records.

Performing a detailed review of transactions charged to General Conditions and other reimbursable costs to ensure they are allowable and adequately supported.

Verifying subcontractors were selected according to contract requirements and ABOR procurement policies.

Confirming that overhead and fees on proposed change orders are calculated consistently and per the contract. Determining whether GMP adjustments are properly approved by NAU.

Assessing whether proposed change orders provide sufficient information to validate price-reasonableness and, where appropriate, rates are consistent with the subcontractor contracts.

Verifying that charges for bonds, insurance, and sales taxes are documented and per the contract.

Ensuring that usage of contingency funds and allowances are properly approved.


Audit Report

Page 3 of 11

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

Conclusion: Construction of the Aquatic and Tennis Complex was adequately

controlled by Facility Services, but opportunities for improvement exist as

described in the audit recommendations. When construction of the outdoor tennis

courts and multipurpose field is complete, there are several outstanding items to

complete before project close out:

obtaining final lien waivers and notices that the CMAR released retainage funds to subcontractors

verifying that all punch list items were resolved

confirming that liability insurance, bonds, and taxes are charged to the project based on actual costs

evaluating project results and the performance of the CMAR.

Observation: We noted that beginning with pay application #4 for services

rendered through July 31, 2014, hourly rates as authorized per the CMAR contract

for CMAR’s supervision personnel did not agree to hourly rates charged under

general conditions. Hourly rates charged were higher than authorized hourly rates

for the project coordinator, mechanical coordinator, superintendent 3 and a general

employee. A change order will be issued to properly authorize the increase in

hourly rates from pay application #4 to current.

Opportunities for improvement are reflected in the remainder of the report. The

areas we reviewed during this audit and the status of each are provided in the

following table.


Audit Report

Page 4 of 11


Control Environment


Page No.


Contractor billings and change orders are supported by the contractor’s job cost ledger.


1 6

The contractor’s job cost ledger is supported by sub-ledgers that facilitate analyses and reviews, such as equipment rental charges, payroll schedules, and subcontractor payment ledgers.


2 8

Adequate documentation is provided to support charges made to General Conditions with the pay applications and General Conditions are allowable per the contract.


Allowances and contingencies are accurately tracked and properly approved.


Charges for indirect costs such as fees, taxes, and insurance are supported or accurately calculated.


1 6

Subcontractor change order proposals are submitted with sufficient information to determine price reasonableness.


2 8


The overall contract is clear, effective, and efficient to administer.


2 8

Allowable costs are sufficiently defined in the contract and are efficiently processed.


2 8



The contract and ABOR selection process for subcontracted work is followed and the subcontracts are supported by the bid awards.


Change orders are priced per the contract and are properly approved.


2 8


Audit Report

Page 5 of 11

We appreciate the assistance of the staff of Haydon Building Corp. and Facility Services during the audit. Management is supportive of our recommendations and has actively begun

working to implement their identified action items.

/s/ /s/ Karletta Jones Senior Internal Auditor Northern Arizona University (928) 523-4136 [email protected]





Audit Report

Page 6 of 11

Audit Results, Recommendations, and Responses

1. The invoices for builder’s risk insurance and the job cost detail ledger were not provided timely by the CMAR.

Condition: Amounts paid by the CMAR for Builder’s Risk Insurance could not be verified as invoices were not provided by the CMAR until the Internal Audit department requested them as part of the audit. Builder’s Risk Insurance is required of all general contractors to protect the interests of NAU and contractors from physical loss or damage to materials, fixtures and/or equipment being used in the construction of a building. Charges included on the pay applications could not be verified timely as the job cost detail ledger was not provided by the CMAR until the Internal Audit department requested them as part of the audit.

Criteria: Section 2.1.14 of the CMAR contract states: “With respect to all Work

performed by CMAR and its Subcontractors and Consultants, CMAR, its

Subcontractors and Consultants, shall keep full and detailed accounts and

exercise such cost controls as may be necessary for proper financial management,

using accounting and control systems in accordance with generally accepted

accounting principles and subject to review by Owner.” The General Contractor’s

job cost ledger provides a detailed account as it captures all costs associated with

the construction project. The job cost ledger supports the contractor billings and

change orders.

All construction costs should be verifiable to ensure the billings paid by NAU are

accurate and complete.

Cause: Builder’s Risk Insurance is charged on a monthly basis per each pay

application; however, the CMAR did not provide invoices or calculations to support

the builder’s risk charges until the project was substantially complete.

The CMAR’s failure to provide a job cost ledger in a timely fashion was attributed

to problems related to an accounting system conversion during the project

Effect: Consistent with their insurance policy the CMAR calculated builder’s risk

monthly premiums on the total cost of the project. Builder’s risk premiums as

calculated by the CMAR and verified by the auditor from inception through


Audit Report

Page 7 of 11

February 29, 2016 were $36,522. Builder’s risk totaled $94,940 per pay

application #23, from inception to February 29, 2016. The charges per the pay

applications were more than the monthly premiums; resulting in NAU overpaying

on builder’s risk insurance in the amount of $58,418 as of February 29, 2016. Per

the insurance policy, the builder’s risk coverage extends through May 1, 2016;

however, per Section 6.3.5 of the CMAR contract, coverage should be provided

and maintained “until written notice of Substantial Completion from the Owner”,

which was February 8, 2016 for the indoor facility portion of the project.

Because two accounting systems were used, the account detail to support direct

costs, indirect costs and fees could not be timely generated.

Recommendation: Facility Services should obtain supporting documentation

related to Builder’s Risk insurance expenses and the Job Cost Detail Ledger as

the project progresses with the option to escalate when the CMAR is not providing

the requested information.

Facility Services should verify the insurance coverage period against the notice of

Substantial Completion for the indoor facility portion of the project and verify

overpayment once the project is complete for builder’s risk, which will impact taxes.

Response:

Job Cost Ledger:

Per the recommendation, Facility Services will begin requesting a fully detailed job

cost ledger with each monthly payment application. It should include detail of all

general conditions, subcontractor costs, and indirect costs.

Builder’s Risk:

NAU will issue Haydon a deductive change order for the difference between the

total amount paid to Haydon for builder’s risk and the amount of their actual costs,

including the offset in applicable taxes.


Audit Report

Page 8 of 11

2. Facility Services should improve its authorization of rates to properly verify costs charged to construction projects.

Condition: The audit identified several situations where Facility Services can improve its verification of project costs:

a) While testing change orders, we noted most subcontractor agreements did not state labor rates. Accordingly, subcontractor labor was not supported by documentation sufficient to verify the labor rates charged were appropriate and in accordance with approved rates agreed upon between the general contractor and subcontractor.

b) NAU did not obtain a listing of equipment expected to be used on the project

for each subcontractor. The listing should include the fair market value of each item at the time it was used and is contractually required to ensure that equipment rental charges are not excessive. Because no equipment rental listing was provided, equipment rental rates could not be verified to determine if appropriate and properly authorized.

c) Per Diem (i.e. travel and hotel) was charged by several subcontractors,

however subcontractor agreements did not state approved per diem rates. Instead the contract and subcontractor agreements outlined general conditions as 10% and the fee as 5%. To be consistent with CMAR General Condition’s billings, subcontractor general conditions should include per diem, but were separately billed. General conditions and per diem charged separately appear to be a duplicate charge. Both charges are then considered in the 5% fee, which result in the fee being overstated. Of the change orders sampled, we noted total per diem charged in the amount of $6,780 in addition to the general condition percentage of 10% and fee of 5%.

Criteria: Facility Services should ensure negotiated rates are approved by NAU

management. This provides authorization for amount of costs to be charged to the

project by the owner. These authorized rates are instrumental in the timely

verification of the costs charged to the project.

Cause: Project costs related to subcontractor labor rates, equipment rental rates

and subcontractor per diem rates were inadequately outlined per the contract.

Instead, Facility Services relied on reasonableness tests to verify these project

costs.


Audit Report

Page 9 of 11

Effect: Although the existing process allows for the CMAR to negotiate lower rates,

there is no consistent approval of rates to be charged to the project via initial

subcontractor contract and/or change orders.

Recommendation: Facility Services should ensure the contract is appropriately

updated to verify the reasonableness of all costs and distinction between

subcontractor general conditions and subcontractor per diem. Additionally, with

each negotiation, rates for labor, equipment and per diem should be approved by

NAU. These approved rates should then be used to verify the costs charged to

the project.

Response:

a) This contract version did not specify the CMAR to require labor rates for subcontractors within their subcontracts. The reason the CMAR gave for not requiring labor rates within all subcontracts was to enable them the ability to negotiate labor rates throughout the project. Facility Services and the Design Professional review all labor rates within proposed change orders for reasonableness noting that there is a wide range of what is considered an industry standard for a labor rate (i.e. craft level labor rates for a general “laborer” may be $12/hour whereas a typical labor rate for an elevator technician may be as high as $280/hour). We may improve our process by including language in the contract requiring the CMAR provide labor rates for all subcontracts. We will discuss with the Tri-U construction group including language in the CMAR contract that would require the CMAR to provide labor rates for all subcontracts.

b) As far as the equipment rates, this contract version did not specify the CMAR to require equipment rates for subcontractors within their subcontracts. At the time of GMP negotiation with Haydon, we were aware that Haydon was not going to charge any “in-house” equipment rental and that any equipment rentals would be procured either through the subcontractors as part of a competitive bidding process, or through a rental equipment company such as RCS or Sunstate, also through competitive bidding process, therefore we didn’t need to include a rental equipment pricing list in the GMP Amendment. When subcontractors included equipment rentals in their change order requests, we did compare these rates to equipment rates from rental equipment vendors; to RS Means rates


Audit Report

Page 10 of 11

and to equipment rates provided on other CMAR projects and found them to be market competitive and reasonable. RS Means is a division of Reed Business Information that provides cost information to the construction industry so contractors in the industry can provide accurate estimates and projections for their projected costs. In the future, we will ask the CMARs to provide a list of the specific pieces of equipment their subcontractors are planning on using on their specific projects, and to provide the market value of such equipment so that we can better verify that the cost of renting equipment doesn’t exceed their market value.

a) Per diem was included in the CMAR contract at a rate of $125/week/onsite employee for the CMAR. This contract did not specify the CMAR to require Per diem rates for subcontractors within their contracts, but the terms of the CMAR contract indicates that the only allowed line items for subcontractors C.O. are material, labor, equipment, GCs (capped at 10%), fees (capped at 5%) and taxes. This creates the situation that CMARs are allowed to include per diem in GCs, but subcontractors are not. The same contract language applies to ASU and UA, and their subcontractors typically don’t have to deal with out of town travel. In our case, it seems that we do have added cost due to labor workers having to be out of town to complete the work. We will discuss with the Tri-U construction group including language in the CMAR contract that would require the CMAR to provide per diem rates for all subcontracts.


Audit Report

Page 11 of 11

Distribution: Audit Committee, Arizona Board of Regents Internal Audit Review Board Rita Cheng, President Jennus Burton, Vice President for Finance and Administration Agnes Drogi, Director of Planning, Design and Construction, Facility Services Bjorn Flugstad, Chief Financial Officer Joanne Keene, Executive Vice President and Chief of Staff John Morris, Associate Vice President, Facility Services Michelle Parker, General Counsel Kathleen Viskocil, Project Manager, Facility Services Wendy Swartz, Associate Vice President for Financial Services and Comptroller This report is intended for the information and use of the Arizona Board of Regents, NAU administration, the Arizona Office of the Auditor General, and federal awarding agencies and sub-recipients.



Accounts Payable Audit Report

October 2016



Northern Arizona University Accounts Payable

Audit Report October 27, 2016

Summary

Our audit of Accounts Payable is in NAU’s Annual Audit Plan for FY 2017. An audit of Purchase Orders was done in FY 2010 and an audit of Accounts Payable using data analytics was done in FY 2015. This audit expands on the FY 2015 review by performing detailed transaction testing. The audit links to NAU’s value of integrity and its strategic goal of sustainability and effectiveness. Background: All funds coming into NAU are considered public funds and are subject to

State regulations. Use of public funds is restricted to expenses that promote the public’s

interests. Public funds may not be expended for gifts and personal expenses. NAU has

established policies that supplement State regulations and define the funds and

restrictions that apply to common disbursements. For FY 2016, 31,843 transactions were

processed, excluding purchasing card transactions. These expenses are categorized by

fund as follows.

Fund

FY 16 Expenditures

(excludes P-Cards)

State $ 23,631,961

Local-Designated 31,008,435

Local-Auxiliary 14,818,583

Grants 3,298,650

Unexpended Plant 58,244,210

Agency 37,821,941

Total FY 2016 $168,823,780

Accounts Payable is a unit within Contracting and Purchasing Services (CPS). It reviews

invoices and requests for payment to ensure that the amounts agree with the amounts

approved by department business units. Prior to authorizing payment, units are

responsible for ensuring all forms required for payment and receipts are attached per

NAU policies.

Accounts Payable is part of the disbursement cycle that also includes purchasing,

receiving, and payment oversight. Departmental business units are required to ensure

purchases comply with State and University policies. They are required to enter

requisitions, purchase orders, and receiving reports electronically into PeopleSoft


Audit Report

Page 2 of 8

Financials and retain approved requisition, purchase order, receiving documents and

related documentation to provide evidence of compliance. For allowable purchases over

$5,000, CPS oversees procurement of items in accordance with established policies and

procedures.

The Comptroller’s Office develops disbursement policies and procedures that supplement

State regulations. It maintains functional oversight of NAU’s electronic document storage

system, OnBase. As part of its compliance reviews and purchasing card analyses, the

Office reviews invoices and purchasing card documentation stored in OnBase. The

Comptroller’s Office also reviews purchasing and disbursement data via queries built in

ACL software.

Accounts Payable may authorize payments to vendors in one of the following ways:

Purchase Order. Payment is authorized on purchase orders for goods and services once

the requesting department electronically prepares a receiving report and Accounts

Payable receives an invoice from the vendor.

Check Requests. Check requests are used to pay third parties for which no Purchase Order has been set up and are processed using a single payment voucher in PeopleSoft. Specifically, check requests are used to: 1) reimburse students, 2) reimburse interviewee expenses, 3) pay for authorized non-employee travel costs, and 4) disburse revenue collected by NAU to vendors. Check requests for student reimbursements, interviewee expenses, and travel for non-employees are generally processed under a generic vendor code (the “Single Payment Vendor”), while check requests made to vendors are processed under the vendor’s unique vendor code. Audit Objective: The objective of this review was to assess NAU’s Accounts Payable

processes for efficiency and effectiveness.

Scope: The scope of our audit included FY 2016 Accounts Payable transactions related

to the purchase of goods and services from external sources. Purchasing card

transactions and employee reimbursements were not reviewed.

Methodology: The following procedures were performed to accomplish the audit

objectives:

distributed and reviewed questionnaires to CPS staff to gain an understanding of NAU’s disbursement cycle;


Audit Report

Page 3 of 8

interviewed CPS personnel as needed to ensure an understanding of the processes used to administer Accounts Payable;

evaluated the Accounts Payable process and procedures for efficiency, effectiveness and compliance with State regulations; and

judgmentally selected 350 transactions from PeopleSoft Financials to determine if purchases were allowable.

The audit was conducted in accordance with the International Standards for the

Professional Practice of Internal Auditing

Conclusion: NAU’s Accounts Payable processes are effective and efficient. Accounts

Payable processes are accurately posting dollar amounts to PeopleSoft Financials.

Purchase orders and vendor invoices are efficiently and timely processed in PeopleSoft

Financials; and the implementation of OnBase enables supporting documentation to be

efficiently archived and accessed.

Some opportunities for improvement were noted:

Library subscriptions should be renewed using purchase orders.

The OnBase document imaging system should be used to store supporting documentation for all payments authorized by Accounts Payable.

An appropriate description for payments made using Check Requests for student reimbursements should be reflected in transaction detail reports.

Management is supportive of our recommendations and has actively begun working to

implement their identified action items. These recommendations are discussed in the

remainder of the report.

Observations: Accounts Payable is utilizing the capabilities of PeopleSoft Financials

effectively and efficiently for payments made using purchase orders. The decentralized

Accounts Payable model in use requires NAU to rely on sound internal controls at the

department level. Audit plans to review departmental controls during future departmental

audits.

Contracting and Purchasing Services has drafted an Accounts Payable form which will

be the official document to pay speakers and performers. It will replace the current form


Audit Report

Page 4 of 8

used to authorize payment to speakers and performers. The new Accounts Payable form

will allow the department to indicate if travel will be reimbursed.

During the audit, NAU’s Policy, CMP 421-02, Interviewee and Non-Employee

Reimbursements, was revised by the Comptroller’s Office to correspond to the State of

Arizona Accounting Manual, Section 65, Vendor and Other Non-employee Travel, which

states that reimbursements are to be based on actual receipts, not to exceed State meal

reimbursement rates.

The control standards we considered during this audit and the status of the related control

environment are provided in the following table.


Control Environment


Page No.


Voucher payments are timely and accurately posted to PeopleSoft Financials.


Documentation supports the charges posted to PeopleSoft Financials.



Purchase requisitions and receipts are matched to purchase orders prior to payment.


The Accounts Payable process is efficient.


All relevant supporting documentation is retained in a central repository and records are easily identified.


2, 3 6, 7

The document retention process is efficient


Usage of check requests is limited and does not replace the need for purchase orders.


1 6


Audit Report

Page 5 of 8

We appreciate the assistance of the staff of Contracting and Purchasing Services.

/s/ /s/ Penny Whitmore Senior Internal Auditor Northern Arizona University (928) 523-6459 [email protected]





Audit Report

Page 6 of 8


1. Library subscriptions should be renewed using purchase orders.

Condition: Seven sampled items, representing library subscriptions and totaling

expenses of $89,760 were paid using only Check Requests. One vendor was paid

$1,243,475 during FY 2016 without a purchase order.

Criteria: Subscriptions over $5,000 should be processed using a purchase order per

University procurement policies.

Cause: Prior to the implementation of PeopleSoft Financials, the Cline Library directly

uploaded subscription renewals to the financial system and requested payment using

Check Requests.

Effect: Library subscriptions that total over $5,000 are not procured in compliance with

University procurement regulations.

Recommendation: CPS should work with the Cline Library to ensure that purchasing

policies for procurements of library subscriptions are followed.

Response: Contracting and Purchasing Services and the Cline Library have

implemented the recommendation.

2. Supporting documentation for disbursements should be retained in a central repository.

Condition: Not all documents supporting payment of transactions that have been

authorized by Accounts Payable are retained in OnBase.

Accounts Payable files paper copies of invoices and supporting documentation for payments made using a Check Request.

There is no evidence in OnBase of approved departmental purchase requisitions and purchase orders that may provide details regarding the terms and conditions of the services or quality and quantity of the goods purchased.

Purchases of bottled water require approval from Facility Services to ensure they are not a personal expense. However, the approval is a purchasing document and retention is required at the department level for departmental purchases that are


Audit Report

Page 7 of 8

less than $5,000 and in Purchasing if the purchase is greater than $5,000. There is no evidence of approval from Facility Services stored in OnBase.

NAU’s Business Food-Meal Purchase Authorization form is required before Accounts Payable authorizes payment but the document is not always obtained or uploaded to OnBase to provide evidence of management approval.

Criteria: OnBase should be the central repository for all documentation supporting

payments authorized for payment by Accounts Payable.

Cause: OnBase functionality to upload check request documentation, requisitions,

purchase orders, receiving reports, and other supporting documentation has not been

developed.

Effect: Processes to ensure compliance with State regulations and University policies

are inefficient and inconsistent.

Recommendation: OnBase functionality should be developed to allow all relevant

supporting documentation to be uploaded into OnBase.

Response: Non-PO documentation in OnBase is expected to be available with the roll

out of “quick voucher” functionality in PeopleSoft Financials. We anticipate to go-live in

spring, 2017.

3. An appropriate description for payments made using Check Requests for student reimbursements should be reflected in transaction detail reports.

Condition: Student reimbursements represent 32 of the 65 Check Request payments

sampled using the Single Payment Vendor code. Student reimbursements are not

identifiable from other payments made using the Single Payment Vendor code in the

Transaction Detail reports. All payments using the Single Payment Vendor code reflect

the identical vendor ID number and descriptions. The student’s ID (in lieu of a vendor

name or ID) is not reflected in the PeopleSoft Transaction Detail report.

Criteria: Student reimbursements should be descriptive in the Transaction Detail report.

Cause: Accounts Payable is not entering a description for payments when using the

Single Payment Vendor code


Audit Report

Page 8 of 8

Effect: It is inefficient to research student reimbursements in PeopleSoft.

Recommendation: Accounts Payable should enter a description for Check Request

payments. This information may also help to segregate student reimbursements from

other third party reimbursements.

Response: As of October 26, 2016, Accounts Payable changed its business process to

require entry of the description for all payments against Check Requests. AP is working

with Information Resource Management department to see if the vendor information can

be included in the Transaction Detail Report. AP will update this response when we

determine if it can be added.

Distribution:

Audit Committee, Arizona Board of Regents Internal Audit Review Board Rita Cheng, President Jennus Burton, Vice President for Finance and Administration Bjorn Flugstad, Chief Financial Officer Joanne Keene, Executive Vice President and Chief of Staff Carol Luckey, Assistant Director, Contracting and Purchasing Services Becky McGaugh, Executive Director, Contracting and Purchasing Services Michelle Parker, General Counsel Wendy Swartz, Associate Vice President and Comptroller This report is intended for the information and use of the Arizona Board of Regents, NAU administration, the Arizona Office of the Auditor General, and federal awarding agencies and sub-recipients.

Issued by: Sara J. Click, CPA, Chief Auditor


SPEED Deferred Maintenance and Building Renewal Projects

February 2016 FY15 - #12

Submitted to: Christopher M. Kopach, Assistant Vice President Facilities Management

Copies to: Institutional Internal Audit Review Board Audit Committee, Arizona Board of Regents Andrew C. Comrie, Senior Vice President for Academic Affairs and Provost Gregg Goldman, Senior Vice President for Business Affairs and Chief Financial Officer Laura Todd Johnson, Vice President, Legal Affairs and General Counsel Robert R. Smith, Vice President, Business Affairs Peter Dourlein, Assistant Vice President, Planning, Design and Construction Jon Dudas, Senior Associate to the President and Secretary of the University Duc D. Ma, Interim Associate Vice President, Financial Services Karen Williams, Interim Chief Information Officer



The University of Arizona Page 1 of 8 February 2016

Summary

Our audit of Phase II and III Stimulus Plan for Economic and Educational Development

(“SPEED”) Deferred Maintenance and Building Renewal (“DM/BR”) projects was

included in our approved Fiscal Year (“FY”) 2015 Audit Plan. Phase I was reviewed as

part of our Fiscal Year 2010 Audit Plan, and audit report FY10 - #05 was issued in

January 2010.

The SPEED initiative supports the “Engaging” and “Innovating” pillars of the University’s

Never Settle strategic plan by providing urgently needed funding to extend the life of

and modernize facilities to help meet the education needs of the future. Administration

and project monitoring for the SPEED DM/BR projects is provided by Facilities

Management (“FM”).

Background: The SPEED funding was designed to help spur the State’s economy by

issuing bonds to fund capital projects. University revenues cover 20% of the debt

service, with the State paying the remaining 80% out of Arizona Lottery proceeds.

In February 2009, the Legislature’s Joint Committee on Capital Review (“JCCR”)

reviewed the three universities’ fire and life safety SPEED project submissions and

allocated $68 million for UA’s projects. The most critical projects, totaling $16 million,

were completed under Phase I. The remaining $52 million was used to complete Phase

II and III projects (covered by this audit). The Phase II and III projects were divided into

10 categories of work with a total of 15 UA financial accounts that included 163 projects.

(See table below.)

Category of Work

No. of Accounts

No. of Projects

Project Costs

Interior/Exterior Building Components 2 18 $18,431,987

Heating, Ventilation and Air-Conditioning 2 30 14,560,593

Arizona Health Sciences Critical Improvements 1 21 5,963,981

Mechanical System Repairs & Replacements 1 49 5,579,228

Building Structural Components 2 5 2,385,000

Fire Alarm and Fire Sprinkler Systems 1 4 1,990,844

Elevator/Code Compliance Upgrades 1 10 986,819

Electrical Code Upgrades 2 6 834,584

Football Stadium Structural Repairs 2 2 737,640

Critical Roofing Repairs 1 18 598,948

Total 15 163 $52,069,624



The SPEED DM/BR projects reviewed were awarded using the following types of

procurement methods:

• Sole-Source Provider: A sole source exists when there is a need for a specific

item or service that is only available from one source. For example, systems that

are integrated across campus, such as fire detection, fire suppression, and

access control and security, necessitate the use of a single contractor or service

provider. Sole-source documentation is prepared and only one contractor

prepares a bid.

• Sealed Bid: Projects that exceed an aggregate dollar amount of $100,000 are

awarded on the basis of sealed competitive proposals or bids from various

qualified contractors who respond to a specific scope of work. A purchase order

is then awarded to the contractor with the lowest responsible bid.

• Job Order Contracting (“JOC”): JOC construction contractors are selected

through a qualifications-based selection process in response to a Request for Proposal (“RFP”) solicitation that is issued on a five-year cycle. A shortlist of

qualified contractors for specific services (e.g., mechanical, electrical) is ranked,

and upon the successful negotiation of project-specific work, a Work Order and

Notice to Proceed are issued. Work Orders for renovation and alteration projects

cannot exceed $2M. Once a JOC contract is issued, any change in the contract

price, contract time, or scope of work must be made by a written and approved

change order. Exhibit A of the Tri-University’s standard JOC agreement

prescribes specific methodology for calculating change orders, including

limitations on contractor and subcontractor fees.

Audit Objectives: To determine whether contractor billings for the SPEED DM/BR

projects are adequately supported and in accordance with contract provisions, including

whether:

• internal controls were in place and operating effectively to ensure requests for

cost-proposals/quotes, bids, and contractor selections complied with University

procurement policies and procedures;

• contractor requests for payment were adequately supported and did not exceed

the purchase order amount;

• bond and insurance coverage was in compliance with the terms of the contract;

• change orders (“CO”) were priced according to the contract terms; and

• opportunities for process improvements exist.

Scope: Our audit of the SPEED DM/BR projects included all Phases II and III projects

completed between June 2011 and October 2014 totaling $52 million.



Methodology: Our audit objectives were accomplished through:

• reviewing applicable University procurement and expenditure policies and

procedures;

• discussing and corresponding with University representatives from FM,

Procurement and Contracting Services (“PACS”), and Planning, Design and

Construction (“PD&C”);

• examining PACS’ project files, including sole-source justifications, JOC

processes and agreements, Request for Proposals/Bids, and Purchase Orders;

• verifying all required insurance coverage and bonds were maintained during the

project;

• preparing a control schedule of project purchase orders, COs, and payments;

• reconciling purchase orders and payments and comparing to the detailed

supporting invoices or contractor payment applications;

• reviewing COs and supporting documentation to ensure changes were

reasonable and approved; and

• recalculating the fee, bonds and insurance, and taxes charged on COs.

Sample Selection Methodology:

• To select accounts for review, we used ACL Analytics to randomly select 5

(30.3%) of the 15 Phase II and III accounts. The 5 sample accounts contained 51

projects, from which we judgmentally selected 11 sample projects for review. The

11 projects represented 28 purchase orders awarded to various vendors/

contractors.

• Our objective was to select at least 50% of the dollar amount for each of the five

sample accounts, with an overall minimum of 25% coverage for all Phase II and

III projects. The 11 sample projects represent approximately $14 million (27%) of

the $52 million.

Conclusions: Based on our audit work, we found that University processes for

procurement of Phase II and III DM/BR projects complied with University policies and

that financial transactions generally complied with the terms of the contracts.

Specifically, we concluded that the contractor selection process complied with

University policies and procedures, including the requirement for maintaining insurance

and payment and performance bonds. We ascertained that all transactions were

sufficiently supported and payments were based on actual costs incurred. Our review of

COs revealed that the COs represented a legitimate change in the scope of work, and

credits were received where applicable. However, not all revised JOC contractual



amounts were accurate and/or priced in accordance with Exhibit A. Additional details

can be found beginning on page 6.

The audit identified an opportunity for improvement that could further enhance FM’s

management of future projects. We suggested to FM management that subaccounts be

established within UAccess to assist in accounting for individual project costs. As

reflected in the table on page 1, the 163 Phase II and III SPEED DM/BR projects were

managed under 15 UAccess accounts based on categories of work. Each project has

separate accountability requirements. Because the costs were intermingled within one

account, they were not easily identifiable to a specific project. As suggested, FM began

using subaccounts in FY 2015 and will use them for future projects.

According to the Institute of Internal Auditors International Professional Practices

Framework, an organization is expected to establish and maintain effective risk

management and control processes. These control processes are expected to ensure,

among other things, that:

• the organization’s strategic objectives are achieved;

• financial and operational information is reliable and possesses integrity;

• operations are performed efficiently and achieve established objectives;

• assets are safeguarded; and

• actions and decisions of the organization are in compliance with laws,

regulations, and contracts.

Our assessment of these control objectives as they relate to the SPEED DM/BR

projects is on the following page.



General Control Objectives

Control Environment

Audit Result

No. Page

Achievement of the Organization’s Strategic Objectives

• Strategic objectives were met by extending the life and quality of UA facilities for current and future students, staff, employees, and visitors.



• Contractor billings were adequately supported by actual costs incurred by the contractors.


• Change orders were priced and approved according to contract requirements.


1 6


• UA payments to contractors did not exceed the contracted amount.



• The contractors provided the contracted scope of work.



• Bonds and insurance coverage was in compliance with the terms of the contract.


• The contracts were managed to ensure contractors complied with contract terms.


We appreciate the assistance of FM, PACS, and PD&C personnel during the audit.

___________/s/___________ _________/s/___________

Deborah S. Corcoran, CCA, CIA Auditor-In-Charge (520) 626-0185

[email protected]

Sara J. Click, CPA Chief Auditor

(520) 626-4155 [email protected]





Audit Results, Recommendations, and Responses

1. Change Orders were not accurately priced.

Condition:

Sixteen (67%) of the twenty-four change orders reviewed1 contained errors related

mainly to allowable fees. As a result, the University of Arizona overpaid two JOC

contractors a net amount of $16,260.

Criteria:

• Paragraph 28.3 of the 2012 Job Order Contract states, “The cost or credit to the

Owner resulting from a change in Work shall be determined in one or more of the

following ways:

“A. By unit prices from the Unit Price Book specified. Unit prices, from a unit

price book (i.e. R.S. Means, etc.), proposed on the Proposal form and

included in the Contract are not subject to further overhead and profit

adjustments. The Contract Sum will be adjusted by the direct extension of the

number of units and the unit prices. Contractor Fee will be added, and then

adding the insurance, bonds, and tax to compute the total cost.

“B. By mutual acceptance of a lump sum properly itemized and supported by

sufficient substantiating data to permit evaluation as a non-prepriced item in

accordance with the Contract Documents and in the format as described on

Exhibit A, Change Order Pricing Format.”

• Exhibit A of the JOC Contract states that contractor fees shall be “actual

percentages based on and supported by records of the applicable Subcontractor

and/or Contractor.” PD&C developed the JOC 2012 Contractors’ Information chart

that established allowable fees for JOC contractors who were awarded a 2012 JOC

agreement.

Causes:

• FM staff were not aware of all JOC contract requirements and stipulations, including

(1) the JOC 2012 JOC Contractors’ Information chart that established profit and

overhead fees for individual contractors, and (2) the contractually prescribed

methodology for pricing change orders.

1 Ten of the twenty-eight sample-selected purchase orders had a total of 24 change orders, valued at $1,354,045. Of

the 24 change orders, 7 were non-JOC contracts and 17 were JOC contracts.



• Although FM had procedures in place to coordinate with the architect to determine if

change order costs were reasonable, the procedures did not include a validation

process to ensure all costs, including contractor profit and overhead fees, were

accurate and priced in accordance with Exhibit A.

Effect:

Without specific procedures in place to ensure accurate change order pricing, the

University is at risk for paying more than the allowable contract amount.

Recommendations:

1) FM should initiate action to recoup change order under/overpayments identified

during the audit.

2) Management should consider reviewing the remaining 14 change orders for the

two contractors to determine whether other overpayments exist and seek

reimbursement accordingly.

3) FM management should coordinate with PD&C to obtain immediate training to

become familiar with existing construction contract delivery methods, to include

JOC and Construction Manager at Risk agreements. Thereafter, training should

occur at least annually and/or as changes are made to agreements. FM staff such

as project managers, business services personnel, and appropriate associate

directors should attend the training.

4) FM should strengthen existing procedures for validating change order amounts.

The procedures should include a review of allowable contractor fees to ensure the

correct fees are applied.

Management Response:

1) Implemented: May 2016. It was FM’s recommendation to reach out to our JOC

Contractors to recoup the overpayment charged for the profit and overhead on the

change orders. Consequently, the meeting has taken place with the contractor,

and they have agreed to reimburse the University for the overpayment.

2) Target Implementation Date: May 2016. FM Business Services has reviewed the

remaining 14 change orders and determined that there was only one overpayment

of the profit and overhead totaling $76.90 to a contractor. FM is in the process of

invoicing the contractor for that total.



3) Target Implementation Date: June 2016. FM is in the process of coordinating a

training in the near future and scheduling annual refresher training with all those

involved in the JOC and Construction Manager at Risk process.

4) Implemented: April 2016. FM immediately initiated a two-step process in which

before the change order is approved, FM Business Services recalculates the

overhead and profit amount to make sure the fees are within the limitations

prescribed in the Tri-University Standard JOC negotiated agreement. After it has

been verified that the appropriate profit and overhead percentages are being used,

authorization is issued to the Project Manager to move forward with the change

order.

Issued by: Sara J. Click, CPA, Chief Auditor


Health Sciences Education Building, Finish Shell Space Construction Contract

April 2016 FY16 - #06

Submitted to: Robert R. Smith, Vice President for Business Affairs Peter Dourlein, Assistant Vice President, Planning, Design & Construction Jennifer Andrews, Project Manager, Special Facilities - Phoenix Biomedical Campus

Copies to: Institutional Internal Audit Review Board Audit Committee, Arizona Board of Regents Andrew C. Comrie, Senior Vice President for Academic Affairs and Provost Jon Dudas, Senior Vice President, Senior Associate to the President and Secretary of the

University Gregg Goldman, Senior Vice President for Business Affairs and Chief Financial Officer Laura Todd Johnson, Senior Vice President, Legal Affairs and General Counsel Duc D. Ma, Interim Associate Vice President, Financial Services Karen A. Williams, Interim Chief Information Officer


Health Sciences Education Building, Finish Shell Space

The University of Arizona Page 1 of 6 April 2016

Summary

Our audit of the Health Sciences Education Building, Finish Shell Space (HSEB SS)

construction contract was included in our approved Fiscal Year 2016 Audit Plan. The

University of Arizona (UA) contracted for the HSEB SS tenant improvement project with a

construction phase Guaranteed Maximum Price (GMP) of $9 million. Construction projects

have been identified as strategic, high-risk areas for the universities. Charges to the project

may not comply with the negotiated contract, resulting in overcharges and cost overruns.

Construction administration and project monitoring for UA is provided by Planning, Design

and Construction (PD&C). Since 2009, we have completed nine audits of construction

contracts administered by PD&C.

Background: HSEB is a 265,000-square foot building located

on the Phoenix Biomedical Campus (PBC) at 7th Street and

Van Buren. HSEB was completed in July 2012; however,

45,371 SF of shell space remained temporarily unfinished.

Completion of the built-out space included a Lecture Hall on

the 1st floor; an expanded Simulation Center, a new Learning

Studio, and classroom space on the 3rd and 4th floors; and office and administrative support

space on the 5th floor.

The HSEB construction project is part of the $376 million PBC, Phase II project. One

request for qualifications (RFQ) was issued, and the contract was awarded to DPR/Sundt

(A Joint Venture). The original contract and amendments included the following

construction sub-projects:

• HSEB,

• Vivarium,

• Arizona Biomedical Collaborative II (ABC 2) building, and

• Phoenix Union High School Renovation.

Separate GMP and design documents were prepared for each sub-project. As the project

progressed, the Phoenix Union High School Renovation was put on hold due to budget

constraints. The ABC 2 building was funded and renamed the Biomedical Sciences

Partnership Building. This project is currently under construction and will be substantially

complete in December 2016 with occupancy in January 2017.

At its March 2013 meeting, the ABOR Business and Finance Committee granted Project

Approval for $17.9 million for the HSEB SS project.1 Funding was provided through the

sale of Stimulus Plan for Economic and Educational Development (SPEED) revenue

1 Approximately $8.8 million of the $17.9 million approved for the HSEB SS project was put on hold until NAU finalized plans for their space, leaving a total of $9.1 million for this phase of the project.



bonds, which are to be repaid 80% from State lottery proceeds and 20% from University

funds.

The cost of the project was shared by UA and Northern Arizona University (NAU). Once

needs were identified and costs estimated, the cost split between UA and NAU for tenant

improvement of the shell space was based upon square footage costs on a floor-by-floor

basis. Project costs were first calculated per floor and then divided based on square

footage assigned to either NAU or UA. The split was then based upon percentage of total

construction costs. The percentage was determined to be approximately 75.8% for UA

(covered by this audit) and 24.2% for NAU. See table below for cost breakout.

GMP Description UA NAU Total

Pre-Construction Phase Fee $57,607 $33,833 $91,440

Construction Phase GMP 6,847,616 2,189,923 9,037,539

Total Pre-Construction and Construction GMP

$6,905,223 $2,223,756 $9,128,979

HSEB was built using the Construction Manager at Risk (CM@Risk) project delivery

method, and the HSEB SS project was delivered through continuation of the CM@Risk

originally selected for HSEB. The CM@Risk selected for HSEB was DPR/Sundt (A Joint

Venture), hereinafter referred to as “DPR/Sundt.” The contract with DPR/Sundt included

pre-construction design-phase services as well as construction-phase management,

including coordinating all subcontracted work.

The contract included an approved sub-contractor selection plan that allowed for Core

Team Partners to be selected by a Quality Based Selection (QBS) process. This process

eliminates the typical request for three subcontractor competitive bids. The QBS selection

is based on a subcontractor’s qualifications, which include: successful experience with the

CM@Risk; successful experience with the UA, NAU, or the City of Phoenix; skill in

providing early conceptual estimating and value design options; and financial strength.

The following table lists the top five subcontractors by subcontract dollar amount. One of

the five, DPR Drywall, was awarded lump sum subcontracts, as stipulated in the contract,

for self-performed work.

Trades Description

Subcontractor Original GMP

Amount Net

Adjustments Final GMP

Amount

Mechanical UMEC, Inc. $1,379,309 $207,425 $1,586,734

Finishes DPR Drywall $1,295,022 $152,126 $1,447,148

Electrical Cannon & Wendt $1,261,324 ($34,346) $1,226,978

Finishes Barrett-Homes $587,194 $26,596 $613,790

Openings Walters & Wolf $447,140 $80,215 $527,355



The Notice to Proceed was issued December 23, 2013, and construction work began in

January 2014. The contract called for substantial completion by June 30, 2014. PD&C is

satisfied with the quality of the work and that the contractor completed work during the

required timeframe, issuing a Certificate of Substantial Completion dated July 1, 2014.

Audit Objectives: To determine whether financial transactions relating to construction

activity for the HSEB SS project complied with the terms of the contract, including whether:

• contractor billings were adequately supported by actual costs or subcontractor

estimates, plus overhead, profit, and fees as specified by the construction contract;

• general conditions expenses were charged to the project in accordance with contract

provisions;

• contingency funds were managed in accordance with contract requirements;

• Change Orders were priced according to the contract terms and were properly

approved;2

• the CM@Risk provided the contracted scope of work;

• insurance coverage during construction was in compliance with the terms of the

contract;

• quality assurance and control procedures were implemented in accordance with the

contract terms; and

• opportunities for process improvements exist.

Scope: Our audit of the HSEB SS project included all construction-phase expenses

incurred by DPR/Sundt from the start of the contract in December 2013 through August

2015, the last pay application processed prior to commencement of the audit.

We relied on PD&C’s expertise for the construction technical aspects and, therefore, our

scope of work did not include any on-site inspections to assess construction methods,

materials, or compliance with design specifications. We also did not include any costs

associated with the project that were not part of the CM@Risk contract, including

architectural fees or PD&C internal costs.

Methodology: Our audit objectives were accomplished through:

• preparing a control schedule of the initial GMP, internal adjustments, and payment

applications to ensure payments to the CM@Risk did not exceed the approved

GMP;

• reviewing all 14 UA construction-phase payment applications and comparing the

summary information in the payment application to the detailed supporting invoices

or payment applications from the subcontractors to DPR/Sundt;

• recalculating the fee, bonds and insurance, and taxes applied against the GMP to

verify accuracy of indirect construction costs;

2 We found that there were no Change Orders executed for UA’s portion of the contract.



• reconciling the job cost ledger against invoices and pay applications;

• reviewing the itemized list of General Conditions and Requirements and examining

pay application line items and supporting documentation to ensure General

Conditions and Requirements items were not included as expenses in pay

applications;

• reviewing UA payments to vendors other than DPR/Sundt to ensure the expenses

were not included in the CM@Risk contracted scope of work;

• reviewing quality control processes, issues, and resolutions;

• verifying all required insurance coverage and bonds were maintained during the

project;

• selecting and reviewing a random sample of contingency expenditures to ensure

that all uses of the contingency fund are made in accordance with the contract;

• ensuring the subcontractor bidding process was performed in compliance with

contract terms;

• reviewing the third party assessment of costs for self-performed work areas to

ensure reasonableness and compliance with contract terms;

• reviewing subcontracts and bid documents for the three largest (by final contract

dollar amount) subcontractors to ensure the contract terms were consistent and in

compliance with the CM@Risk contract;

• examining project close out documents to ensure punch list items were resolved and

a substantial completion certificate was issued in a timely manner; and

• discussing the project with representatives from PD&C and DPR/Sundt to obtain

additional information and clarification.

Conclusions: Based on our audit work, the financial transactions relating to construction

activity, by both DPR/Sundt and PD&C, complied with the terms of the contract.

Specifically, the Schedule of Value line items were based on actual costs and supported

with back-up documentation, and contingency funds were managed in accordance with

contract requirements. Additionally, the CM@Risk provided the contracted scope of work;

insurance coverage during construction was in compliance with the terms of the contract;

quality assurance and control procedures were implemented in accordance with the

contract terms; and close-out documents completed to date were in order.3

During this project, the CM@Risk utilized a field management software tool, BIM 360TM

Field, to manage quality control issues from initial identification through final punch list

resolution. The mobile app facilitated real-time reporting through the use of cloud-based

collaboration and reporting to and from field personnel and office/project managers, thereby

improving quality, safety, and project visibility.

This construction project was part of an umbrella contract signed in 2009, prior to

development of the current Tri-University construction contract. Therefore, the General

3 A contractor evaluation had not been completed since the project was not yet finalized.



Conditions and Requirements expenses were fixed at $1,208,626 (13% of the total GMP)

for which no supporting documentation was required. The revised standard Tri-University

contract now requires all General Conditions and Requirements expenses to be based on

actual costs and documented with receipts, invoices, and/or purchase orders, allowing for

more auditable expenses.

During this audit, we identified a $15,050 expense for final cleaning that is traditionally a

part of General Conditions and Requirements. However, the CM@Risk excluded final

cleaning from the General Conditions and Requirements. The CM@Risk believed this to

be an additional expense and transferred contingency funds to an added line item for the

final cleaning expense while $10,000 of the fixed general conditions amount remained

unspent. Although final cleaning costs are normally included in generally accepted General

Conditions and Requirements, the 2009 construction contract did not specify expenses to

be included in the General Conditions and Requirements fixed amount. Since the revised

Tri-University standard construction contract eliminated the option for fixed amount General

Conditions and Requirements and requires those expenses to be itemized and supported,

this issue should not occur in the future.

As noted in a previous construction contract audit, the current standard Tri-University

contract requires retainage to be withheld from contractor payments. However, ABOR

Policy 3-804, Professional Services and Construction Services Procurement, dated 6/2006,

permits the CM@Risk to provide a substitute security in lieu of retainage. Since this has

become a fairly common practice, the Tri-University contract committee should consider

including contract language that allows the CM@Risk the option to substitute security for

retainage. If the committee elects to revise the contract to permit the contractor to

substitute security for retainage, the committee should evaluate whether existing monitoring

practices are sufficient to ensure the required amounts are deposited into security escrow

accounts.

According to the Institute of Internal Auditors International Professional Practices

Framework, an organization is expected to establish and maintain effective risk

management and control processes. These control processes are expected to ensure,

among other things, that:

• the organization’s strategic objectives are achieved;

• financial and operational information is reliable and possesses integrity;

• operations are performed efficiently and achieve established objectives;

• assets are safeguarded; and

• actions and decisions of the organization are in compliance with laws, regulations,

and contracts.

Our assessment of these control objectives as they relate to the HSEB, Finish Shell Space

construction contract is on the following page.



General Control Objectives

Control Environment

Recommendation

No. Page

Achievement of the Organization’s Strategic Objectives

• Strategic objectives were met by providing state-of-the-art facilities that help the university achieve its research and educational goals.



• Contractor billings were adequately supported by actual costs incurred by the CM@Risk.


• General Conditions were charged to the project in accordance with contract provisions.


• Contingency funds were managed efficiently and effectively.


• Change Orders were priced and approved according to contract requirements.

Not Applicable


• Quality control procedures were effective in ensuring compliance with the contract.



• The CM@Risk provided the contracted scope of work.



• Insurance coverage during construction was in compliance with the terms of the contract.


• The contract was managed to ensure the CM@Risk complied with all terms of the contract.


We appreciate the assistance of both PD&C and DPR/Sundt representatives during the

audit.

_____________/s/_____________ _____________/s/____________

Deborah S. Corcoran, CCA, CIA Auditor-In-Charge (520) 626-0185

[email protected]

Sara J. Click, CPA Chief Auditor

(520) 626-4155 [email protected]

