University of California Audit and Communications Planregents.universityofcalifornia.edu/regmeet/may16/a6attach1.pdf · 30/6/2016 · Communications and Planned Interactions

pwc.com

University of California Audit and Communications Plan

www.pwc.com

For the Year Ending

June 30, 2016

Attachment 1

PricewaterhouseCoopers LLP, 488 South Almaden Blvd, San Jose, CA 95110 T: (408) 817 3700, F: (408) 817 5050, www.pwc.com/us

Members of The Regents Committee on Compliance and Audit University of California

May 2, 2016

Dear Members of the Committee on Compliance and Audit:

We are pleased to have the opportunity to meet with you on May 10, 2016 to present our

2016 Audit Plan for the University of California (the “University”). This report presents to

you our audit and communications plan as well as a summary of our understanding of

expectations and responsibilities between us, our audit approach, service deliverables, audit

and reporting timetable and other matters. Discussion of our plan with you ensures our

engagement team members understand your concerns, and that we agree on mutual needs

and expectations to provide the highest level of service quality. Our plan has been developed

to provide the University with an efficient, high quality audit which addresses the key risks

and business issues of the organization.

The higher education environment continues to be complex, with increasing expectations

about performance, accountability, and value from many different constituents, including

students, parents, regulators, donors, and federal and state governments. Our goal has and

continues to be understanding and delivering upon your expectations and providing you with

the best possible service and value.

In addition, we have included our most recent thought leadership publications that we

believe you will find helpful – Perspectives in Higher Education 2015, which provides a

summary of the more pressing issues impacting the higher education sector, as an

attachment to this plan.

We are pleased to be again serving as the University’s independent auditor. We appreciate

the opportunity and look forward to meeting with you to present this report, address your

questions and discuss any other matters of interest to the Committee on Audit and

Compliance. Please feel free to contact Michael Schini at (408) 817-4345 or Michael

MacBryde at (415) 498-7140 with any questions you may have.

Very truly yours,

University of California Report to the Committee on Compliance and Audit

PwC 2016 Audit and Communications Plan 3

Contents

Executive Summary.................................................................................................... 4

Our Audit Objectives ...................................................................................................7

Business, Regulatory and Other Changes Impacting Our Audit ............................. 8

Our Audit Approach and Risk Assessment ............................................................. 10

Our Deliverables ........................................................................................................ 13

Client Service Team Composition ............................................................................ 14

Multi-location Audit Coordination ........................................................................... 17

Audit Timeline .......................................................................................................... 20

Mutual Understanding of Responsibilities .............................................................. 21

Communications and Planned Interactions ........................................................... 23

Materiality and Independence ................................................................................. 24

Perspectives on Fraud Risk ...................................................................................... 25

Proposed Fees ........................................................................................................... 27

Required Communications with the Audit Committee .......................................... 28

Appendix A 2016 Service Commitments ..................................................................................... 32

Appendix B Audit Strategy ........................................................................................................... 35

Appendix C Approach for Areas of Significant Risk ................................................................... 39

Appendix D

Relevant Pronouncements and External Guidance................................................ 43

Appendix E

Perspectives in Higher Education 2015



Executive Summary This executive summary is provided to highlight the key points in this service plan such as our

assessment of significant risks and new events impacting the 2016 audit. The remainder of

our service plan provides additional detail on these items as well as the PwC client service

team, an overview of our top-down, risk-based audit approach, our audit responses to

significant risk, and our plan for continuous, two-way communication and reporting to the

Committee and management. The University of California system and its stakeholders expect

us to deliver a high quality audit and that is our number one goal as your auditor. PwC has a

significant focus on audit quality and continuous improvement in our audit processes-- we

are continually standardizing, simplifying and automating through technology to enhance

audit quality while improving the experience for you as well.

You also expect an audit that makes the best use of your time. So as we enter our planning

activities for the 2016 audit, we look at how we can audit more efficiently while delivering

quality and keeping you apprised of the audit and financial reporting impacts caused by

changes to your organization, operating environment, regulatory developments and new

accounting standards.

Current year considerations--what’s new for 2016

As you know, we were formerly the auditors of the University of California but have not

served in this role for the past two years. Although we have had a two year break in service,

we have brought back a significant number of members from our past team who will allow us

to build upon things that have worked well in previous years and enhance our approach from

lessons learned. The commonality of our team leadership will allow a smooth transition back

to PwC. On the other hand, we will commit to bring a fresh perspective to our audit from

selected new team members and also enhancements in the PwC audit approach over the past

two years.

Our efforts will include (some of which we have already begun to perform):

Building upon our previously obtained understanding of the University’s processes,

controls and relationships throughout the University to reduce management’s time

supporting the audit. In fact, we have already begun to coordinate the 2016 audit with

the many stakeholders and locations and plan to utilize work across teams to avoid

duplication in procedures performed.

Enhancing our project management tools and techniques to manage our audits most

effectively.

Ensuring continuous communication with management throughout the audit process to

avoid late surprises.

Focusing on phasing of our audit work throughout the year to balance the workload and

reduce year-end crunch.



Accelerating our Uniform Guidance federal award audit procedures to better leverage the

compliance work into our financial statement audit and to ensure a succinct conclusion to

the Uniform Guidance audit.

Incorporating information technology (IT) and data management tools to improve our

engagement management capabilities allowing us to be more efficient on the

engagement.

Significantly upgrading our audit documentation capabilities through technology to

standardize audit procedures and documentation templates which also allows us to be

more efficient.

Looking forward: The impact of business, regulatory and financial

reporting changes

We will continue to bring a forward looking perspective to the audit and adapt it to the

changing facts and circumstances in your business and regulatory environment. Below we

highlight some of the changes that will impact your audit from 2016 and beyond.

Regulatory developments, such as the impact of the first full year of compliance with the

Uniform Guidance. For 2016, OMB's Uniform Guidance requires all entities that receive

federal funding to implement a formal control framework (such as COSO) and requires

that, as part of our audit, the implementation of this framework is tested. As new

documentation becomes available, we will review it, perform walkthroughs and provide

feedback where appropriate. This also impacts the controls we identify and are required

to test to ensure that the organization meets its compliance requirements over the use of

federal funds.

Two other changes will impact the 2016 audit process. The first expands the scope for

independent auditors, requiring the independent auditor to test at least one Type B

program (non-research or non-student financial aid programs that are less than a

prescribed materiality). The second expands the information required to be included on

the data collection form that will impact the procedures we are required to perform.

Significant IT implementations, such as UCPath, will continue to impact our audit scope.

During and after implementation, we will continue to hold discussions and perform

procedures, as applicable, to ensure the effectiveness of IT controls and consider the level

of reliance we can derive for audit support.

Significant transactions have accounting and reporting implications. We will advise you

of the accounting and reporting impacts of such transactions so you can make more

informed decisions and eliminate surprises.

There are numerous new Governmental Accounting Standards Board (GASB)

pronouncements that will require implementation in 2016 and beyond. In fiscal year

2016, the University has implemented GASB 72, ‘Fair Value Measurement and

Application’ and GASB 80, ‘Blending Requirements for Certain Component Units’ which



we cover in more detail in section ‘Assessing New Accounting Pronouncements’. For all

future pronouncements, refer to Appendix D. We will continue to work with you to

implement and assess the impacts of these new GASB pronouncements on your financial

reporting as part of our audit plan.

Our transition timeline

Using the information we have gained during our recent discussions with management,

leveraging our prior knowledge of the University, as well as including recurring team

members, we believe we are in a position to “hit the ground running” with respect to the 2016

audit.

Our accelerated transition plan will ensure we are fully coordinated with each location as well

as the Office of the President (UCOP) over the next 60 days. We emphasize close

coordination with you and continuous communication throughout the transition. In addition,

by remaining flexible throughout the transition process and deploying resources

appropriately we will make sure the process is as seamless as possible. We will work with

management to ensure that our audit is well planned and executed to ensure a smooth and

“no surprises” transition.



Our Audit Objectives As the University’s auditor, we are responsible for reporting on numerous financial statements. In performing our audits for 2016, our primary objectives are as follows:

■ Perform an audit of the University of California consolidated financial statements,

University of California Retirement System financial statements, including the University

defined benefit retirement plans, University retirement savings program and report on the

University of California Retirement Plan’s Schedule of Cash Contributions, University’s

Captive Insurance Company, bond opinion related to UCLA Medical Center debt

agreement and each of the five University Medical Centers, in accordance with generally

accepted auditing standards (GAAS) and, as applicable, Government Auditing Standards

(GAS). In connection with our audits, we will obtain reasonable rather than absolute

assurance about whether the financial statements are free of material misstatement,

whether caused by error or fraud.

■ Perform an audit of the University’s compliance with federal award requirements (OMB

Uniform Guidance) in accordance with GAS.

■ Communicate in writing to management and the Committee all material weaknesses and significant deficiencies identified during the audit. In addition, communicate in writing to management all deficiencies in internal control, of consequence, over financial reporting identified during the audits.

■ Complete other communications required under professional standards to the Committee on a timely basis.

In meeting these objectives, we will do the following:

■ Consult with management on a timely basis regarding accounting and financial reporting issues and ensure all matters of significance are reviewed and discussed at the Office of the President and relevant location level.

■ Coordinate efforts with management to ensure that all significant financial statement components are subject to sufficient audit coverage.

■ Evaluate changes in the University, risk profile and internal controls to determine the nature, timing and extent of our testing of controls and substantive tests.

■ Provide relevant expertise to facilitate the resolution of important issues.

■ Report the results of our work to management and the Committee, including constructive observations relating to the University’s financial processes and controls.

We note that the campus foundations have separate audits of their financial statements and the auditor’s reporting on those foundations is directed to the individual foundation audit committees. Accordingly, this Audit and Communications Plan is not focused on the specifics of the campus foundations.



Business, Regulatory and Other Changes

Impacting Our Audit

Our 2016 audit plan has been updated to reflect our prior years' experience, changes in the

University and current regulatory developments. In forming our 2016 audit plan, we factored

in our experience from our most recent 2013 audit of the University, including further

enhancing our risk-based approach to the audit and our scoping of significant locations and

accounts. We have also taken a "fresh look" at our audit approach and considered areas of the

audit that we can perform more efficiently, while still achieving the same effectiveness. We

actively keep current with the University through the actions detailed below:

Monitoring Regulatory Developments

■ Continuing to monitor developments in federal and state hospital reimbursement mechanisms and their potential effect on the University's Medical Centers;

■ Monitoring developments in government contracting regulations and their potential effect on federal contracts held by the University;

■ Identifying other regulatory developments which could either affect our audit procedures under a risk-based approach or have longer term implications; and

■ Working with management to assess the impact of future technical pronouncements on the University's various financial statements.

Capital Spend / Significant IT Implementations

■ Monitoring capital and IT spend for audit implications--with the continuing amount of

capital spending, including significant new construction and IT projects (e.g., UCPath,

EPIC), we will obtain an understanding of the University’s capital spending programs,

evaluate the risks and controls associated with the various programs, and assess the design

of those controls. We also consider and evaluate any IT system changes and their impact

to our audit scope and consider discrete testing of these expenditures.

Advising on Significant Transactions

■ We will provide input to management on the potential accounting impact and reporting

treatment for significant transactions such as Merced 2020 and UCLA’s sale of its royalty

interest connected with a leading prostate cancer medication, Xtandi to Royalty Pharma.

This will help management make informed decisions and eliminate surprises.

Assessing New Accounting Pronouncements

Understanding the effect of new GASB standards--the GASB continues to be active in

standard setting and has a full agenda of projects as detailed in Appendix D. The University is

implementing two new GASB pronouncements in fiscal year 2016, GASB 72, ‘Fair Value



Measurement and Application’ and GASB 80, ‘Blending Requirements for Certain

Component Units’. Refer below for a summary of these two new pronouncements.

Statement No. 72, ‘Fair Value Measurement and Application’ GASB Statement No. 72, Fair Value Measurement and Application, establishes a hierarchy of

inputs to valuation techniques used to measure fair value. That hierarchy has three levels.

Level 1 inputs are quoted prices (unadjusted) in active markets for identical assets or

liabilities. Level 2 inputs are inputs—other than quoted prices—included within Level 1 that

are observable for the asset or liability, either directly or indirectly. Finally, Level 3 inputs are

unobservable inputs, such as management’s assumption of the default rate among underlying

mortgages of a mortgage-backed security. This Statement requires additional analysis of fair

value if the volume or level of activity for an asset or liability has significantly decreased. It

also requires identification of transactions that are not orderly. This Statement requires

disclosures to be made about fair value measurements, the level of fair value hierarchy, and

valuation techniques. Governments should organize these disclosures by type of asset or

liability reported at fair value. It also requires additional disclosures regarding investments in

certain entities that calculate net asset value per share (or its equivalent).

The requirements of this Statement will enhance comparability of financial statements among

governments by requiring measurement of certain assets and liabilities at fair value using a

consistent and more detailed definition of fair value and accepted valuation techniques. This

Statement also will enhance fair value application guidance and related disclosures in order to

provide information to financial statement users about the impact of fair value measurements

on a government’s financial position.

Statement No. 80, ‘Blending Requirements for Certain Component Units’ GASB Statement No. 80, Blending Requirements for Certain Component Units, improves

financial reporting by clarifying the financial statement presentation requirements for certain

component units. This Statement amends the blending requirements established in

paragraph 53 of Statement No. 14, The Financial Reporting Entity, as amended. This

Statement amends the blending requirements for the financial statement presentation of

component units of all state and local governments. The additional criterion requires

blending of a component unit incorporated as a not-for-profit corporation in which the

primary government is the sole corporate member. The additional criterion does not apply to

component units included in the financial reporting entity pursuant to the provisions of

Statement No. 39, Determining Whether Certain Organizations Are Component Units.

The requirements of this Statement enhance the comparability of financial statements among

governments. Greater comparability improves the decision usefulness of information

reported in financial statements and enhances its value for assessing government

accountability.



Our Audit Approach and Risk Assessment

Our Audit Strategy is based on:

■ The use of a top-down, risk-based approach to planning and conducting the audit; and

■ The application of well-reasoned professional judgment.

These principles allow us to develop and execute our audit strategy in an effective and efficient manner.



Significant Risks

The designation of significant risks which is required by the professional auditing standards, ensures that we place appropriate emphasis and testing on those areas most likely to cause a material financial reporting misstatement. Accordingly, as part of our audit planning, we identify certain audit areas as subject to significant risk of material financial reporting misstatement in the financial statements based on our knowledge of the University and the industries in which it operates. Such audit areas are subject to inherent or specific risks and complexities, critical accounting policies and/or significant judgments and estimates, as further described in the University’s consolidated financial statements, and are key considerations as we develop our current year audit approach. We identified the following significant risks:

Management override of controls - This is a required significant risk on all audit engagements. We perform testing on the appropriateness of journal entries and other adjustments, significant accounting estimates, and significant and/or unusual transactions to address this risk.

Fraud risk in revenue - As discussed in this document, in the section titled, Perspectives on Fraud Risk and Responsibilities, we have a presumption to consider the fraud risk in revenue as significant, which includes grants and contracts, educational activities and patient service revenue.

Valuation of alternative investments - The University has complex investments that are recorded at fair value. The underlying assumptions used to value certain of these investments may be judgmental and subject to risk that amounts received in settlement differ significantly from fair value measurements.

For further information on the implications on our audit associated with these risks, refer to Appendix C.

Elevated Risks

In addition to the significant risks identified above, we have identified the areas below that are not considered significant risks but are areas of focus during the audit due to materiality of the balance or complexity/judgment involved in the accounting. Such audit areas are subject to material accounting policies and/or judgments and are considerations as we develop our current year audit approach. For the current year, these consist of the accounting, reporting and controls over construction.

Lastly, we have additional areas of audit emphasis, which are those areas where we do perform procedures due to their size, complexity or judgment. These include:

■ Accounting and reporting for actuarially determined estimates (retirement plans and retiree health benefit obligations).

■ Accounting for receivables and allowances such as pledges and medical center receivables.



■ Determination of which entities are to be included as component units under GASB reporting guidelines due to their significance and the nature of the University's relationship with the entities.

■ Notes, bonds payable and commercial paper liabilities.

■ Presentation and disclosure of the financial statements.

■ Treatment of related party transactions with the University, as applicable to the separately-issued financial statements of the medical centers and benefit plans.

Uniform Guidance Reporting and Compliance Risk

Although not considered a significant risk from a financial reporting standpoint, we also focus

our audit procedures on regulatory compliance, including healthcare reimbursements, federal

grants, and continued focus on compliance processes and controls over the University's

federally sponsored research and financial aid programs. These procedures are performed in

connection with our OMB Uniform Guidance audit due to the reputational risk and potential

legal ramifications associated with non-compliance.

Additional procedures are required for performing an audit of compliance with requirements

applicable to each major federal program in accordance with GAS. At the time of preparing

this report, we expect that two major programs (research and development and student

financial aid) will be subject to our OMB Uniform Guidance audit for the year ending

June 30, 2016. We expect that one or two additional programs requiring audit as part of the

2016 Uniform Guidance work will be identified as part of the preparation of the 2016

Schedule of Expenditures and Federal Awards.

Refer to Appendix B for a summary of how we develop our audit strategy and

execute our audit.



Our Deliverables

As part of our service to the University, we provide advice on emerging accounting and reporting issues and provide certain other services. Refer to the table below for a listing of services we expect to provide. Prior to commencing any other services, we are required to obtain preapproval from the Committee or the Committee's designee pursuant to the University’s preapproval policy for its independent auditor.

Audit Opinions ■ Report on the financial statements of the University of California

■ Report on the financial statements of the five Medical Centers

■ Report on the University of California Retirement System

■ Report on the University of California Cash Contributions to the Retirement System

■ Report on the financial statements of the University Captive Insurance Company

■ Bond opinion related to UCLA Medical Center debt agreement

■ Reports in accordance with OMB Uniform Guidance, including:

- Internal Control over Financial Reporting and on Compliance and Other Matters Based on an Audit of Financial Statements Performed in Accordance with Government Auditing Standards

- Compliance with Requirements That Could Have a Direct and Material Effect on Each Major Program and on Internal Control Over Compliance

Internal Control

Observations

■ Report to the Committee on control and process deficiencies and

observations, including material weaknesses and significant deficiencies (Regents Letter)

■ Reports to the campus Chancellors on control and process deficiencies and observations (Chancellor Letters)

Agreed-Upon

Procedures

■ Agreed-upon Procedures related to the University’s Mortgage

Origination Program and Supplemental Home Loan Program

■ Agreed-upon Procedures on Intercollegiate Athletic Departments

(NCAA requirements) for six campuses

Other Services ■ Review of consolidated Form 990-T of the Regents of the University of California and University of California Retirement Plan

■ Reviews in connection with bond offerings

■ Accounting consultations and other assistance associated with emerging accounting and reporting issues and complex transactions

■ Financial reporting observations

Committee

Reporting

■ Audit and communications plan

■ Results of audits and required communications



Client Service Team Composition

While everyone on our team listed below has relevant industry experience in either higher

education/not-for-profit, healthcare, benefit plans or investments, we wanted to specifically

highlight team members with previous experience serving the University of California as

denoted with an asterisk below.

Mike Schini*

Engagement Partner

Mike Schini*

Partner

Lindsay Alexovich*

Senior Manager

Gwen Spencer*

Partner

Matthew Petroski

Director

Mike Schini*

Partner

Mike MacBryde*

Partner

Billy Kim*

Senior Manager

Ann Kennedy*

Partner

Dan Puts*

Senior Manager

Mike Schini*

Partner

Ralph DeAcetis*

Director

Kevin Mitchell*

Senior Manager

Jeffrey Fox

Partner

Chris Chung*

Director

Thomas Wadsworth*

Director

Mike MacBryde*

Partner

Kevin Mitchell*

Senior Manager

John Mattie* National industry leader Higher Education

Tim Weld* National industry leader Health care

Christa Dewire Quality Review Partner

Jim Henry* Senior Relationship Partner

Retirement

Plans Taxes Financial

Statements Investments Government

compliance

Information

Systems Medical

Centers

Medical Center teams Irvine, Davis, Los Angeles, San Diego, San Francisco Partners:

Mike MacBryde* Dave Merriam* Sara Hyzer Managers:

Kevin Mitchell* Billy Kim*

Rick Wang* Alex Daly Tanya Suryoutomo

Campus teams Berkeley, Davis, Irvine, Los Angeles, Merced, Riverside, San Diego, San Francisco, Santa Barbara, Santa Cruz Partners:

Mike Schini* Mike MacBryde* Jill Tregillis Bacon* Dave Merriam* Suzanne Fradette Sara Hyzer Managers:

Billy Kim*

Sara Mijares*

Jessica Kennedy*

Richard Pineda*

Brett Baker

Scott Dudzik

Morgan Wilson



Key Engagement Team Members

In selecting our team, we focused on those team members with significant, relevant industry

experience in areas that are important to the University – the Medical Centers and the benefit

plans. We also made every effort to select team members with prior experience serving the

University of California as highlighted in the table above. All partners and managers have

relevant higher education and/or healthcare experience from past university audits and, in

almost all cases, other relevant experience.

Mike Schini, Engagement Leader and Signing Partner

Mike leads and directs our overall engagement team and will sign our audit opinion. He is your primary point of contact and speaks for the firm for all technical decisions and matters related to the audit. Mike will meet regularly with the Committee and be in frequent contact with Office of the President management.

Mike MacBryde, Coordinating Audit Partner & Medical Center Audit Partner

Mike MacBryde will work to support Mike Schini and the overall University engagement team

by focusing on identifying and implementing ways to enhance the effectiveness and efficiency

of the audit. In addition, Mike will lead the Medical Center audit teams and be the focal point

through which all Medical Center matters are addressed and resolved. Mike and the Medical

Center teams will work closely with Mike Schini on specific Medical Center-related issues as

they arise.

Ann Kennedy, Investments Audit Partner

Ann will resume leading the PwC audit team that serves the Office of the Chief Investment Officer. This team is responsible for performing all audit procedures over the investment portfolios managed by the Office of the Chief Investment Officer. Ann and her team will work closely with Mike Schini on investment issues that may affect the University and UCRS audits.

Jeffrey Fox, IT Controls Partner

Jeffrey will lead the IT Controls team. This team is responsible for addressing risks associated with your IT systems and controls, as well as identifying areas within your IT environment that can assist with enhancing the quality and efficiency of our audit.

Christa Dewire, University Quality Review Partner

Christa will serve as the Quality Review Partners of the University. In this role, she will provide an independent view of the engagement team's judgments related to auditing and technical accounting matters. She will independently assess the audit plan and its execution, including the quality of the financial statements and the appropriateness of our reports.



Relationship Support

Jim Henry, Senior Relationship Partner and PwC’s U.S. Leadership Team Member

A member of the firm’s U.S. Leadership Team and Strategy Committee and current Market Managing Partner for PwC’s Northern California practice, Jim will resume serving as the Senior Relationship Partner on the University engagement. Jim provides the University with access to an independent leadership resource.

John Mattie, PwC’s U.S. Higher Education Leader and Tim Weld, PwC’s U.S. Healthcare Leader

John and Tim will be resources to you and your engagement team on complex industry issues

as well as to be available to the Committee and management to discuss national trends and

hot topics.

Use of Specialists

The University operates in a highly complex environment, requiring additional expertise beyond traditional audit resources. During the course of the audits, we will utilize our functional experts to evaluate key areas of your business risks— such as the valuation of self-insured risks and insurance accruals, the valuation of pension and postemployment benefit obligations, valuation of certain investments, and third party settlements. Drawing upon their best practice knowledge, our team will provide points of view related to your business, industry and regulatory compliance.

These specialists also will ensure that we have the right resources to achieve our audit objectives. Accordingly, our PwC engagement team will include the following specialists who will work with our audit teams and management at your business units to assist us in executing our audit:

Area of expertise Description of service

Financial Services Valuation Assistance with the evaluation of the fair value of investments and related disclosures

Self Insurance Review of actuarially determined balances and actuarial models involving self insurance reserves

Compensation and Benefit Plans

Review actuarial assumptions related to compensation programs and benefit plans

Healthcare Reimbursements Review third party account transactions subject to complex rules and interpretation

Information Technology Review and testing of IT and application controls

Healthcare Compliance Provide guidance to Medical Center audit teams and the University regarding healthcare compliance requirements

Regulatory Compliance Review the University's Uniform Guidance report and provide perspective on federal agencies' monitoring and expectations of award recipients



Multi-location Audit Coordination

PwC has adopted a consistent approach for our audit procedures at all University and University related entities. We have developed standardized reporting templates and common audit programs and approaches to achieve consistency and effectiveness. As a result, our reporting structure allows for local teams who understand the unique aspect of each entity but who work within the framework of a common reporting structure.

We have taken the following steps to ensure the overall quality of audit engagement:

■ Prepared and communicated a centrally determined audit scope and plan.

■ Established a framework for continuous communications throughout our engagement teams.

■ Adherence to engagement timelines to achieve your reporting objectives.

■ Achieved continuity across the majority of engagement team from our most recent audit of fiscal 2013.

The multi-location engagement team is aligned to the University's geographical organization and mirrors the management control structure of your organization. This structure, coupled with centralized engagement management, leverages the expertise of our local professionals who can respond directly to questions at each location. The following depicts the organization and flow of information among the different component audit teams.



Office of the President and Office of the Chief Investment Officer– Audit procedures are performed as necessary at these locations in order to opine on the financial statements of the University. We also take into consideration in our audit scope for these locations the requirements of the medical centers audits, the UCRS audit and the audits of the campus foundations. In particular, the investment work we perform at the Office of the Chief Investment Officer has a wide-sweeping impact on the various University components.

Medical Centers and UCRS - As described throughout this document, we perform audits of the stand-alone financial statements for the five medical centers and the University Retirement System which consists of multiple benefit plans. We rely on those stand-alone audits for purposes of the audit of the University’s consolidated financial statements and fiduciary fund financials.

Campuses – We perform specific audit procedures at the campus locations as needed to achieve sufficient coverage to express an opinion on the University's financial statements. We are in the process of determining which locations we will be attending and will update the Committee when that is complete.



Foundations – The audits of the ten campus foundations are performed by separate foundation audit teams. However, as the combined financial statements of the campus foundations are presented discretely in the University’s financial statements, we coordinate with and rely upon the work performed by the campus foundation teams.

Regardless of the extent of audit procedures performed at a location, each location has an assigned partner and manager. Accordingly, our engagement teams have established local points of contact to facilitate the completion of scheduling and planning to support local audit requirements as well as discussion of issues of local interest.

For further discussion of our audit strategy refer to Appendix B.



Audit Timeline

We have developed the following reporting timeline that facilitates the University meeting all of its legal and regulatory requirements. As you can see below, this timeline spans the entire year and represents our commitment to the University throughout the year.

Key Procedures Performed Timing of Procedures

Transition

■ Meet with management to introduce PwC teams and update our

understanding at the in-scope locations

■ Review predecessor auditor’s work papers

■ April - May 2016

■ May 2016

Planning and Audit Management

■ Meet with management to understand the University's activities

and assess risk; and obtain update of operating plans and activities

■ Ongoing throughout the year

■ Assess key audit risks and materiality ■ April 2016

■ Complete understanding of controls and preliminary scoping

of accounts, processes and locations

■ April – May 2016

■ Meet with the Committee to discuss service plan ■ May 2016

■ Coordinate with PwC engagement teams and issue instructions for

the audits of the University and Medical Center financial

statements and benefit plans and Uniform Guidance testing

procedures

■ April – May 2016

Execution and Audit Management

■ Provide consultations on major issues and developments ■ Ongoing throughout the year

■ Perform testing of key monitoring, internal accounting and

management controls

■ May – June 2016

■ Evaluate nature, timing and extent of substantive procedures based

on controls testing


■ Perform substantive audit procedures at interim for both financial

statements and Uniform Guidance audits


■ Perform substantive audit procedures at year end for both financial

statements and Uniform Guidance audits

■ August – October 2016

Completion and Audit Management

■ Issue audit opinions and related financial statements ■ October 2016

■ Meet with the Committee to communicate results of year-end audit

and internal control recommendations

■ November 2016

■ Agreed-upon Procedures related to the sale of Mortgage

Origination Program and Supplemental Home Loan Program loans

■ October 2016

■ Agreed-upon Procedures on Intercollegiate Athletic Departments ■ November 2016

■ Issue Report on Uniform Guidance Compliance ■ February 2017



Mutual Understanding of Responsibilities

PwC Responsibilities

Our responsibility is to express opinions, based upon our audits, on the University's consolidated financial statements, the University of California Retirement System financial statements; and the five Medical Center financial statements. We conduct our audits in accordance with GAAS and GAS. Those standards require that the auditor obtain reasonable rather than absolute assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Accordingly, a material misstatement may remain undetected. Also, an audit is not designed to detect error or fraud that is immaterial to the financial statements. An audit includes obtaining an understanding of internal control sufficient to plan the audit and to determine the nature, timing and extent of audit procedures to be performed. An audit is not designed to provide assurance on internal control or to identify all significant deficiencies. However, as your auditor, we are responsible for ensuring that Committee is aware of any significant deficiencies or material weaknesses that come to our attention.

Our responsibility with respect to other information in documents containing audited financial statements is to read such information and consider whether the information or the manner of its presentation is materially inconsistent with information appearing in the basic financial statements.

Our responsibility with respect to Committee communications is to convey those matters that have come to our attention as a result of the performance of our audit.

Our audit does not relieve management of its responsibilities with regard to the financial statements.

We also are responsible for issuing several agreed upon procedures reports, for purposes of

the Mortgage Origination Program and Supplemental Home Loan Program as well as agreed

upon procedures at six of the ten campuses covering the National Collegiate Athletic

Association Bylaws. These agreed upon procedures engagements and resulting reports are

performed in accordance with the attestation standards established by the American Institute

of Certified Public Accountants. These procedures do not constitute an examination, but

rather are procedures designed in conjunction with the specified parties receiving the reports.



Management’s Responsibilities

As part of the audit process, management is responsible for the following:

■ Preparing the University’s, Medical Centers’, and benefit plans’ financial statements in accordance with generally accepted accounting policies.

■ Establishing and maintaining effective internal control over financial reporting.

■ Identifying and ensuring that the University complies with the laws and regulations applicable to its activities.

■ Making all financial records and related information available to PwC.

■ Providing PwC with a letter that confirms certain representations made during the audits.

■ Adjusting the financial statements to correct material misstatements and affirming to PwC in the representation letter that the effects of any uncorrected misstatements aggregated by PwC during the current engagement pertaining to the latest period presented are immaterial, both individually and in the aggregate, to the financial statements taken as a whole.

Committee’s Responsibilities

As part of the audit process, the Committee is responsible for the following:

■ Oversee the reliability of financial reporting including the effectiveness of internal control

over financial reporting.

■ Review and discuss the annual financial statements for the University, the Medical Centers

and the benefit plans and determine whether they are complete and consistent with

operational and other information known to Committee members.

■ Understand significant risks and exposures and management's response to minimize those

risks.

■ Understand the audit scope and approve audit and non-audit services.


Communications and Planned Interactions

Our Communications Plan with Management

We communicate with management both in writing and verbally continuously throughout the year. Examples of our ongoing communications include:

■ Issues identification and resolution

■ Meetings with management at Office of

the President, Office of the Chief

Investment Officer, local campuses and

Medical Centers

■ Planning and scoping discussions

■ Internal Audit planning and coordination

■ Discussions of interim audit findings

■ Review of draft financial statements

■ Year-end clearance meetings

Our Communications Plan with the Committee

Our communications with the Committee are designed to comply with standards established by the American Institute of Certified Public Accountants.

Our formal communications will occur via periodic meetings with the Committee at various stages during the year. As part of these meetings we will communicate with the Committee our service approach and audit plan, and our views on risks and controls, including those over financial reporting and governance. In addition, we will present the results of our audits upon completion.

In addition to our scheduled meetings, we are also available, at any time, to respond to Committee members' questions.

Our Interaction with Internal Audit

Although our objectives and responsibilities are necessarily different from those of Internal Audit, the efforts of both our organizations are very much complementary and provide a combined program of balanced audit coverage for the University. We will meet with Internal Audit to update our understanding of their recent activities and discuss our risk assessment and audit approach.

We consider Internal Audit to be an effective and important element in the University’s overall internal control environment. We complete certain procedures when relying on their work, as follows:

■ Review on a timely basis Internal Audit reports and management responses.

■ Understand the Internal Audit plan, including the nature, timing and extent of work.

■ Consider the impact of Internal Audit findings on our audits.


Materiality and Independence

Materiality

We consider both quantitative and qualitative factors in our assessment of materiality. We also assess the metrics used by the users of the financial statements in determining the appropriate base for calculating materiality.

Materiality is defined as ‘the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.’

We identify and assess the risk of material misstatement at:

■ The overall financial statement level, and

■ In relation to classes of transactions, account balances and disclosures.

Our determination of materiality is a matter of professional judgment, and is affected by our perception of the financial information needs of users of the financial statements. Therefore, the benchmark we use to calculate materiality varies based on the audit being performed.

For the University’s consolidated financial statements, we use total expenditures as our benchmark. Industry practice is to apply a percentage of 1% to 3% of this benchmark of total expenditures to calculate overall materiality.

For the University’s medical centers’ financial statements, we use total operating revenues as our benchmark. Industry practice is to apply a percentage of 1% to 3% of this benchmark of total operating revenues to calculate overall materiality.

For the University’s benefit plans, we will use either total assets or net assets as our benchmark. Industry practice is to apply a percentage of 0.5% to 3% of these benchmarks to calculate overall materiality.

Independence

As auditors of the University, we are subject to a variety of standards to ensure our independence, including American Institute of Certified Public Accountants, Governmental Accountability Office and internal PwC standards. Our quality control processes include confirmation of independence by professional staff and training and are established to ensure our continuing independence.

We hereby confirm our independence of the University for the fiscal year ending June 30, 2016. We will reconfirm our independence at the completion of our June 30, 2016 audits for the University.


Perspectives on Fraud Risk

We have a responsibility to plan and perform our audits to obtain reasonable assurance about

whether the financial statements are free of material misstatement, whether caused by error

or fraud. In order to fulfill that responsibility, as part of our audits, we are required to gain an

understanding of the risk of material misstatement due to fraud at the University and

perform certain procedures to respond to the fraud risks identified.

The oversight responsibilities of senior management and the Committee and PwC’s

responsibilities are outlined below.

Management Responsibilities ■ Design and implement programs and controls to prevent,

deter and detect fraud (antifraud programs)

■ Ensure that the University's culture and environment

promote honesty and ethical behavior

■ Perform a risk assessment that specifically includes the risk

of fraud addressing incentives and pressures,

opportunities, and attitudes and rationalization

■ Assess management override of controls and communicate with the Committee

Conditions Generally Present

Incentive/Pressure

Reason to commit f raud

Attitude/Rationalization

Character or set of ethical values that allow

a person to knowingly and intentionally commit

a dishonest act

Opportunity

Circumstances exist such as the absence

of controls, ineffective controls or ability

for management to override controls

that allow f raud to occur

Why

Commit

Fraud?

Attitude/Rationalization

Fraudulent Financial

Reporting

Misappropriation

of Assets

Attributes Contributing to Increased Fraud Risk

Size, complexity and ownership attributes of the University

Type, signif icance, likelihood and pervasiveness of the risk

Types of Fraud


Committee Considerations ■ Evaluate management’s identification of fraud risks, implementation of antifraud measures, and creation of appropriate “tone at the top”

■ Ensure that senior management implements appropriate fraud deterrence and prevention measures to better protect investors, employees and other stakeholders

■ Investigate any alleged or suspected wrongdoing brought to its attention

■ Challenge management in the areas of non-routine, related party and inter-company transactions

PwC’s Role ■ Plan and perform the audit to provide reasonable assurance that the financial statements are free of material misstatement, whether caused by fraud or error

■ Evaluate whether the University's programs and controls that address identified risks of material misstatement due to fraud have been suitably designed and placed in operation

■ Evaluate management’s process for assessing effectiveness of antifraud programs and controls

■ Evaluate fraud of any magnitude on the part of senior management and the impact on the control environment

PwC’s Procedures In order to fulfill our responsibilities related to fraud, we plan to perform the following procedures:

■ Inquiries of management, the Chair of the Committee, Internal Audit and others related to knowledge of fraud or suspected fraud, the fraud risk assessment process and how fraud risks are addressed by the University

■ Disaggregated analytical procedures, primarily over revenue

■ Incorporate an element of unpredictability in the selection of the nature, timing and extent of audit procedures to be performed annually

■ Identify and select journal entries and other adjustments for testing

■ Evaluate estimates ad assumptions used by management that could have a material impact on the financial statements

■ Review Internal Audit reports and remain alert for matters that are indicators of fraud


Proposed Fees

The University is an important client of PwC, and our fees reflect our commitment to our

long-term relationship with the University. Our deep understanding of higher education

organizations and more specifically, of the University, enable us to perform the audit

efficiently and within a compressed timeframe. These factors contribute to a competitive,

cost effective audit. Our proposed fees listed below are inclusive of all out-of-pocket expenses.

Deliverable June 30, 2016 Fee

Consolidated Audit 1 ,405,050$

Federal Grants and Contracts 47 6,200$

NCAA Agreed-Upon Procedures 17 1,690$

Consolidated Form 990T 10,551$

Medical Center Audits 1 ,620,050$

Retirement Plan Cash Contributions 5,695$

UCLA Medical Center Bond Opinion 2,232$

Retirement System Audits 247 ,37 5$

Mortgage Origination Program Agreed-Upon Procedures 37 ,510$

Captive Insurance Company 56,420$

T otal 4,032,7 7 3$


Required Communications with the Audit

Committee

Matter to be communicated Auditor’s response

Relationships between PwC (or any affiliates of the Firm) and the University(and its affiliates) and other matters that might reasonably be thought to bear on independence

We carefully monitor the independence of our team members. Should we become aware of an independence breach or new circumstance that would affect our ability to complete the audit, we will inform you immediately.

There were no relationships or other matters identified that might reasonably be thought to bear on independence.

Communications plan Our communications plan described above provides an overview of the form, timing and expected general content of communications with management and the Committee on Compliance and Audit.

Significant issues discussed with management prior to appointment or retention

There were no significant issues discussed with management in connection with the appointment of PwC.

Terms of the audit engagement The terms of the audit engagement, including the objective of the audit and management's and our responsibilities, are set forth in our engagement letter dated April 20, 2016.

Obtain information relevant to the audit

We will inquire of the Committee on Compliance and Audit about whether it is aware of matters relevant to the audit and about the risks of material misstatement.

Summary audit strategy We will communicate to the Committee on Compliance and Audit the planned audit strategy, including the timing of the audit and the significant risks identified. Matters included in the overall audit strategy include, among other matters, involvement of specialists and the extent of use of the work of internal audit. Refer to Appendix B for a summary of our overall audit strategy.


Matter to be communicated Auditor’s response

Perspectives on fraud risks We will inquire of the Committee on Compliance and Audit to obtain its views on the risk of fraud and whether the Audit Committee has knowledge of any fraud, alleged fraud, or suspected fraud affecting the entity.

We will discuss how the Committee exercises oversight of the entity’s assessment of the risks of fraud and the entity’s antifraud programs and controls (specifically as it relates to the potential for management to override controls).

As you are aware, an audit conducted in accordance with generally accepted standards is designed to consider the risk of fraud that could be material to the financial statements, but it is not designed to detect all instances of fraud. From time to time, we may became aware of immaterial instances of fraud through our inquiries or other procedures. To the extent such instances are significant, we will inquire of management to ensure that these matters have been reported to you under existing reporting protocols. We will inform you of any matters of fraud that is potential material to the financial statements or those that may involve members of senior management.

30

© 2016 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP, a Delaware

limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a

separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with

professional advisors.

Appendix A

Appendix A



2016 Service Commitments

To provide a high quality and efficient audit, we must understand the University's needs and expectations. Our ongoing meetings with management and the Committee are a key part of the audit process in ensuring we obtain that understanding. Below is a summary of those key ongoing expectations and our related responses based on initial discussions with management of the University and our existing knowledge of the University. We welcome your feedback regarding our performance at any point.

Our service commitments for the 2016 audit

In preparing for this year's audit, we have listened to your input on what is most important to you as it relates to your needs and expectations for the audit. Below are the commitments we are making to you related to delivering a quality audit in accordance with professional standards. Throughout the year, we plan to revisit these commitments and evaluate our progress with you and welcome your feedback on how we can best work together.

What we heard about your needs and expectations

Our commitment to the University of California

Engagement team Assign industry focused resources and maintain team continuity of senior team members at key locations

Provide direct access to Jim Henry, Senior Relationship Partner, PwC industry leaders John Mattie and Tim Weld and other specialists, as needed throughout the year

Audit performance

Conduct a 2016 audit debrief with the University to co-ensure a successful audit for 2017

Execute a high quality audit with no surprises through effective project management, timely partner and manager involvement throughout the audit process and regular contact with management and the Committee

Work proactively with management on transactions and technical issues

Deliver an audit that reflects the complexities of the University’s business and risks

Optimize the work of Internal Audit by understanding its activities and sharing our external audit scope with them

Coordination, communication and project management

Communicate proactively and continuously with management and the Committee

Hold regular status update meetings with Peggy Arrivas and Ruth Satorre throughout the year/ weekly meetings with all team leads during year-end

Meet with the Internal Audit teams to discuss significant findings and upcoming plans

Meet with IT management throughout your organization to further our understanding of the University’s activities, communicate the status of our audits and to assist us with the identification of issues and risks

Work closely and meet regularly with our component audit engagement teams to monitor accounting issues arising and ensure timely issuance of deliverables

Actively coordinate with all locations to eliminate duplication of efforts by providing the results of certain audit procedures that are performed at Office of the President to these teams, as applicable



What we heard about your needs and expectations

Our commitment to the University of California

Seek feedback regarding our performance from the Committee on Compliance and Audit, senior management and other key accounting/finance personnel at least annually

Business insights Overview

Hold quarterly business strategy and update meetings with Nathan Brostrom

Hold periodic regulatory and compliance update calls with Sheryl Vacca

Through IT Audit Partner Jeffrey Fox and other specialists, provide views on the University’s IT implementations including the effectiveness of controls within core applications

Share industry leading practices to assist the University with the development of a global set of IT controls that can be leveraged across campuses and medical centers

Help implement new GASB pronouncements that will be effective in 2016 or near future

Share audit observations and thought leadership around process improvement ideas and regulatory matters

Invite management to attend technical training sessions as well as relevant industry-specific seminars

Share insights with the Committee gathered from our Center for Board Governance

Provide access to PwC specialists who bring valuable input to topics important to the University such as in the areas of IT, investments, pensions, workers compensation and medical center receivables

New Health Economy

Leverage our Healthcare thought leadership and bring our healthcare leaders to the University Medical Centers including, at your request, participating in CEO/CFO periodic meetings

Invite Medical Center CFOs to PwC’s Academic Medical Center CFO Roundtable Emerging Technical Issues Briefings

Leverage Martha Garner, who serves as National Technical Accounting Director for Higher Education and

Healthcare and has been exclusively servicing higher education and healthcare entities in her national role for more

than 25 years, to provide technical advice and advice on emerging GASB pronouncements and ensure the timely

resolution of technical issues for the University

Annual Regulatory Update

Ralph DeAcetis (our Higher Education and Uniform Guidance Regulatory Managing Director) will provide a briefing on the latest developments from Office of Management and Budget, the Department of Education, and other key federal initiatives that may impact the University’s federal award programs.

Mike MacBryde (your lead Healthcare Partner) will cover healthcare regulatory compliance and reimbursement updates

Appendix B

Appendix B



Audit Strategy

Developing Audit Strategy

Top-Down Risk Assessment

Our audit approach is based on the application of well-reasoned professional judgment. We identify audit risks first by considering the business and its environment, and then by considering the key risks related to the significant accounts and relevant assertions, locations or business units and significant processes. Key risks are audit risks that require special audit consideration.

Where applicable, we also obtain an understanding of management's risk assessment. The result is the development of an audit strategy tailored to the risk conditions of the University and focused on identifying and testing only those key controls that are relevant to preventing or detecting material misstatements of the financial statements, whether caused by error or fraud.

Risk-Based Scoping Considerations

Fundamental to our top-down, risk-based audit approach is an understanding of:

■ The size and complexity of the business and its components.

■ The existence and effectiveness of entity-level and information technology general controls (“ELCs and ITGCs”) in our determination of the nature, timing and extent of testing.

■ The existence and effectiveness of internal controls.

We scale our audit approach by considering the size and complexity of the business and management's monitoring of controls and business processes. By appropriately scaling the audit, we consider the control environment in which the University operates, which has a pervasive impact on our assessment of the controls necessary to address material risks of misstatement.

Early in the audit process, we assess ELCs and the University’s use of IT. ELCs are controls that may be operational throughout the entire organization, both at a corporate and business unit/management unit level. Our evaluation of the effectiveness of ELCs and the level of precision at which they operate can result in increasing or decreasing the testing that we otherwise would have performed on controls at the process, transaction or application levels. Accordingly, we emphasize the upfront identification and testing of ELCs, which can have a significant impact on the nature, timing and extent of our controls testing.

Generally, IT is a critical element in developing the audit plan. The assessment of IT considers the level and complexity of controls automation, system complexity, platforms used, approach to security and the security architecture, known problems, and the nature and volume of transactions. This understanding assists in determining the approach to auditing the effectiveness of automated controls and ITGCs.



Determining Significant Accounts and Locations

Once we have completed our initial risk assessment and gained an understanding of ELCs and ITGCs, we will determine the most effective and efficient way to obtain audit evidence using well-reasoned professional judgment. This determination begins at the financial statement level by identifying significant accounts and disclosures, considering the relevant assertions related to those accounts and disclosures, and identifying the significant processes and key controls.

Determining Significant Accounts

The determination of whether an account or disclosure is significant to the audit of the financial statements is based on whether there is a reasonable possibility that the account could contain a misstatement that, individually or when aggregated with others, could have a material effect on the financial statements. In addition to quantitative metrics, risk factors such as the following contribute to our determination of the significance of an account or disclosure:

■ Size and composition of the account ■ Accounting and reporting complexities associated with the account or disclosure

■ Susceptibility of misstatement due to errors or fraud

■ Exposure to losses in the account

■ Volume of activity, complexity and homogeneity of the individual transactions processed through the account or reflected in the disclosure

■ Possibility of significant contingent liabilities arising from the activities reflected in the account or disclosure

■ Nature of the account or disclosure ■ Existence of related party transactions in the account

■ Changes from the prior period in account or disclosure characteristics

■ Knowledge obtained in prior audits

For those accounts and disclosures deemed significant, we identify relevant financial statement assertions and the significant processes and then identify the key controls which serve to prevent or detect a material misstatement.

Determining Locations

The scoping of locations is based on the risk of material misstatement. In determining the locations or business units at which to perform tests of controls, we assess the risk of material misstatement of the financial statements associated with the location or business unit and correlate the amount of audit attention devoted to the location or business unit with the degree of risk.



Executing Audit Strategy

We execute our audit strategy using the following process:

■ Understanding, evaluating and assessing the design of controls through inquiry, observation, inspection and reperformance, including walkthroughs.

■ Gathering evidence by execution of controls testing through our own work and substantive testing.

■ Evaluating the results of our testing, including reassessing risk and the sufficiency of evidence.

Assessing the Design of Controls We evaluate and assess the design of controls with information obtained from various sources including our interaction with management, knowledge obtained from past audits, performing walkthroughs where deemed appropriate and different combinations of inquiry, observation, and inspection. Our controls testing provides us with evidence of the design and operating effectiveness of controls, including those related to the prevention or detection of fraud. Our controls testing approach is dependent on the work of internal audit and their competence and objectivity. Gathering Evidence

We obtain sufficient competent evidence through a combination of our own audit procedures and reliance placed on the work of internal audit. We ensure an efficient audit by focusing only on those key controls that prevent or detect material misstatements of the financial statements, whether caused by error or fraud. For those identified key controls, we test operating effectiveness. Our method of testing will depend, amongst other things, on the risk of misstatements that the controls are intended to prevent or detect, the inherent risk associated with the related account and assertion, the control's complexity and other factors affecting the risk associated with the control. As the risk of material misstatement increases, the amount of audit evidence needed increases.

We assess the effectiveness of internal control and the nature of risk associated with an account in determining the nature, timing and extent of substantive procedures. The nature and degree of risk is the key determinant in how much additional audit evidence should be obtained from analytical procedures (such as trend or ratio analysis), tests of details (such as vouching third-party source documentation) or a combination of these procedures.

Evaluating Results

Our risk assessment is a pervasive process in which we continuously evaluate the nature, timing and extent of testing and determine whether we have obtained sufficient competent evidence. We evaluate evidence from the work of others, and our independent tests of controls and substantive audit evidence. The results of certain tests may lead to changes in our risk assessment, which may either increase or reduce the procedures performed.

Completion

Prior to the issuance of our audit opinion on the various financial statements, we will perform audit completion activities, including the evaluation of internal control deficiencies; the review of the financial statements, including the adequacy and reasonableness of presentation and footnote disclosures; and the performance of other audit procedures as required by professional standards.

Appendix C

Appendix C



Approach for Areas of Significant Risk

As described in the Our Audit Approach and Risk Assessment section of this document, our integrated audit approach is a top-down, risk-based approach, and we continually reassess audit risks throughout the audit process.

Higher risk areas, in our judgment, require special audit consideration because of the nature of the risk (higher inherent risk), the likely magnitude of potential misstatements (including the possibility that the risk may give rise to multiple misstatements) and the likelihood of the risk occurring.

We have obtained an understanding of your financial, accounting, business and information system strategies in order to assess audit risks at the University. The following list summarizes audit risks and our approach for the 2016 financial statement audits and the procedures we will perform to reduce the related audit exposure. It is not intended to be a complete listing of all risks or all procedures that we perform in connection with our audits.

Audit Area Risk Factors Audit Implications/ Approach

Valuation of alternative investments

■ Investments may not be valued appropriately.

■ Given the size of the University’s portfolio, that it includes non-readily marketable securities, and the inherent risks and complexity of this area, our audit continues to place significant emphasis on the University's investment portfolio.

■ Valuation of securities, including non-marketable securities, such as private equity funds, real estate limited partnerships and hedge funds, are inherently more complex to value.

■ Obtain an understanding of the processes and procedures in place to ensure the existence and valuation of investments.

■ Test the operating effectiveness of key controls within the investments cycle, including due diligence and monitoring controls.

■ Assess the financial reporting risk inherent in each fund based on the level of transparency into each investment.

■ Consider the experience and expertise of individuals responsible for the accuracy of the fair value of investments.

■ Understand and evaluate service organizations used.

■ Confirm fair values of securities, on a sample basis.

■ Obtain audited/reviewed financial statements for selected non-readily marketable securities.

■ Review all important reconciliations and year end portfolios for evidence of non-recorded transactions and contracts; confirm material pending trades and other liabilities.




Fraud risk in

revenue

■ We have a responsibility

to plan and perform our audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.

■ Gain an understanding of the

material risks of fraud at the University and perform audit procedures to address those risks, including management interviews, testing of journal entries, disaggregated revenue analytics and incorporating unpredictability into our audit work.

■ See "Perspectives on Fraud Risk and Responsibilities" section of this document.

Grants and

contract revenue; and educational activities

The University receives

significant funding from various agencies. The University must continue to comply with compliance regulations of federal agencies.

■ Obtain sponsored research contracts

to gain comfort on the existence of the revenues received.

■ Test compliance with allowable cost principles for federally funded sponsored research programs in accordance with OMB Uniform Guidance, “Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal awards” and other specific grant requirements.

■ Perform analytical review of revenues.

■ Assess and test key compliance controls; test compliance with material compliance requirements applicable to major programs.

Medical Center

patient service revenue

■ Revenue transactions are

not processed in the proper period.

■ The environment surrounding billing, collecting and determining reserves continues to be complex.

■ Accounts may not exist.

■ Perform patient revenue testing,

verifying the existence of patient charges.

■ Supplement our tests with analytical procedures on all key areas.

■ Assess the reasonableness of management’s estimates for contractual allowances and bad debts by evaluating the current year’s methodology, assessing the adequacy of the prior year’s estimates and substantive analytics.

■ Utilize our Healthcare Reimbursement Specialists to assist




us in our testing of contractual allowances.

Management

override of controls

■ Financial statements

could be materially misstated.

■ Misappropriation of assets.

■ Evaluate the design and operating

effectiveness of internal controls as well as perform substantive tests of details for significant risk areas including testing journal entries.


Appendix D



Relevant Pronouncements and External

Guidance

GASB Pronouncements

In addition to GASB 72 and 80 that were discussed above, the following GASB

pronouncements are effective in fiscal 2016 but are not expected to have a

significant impact on the University.

GASB Statement No. 73, Accounting and Financial Reporting for Pensions and

Related Assets That Are Not within the Scope of GASB Statement 68, and

Amendments to Certain Provisions of GASB Statements 67 and 68

The requirements of this Statement extend the approach to accounting and financial

reporting established in Statement 68 to all pensions, with modifications as necessary to

reflect that for accounting and financial reporting purposes, any assets accumulated for

pensions that are provided through pension plans that are not administered through trusts

that meet the criteria specified in Statement 68 should not be considered pension plan assets.

It also requires that information similar to that required by Statement 68 be included in notes

to financial statements and required supplementary information by all similarly situated

employers and non-employer contributing entities.

This Statement also clarifies the application of certain provisions of Statements 67 and 68

with regard to the following issues:

Information that is required to be presented as notes to the 10-year schedules of

required supplementary information about investment-related factors that

significantly affect trends in the amounts reported

Accounting and financial reporting for separately financed specific liabilities of

individual employers and non-employer contributing entities for defined benefit

pensions

Timing of employer recognition of revenue for the support of non-employer

contributing entities not in a special funding situation.

The requirements of this Statement will improve financial reporting by establishing a single

framework for the presentation of information about pensions, which will enhance the

comparability of pension-related information reported by employers and nonemployer

contributing entities.

The requirements of this Statement that address accounting and financial reporting by

employers and governmental nonemployer contributing entities for pensions that are not

within the scope of Statement 68 are effective for financial statements for fiscal years

beginning after June 15, 2016 (fiscal 2017), and the requirements of this Statement that

address financial reporting for assets accumulated for purposes of providing those pensions

are effective for fiscal years beginning after June 15, 2015 (fiscal 2016). The requirements of

this Statement for pension plans that are within the scope of Statement 67 or for pensions



that are within the scope of Statement 68 are effective for fiscal years beginning after June 15,

2015 (fiscal 2016).

GASB Statement No. 76, The Hierarchy of Generally Accepted Accounting

Principles for State and Local Governments

The objective of this Statement is to identify—in the context of the current governmental

financial reporting environment—the hierarchy of generally accepted accounting principles

(GAAP). The “GAAP hierarchy” consists of the sources of accounting principles used to

prepare financial statements of state and local governmental entities in conformity with

GAAP and the framework for selecting those principles. This Statement reduces the GAAP

hierarchy to two categories of authoritative GAAP and addresses the use of authoritative and

nonauthoritative literature in the event that the accounting treatment for a transaction or

other event is not specified within a source of authoritative GAAP. This Statement supersedes

Statement No. 55, The Hierarchy of Generally Accepted Accounting Principles for State and

Local Governments.

The requirements in this Statement improve financial reporting by (1) raising the category of

GASB Implementation Guides in the GAAP hierarchy, thus providing the opportunity for

broader public input on implementation guidance; (2) emphasizing the importance of

analogies to authoritative literature when the accounting treatment for an event is not

specified in authoritative GAAP; and (3) requiring the consideration of consistency with the

GASB Concepts Statements when evaluating accounting treatments specified in

nonauthoritative literature. As a result, governments will apply financial reporting guidance

with less variation, which will improve the usefulness of financial statement information for

making decisions and assessing accountability and enhance the comparability of financial

statement information among governments.

Statement No. 76 is effective for the University for the year ending June 30, 2016.

GASB Statement No. 79, Certain External Investment Pools and Pool

Participants

This Statement addresses accounting and financial reporting for certain external investment

pools and pool participants. Specifically, it establishes criteria for an external investment pool

to qualify for making the election to measure all of its investments at amortized cost for

financial reporting purposes. An external investment pool qualifies for that reporting if it

meets all of the applicable criteria established in this Statement. The specific criteria address

(1) how the external investment pool transacts with participants; (2) requirements for

portfolio maturity, quality, diversification, and liquidity; and (3) calculation and

requirements of a shadow price. Significant noncompliance prevents the external investment

pool from measuring all of its investments at amortized cost for financial reporting purposes.

Professional judgment is required to determine if instances of noncompliance with the

criteria established by this Statement during the reporting period, individually or in the

aggregate, were significant.



If an external investment pool does not meet the criteria established by this Statement, that

pool should apply the provisions in paragraph 16 of Statement No. 31, Accounting and

Financial Reporting for Certain Investments and for External Investment Pools, as

amended. If an external investment pool meets the criteria in this Statement and measures all

of its investments at amortized cost, the pool’s participants also should measure their

investments in that external investment pool at amortized cost for financial reporting

purposes. If an external investment pool does not meet the criteria in this Statement, the

pool’s participants should measure their investments in that pool at fair value, as provided in

paragraph 11 of Statement 31, as amended.

This Statement establishes additional note disclosure requirements for qualifying external

investment pools that measure all of their investments at amortized cost for financial

reporting purposes and for governments that participate in those pools. Those disclosures for

both the qualifying external investment pools and their participants include information

about any limitations or restrictions on participant withdrawals.

The requirements of this Statement are effective for reporting periods beginning after June

15, 2015, except for certain provisions on portfolio quality, custodial credit risk, and shadow

pricing. Those provisions are effective for reporting periods beginning after December 15,

2015.

The following GASB pronouncements will have an effect on the University

beginning in fiscal 2017 or beyond:

GASB Statement No. 74, Financial Reporting for Postemployment Benefit Plans

Other Than Pension Plans

The objective of this Statement is to improve the usefulness of information about

postemployment benefits other than pensions (other postemployment benefits or OPEB)

included in the general purpose external financial reports of state and local governmental

OPEB plans for making decisions and assessing accountability. This Statement results from a

comprehensive review of the effectiveness of existing standards of accounting and financial

reporting for all postemployment benefits (pensions and OPEB) with regard to providing

decision-useful information, supporting assessments of accountability and interperiod equity,

and creating additional transparency.


GASB Statement No. 75, Accounting and Financial Reporting for

Postemployment Benefits Other Than Pensions

The primary objective of this Statement is to improve accounting and financial reporting by

state and local governments for postemployment benefits other than pensions (other

postemployment benefits or OPEB). It also improves information provided by state and local

governmental employers about financial support for OPEB that is provided by other entities.

This Statement results from a comprehensive review of the effectiveness of existing standards



of accounting and financial reporting for all postemployment benefits (pensions and OPEB)

with regard to providing decision-useful information, supporting assessments of

accountability and inter-period equity, and creating additional transparency.

Statement No. 75 is effective for the University for the year ending June 30, 2018. The

University plans to adopt this Statement early for the year ending June 30, 2017.

GASB Statement No. 77, Tax Abatement Disclosures

Tax abatements are widely used by state and local governments, particularly to encourage

economic development. This Statement requires disclosure of tax abatement information

about (1) a reporting government’s own tax abatement agreements and (2) those that are

entered into by other governments and that reduce the reporting government’s tax revenues.

This Statement requires governments that enter into tax abatement agreements to disclose

the following information about the agreements:

Brief descriptive information, such as the tax being abated, the authority under which

tax abatements are provided, eligibility criteria, the mechanism by which taxes are

abated, provisions for recapturing abated taxes, and the types of commitments made

by tax abatement recipients.

The gross dollar amount of taxes abated during the period

Commitments made by a government, other than to abate taxes, as part of a tax

abatement agreement.

Governments should organize those disclosures by major tax abatement program and may

disclose information for individual tax abatement agreements within those programs.

Tax abatement agreements of other governments should be organized by the government that

entered into the tax abatement agreement and the specific tax being abated. Governments

may disclose information for individual tax abatement agreements of other governments

within the specific tax being abated. For those tax abatement agreements, a reporting

government should disclose:

The names of the governments that entered into the agreements

The specific taxes being abated

The gross dollar amount of taxes abated during the period.


Statement No. 78, Pensions Provided through Certain Multiple-Employer

Defined Benefit Pension Plans

The objective of this Statement is to address a practice issue regarding the scope and

applicability of Statement No. 68, Accounting and Financial Reporting for Pensions. This

issue is associated with pensions provided through certain multiple-employer defined benefit

pension plans and to state or local governmental employers whose employees are provided

with such pensions. Prior to the issuance of this Statement, the requirements of Statement 68



applied to the financial statements of all state and local governmental employers whose

employees are provided with pensions through pension plans that are administered through

trusts that meet the criteria in paragraph 4 of that Statement.

This Statement amends the scope and applicability of Statement 68 to exclude pensions

provided to employees of state or local governmental employers through a cost-sharing

multiple-employer defined benefit pension plan that (1) is not a state or local governmental

pension plan, (2) is used to provide defined benefit pensions both to employees of state or

local governmental employers and to employees of employers that are not state or local

governmental employers, and (3) has no predominant state or local governmental employer

(either individually or collectively with other state or local governmental employers that

provide pensions through the pension plan). This Statement establishes requirements for

recognition and measurement of pension expense, expenditures, and liabilities; note

disclosures; and required supplementary information for pensions that have the

characteristics described above.


Statement No. 81, ‘Irrevocable Split-Interest Agreements’ The objective of this Statement is to improve accounting and financial reporting for

irrevocable split-interest agreements by providing recognition and measurement guidance for

situations in which a government is a beneficiary of the agreement. This Statement requires

that a government that receives resources pursuant to an irrevocable split-interest agreement

recognize assets, liabilities, and deferred inflows of resources at the inception of the

agreement. Furthermore, this Statement requires that a government recognize assets

representing its beneficial interests in irrevocable split-interest agreements that are

administered by a third party, if the government controls the present service capacity of the

beneficial interests. This Statement requires that a government recognize revenue when the

resources become applicable to the reporting period.


Statement No. 82, ‘Pension Issues’ The objective of this Statement is to address certain issues that have been raised with respect

to Statements No. 67, Financial Reporting for Pension Plans, No. 68, Accounting and

Financial Reporting for Pensions, and No. 73, Accounting and Financial Reporting for

Pensions and Related Assets That Are Not within the Scope of GASB Statement 68, and

Amendments to Certain Provisions of GASB Statements 67 and 68. Specifically, this

Statement addresses issues regarding (1) the presentation of payroll-related measures in

required supplementary information, (2) the selection of assumptions and the treatment of

deviations from the guidance in an Actuarial Standard of Practice for financial reporting

purposes, and (3) the classification of payments made by employers to satisfy employee (plan

member) contribution requirements.


Appendix E

www.pwc.com

Perspectives in higher education 2015

2015

PwC

Table of contents

Introduction ......................................................................................................................................................................... 1

Changing student demographics ........................................................................................................................................ 2

Evolving audit committee practices ................................................................................................................................... 5

Succession planning for executive leadership ................................................................................................................... 7

Regulatory compliance ...................................................................................................................................................... 10

Institutional compliance ................................................................................................................................................... 16

Cybersecurity .................................................................................................................................................................... 20

Information technology .................................................................................................................................................... 22

Shared services: A source for administrative efficiency ................................................................................................. 25

The outlook from Washington ......................................................................................................................................... 28

Contributors ....................................................................................................................................................................... 31

PwC 1

Introduction

The pace of change within higher education continues to intensify. In the past year alone, we have seen the release

of new and proposed financial accounting pronouncements and enhanced federal regulatory requirements, coupled

with increased expectations around overall institutional performance from multiple constituents including

students, parents, faculty, donors, and the government.

In this edition of “Perspectives in higher education,” we have highlighted some of the most pressing challenges—

and the related opportunities—facing colleges and universities. From a financial and regulatory perspective,

institutions continue to debate the topics of implementing shared service centers and other business models and

practices to enhance efficiency, while at the same time examining organizational structures to manage regulatory

compliance. From an operational perspective, other key issues have emerged that demand the attention of

management and the board, including protecting from cyber-related risks and strengthening audit committee

practices.

In this dynamic environment, institutions are being challenged to continue to embrace change and stay focused on

their long-term institutional strategy. In that light, this edition also provides a glimpse into changing student

demographics and how they may impact the strategy and cost of an institution, as well as some thoughts on how to

ensure effective succession planning for executives. Additionally, the federal government continues to challenge

the way education in the United States is delivered and paid for, which is requiring all institutions to rethink their

strategy over the next five to 10 years. In our section on the outlook from Washington, we have highlighted several

of the proposed policy areas where boards and institutions should devote attention.

While each institution has their own unique set of issues, all educational institutions are currently contending with

a number of shared challenges. Notwithstanding the challenges within the industry, the U.S. higher education

system remains the envy of many countries. To maintain this global position, institutions must be proactive in

encouraging dialogue among their many different constituents on how to best position themselves to succeed in the

years ahead.

As a leader in providing audit, tax, and advisory services to the higher education and not-for-profit industry, PwC

has been honored to work with many of the nation’s premier educational institutions in addressing their most

pressing challenges. Our contributors to this paper are working with your peers on regulatory, tax, risk, and

operational issues and are in an excellent position to share trends, insights and perspectives. While this document

is not meant to be comprehensive, it draws upon our understanding of the diverse nature of higher education

institutions that have complex educational, research, and clinical activities, and we hope that it will serve as a broad

platform for discussing these issues.

I invite you to contact me at (646) 471-4253 with any questions or comments you may have.

John A. Mattie

National Higher Education and Not-for-Profit Practice Leader

PwC 2

Changing student demographics

Background

The profile of the today’s typical incoming college freshman is vastly different than that of 50 years ago. What was

predominantly a class of recent high school graduates from the U.S., has evolved into a group highly diversified in

race, age, and country of origin. As a result, individuals who were once considered non-traditional students have

become more and more the “traditional students.”

With the average student profile changing dramatically at many higher education institutions, colleges and

universities are reconsidering many of the practices and services that they provide to their students and alumnae.

The changing student profile has caused colleges and universities to change the way they serve students—including

curriculum adjustments, different lodging and dining options, and a broader level of services. A more diverse class

produces more diverse alumnae. As a result, institutions are changing the way they offer job assistance programs

and how they fundraise.

Educational institutions’ business models continue to be challenged with reducing costs, improving service, and

increasing the value to their students. Changing demographics and declines in high school graduates in the

Northeast and California have institutions concerned for the first time in two decades about attracting and

retaining students.

Impact on educational institutions

As the student profile evolves, institutions are tasked with understanding the impact diversity, demands of

students, and increases in non-traditional learners will have on their overall strategic student profile plan.

Changing demographics

Consider that in the next five years, public and private high school graduates will increase by more than 96,000

students—and in the next 10 years that number will grow to more than 250,000 additional high school graduates.1

With increases at this pace, why are college and university administrators concerned about enrollment at their

institutions? One reason is that the growth in high school graduates is not consistent across the country. The

traditional higher education hubs in the Northeast, Illinois, and California will experience the largest declines in

graduating high school seniors in the next five years. Enrollment in these states will experience a decline in

graduating high school seniors of approximately 3%, or more than 22,000 students.2

More than half of four-year private institutions reported that they were unable to meet their enrollment goals for

the fall of 2014.3 This is clearly impacted by the decline in graduating high school seniors. However, the inability to

meet enrollment goals goes beyond those enrollment numbers.

1 Brian T. Prescott and Peace Bransberger (2012). Knocking at the college door: Projections of high school graduates (eighth edition). Boulder, CO: Western Interstate Commission for Higher Education. Retrieved from http://www.wiche.edu/pub/knocking-8th-and-supplements. 2 Brian T. Prescott and Peace Bransberger (2012). Knocking at the college door: Projections of high school graduates (eighth edition). Boulder, CO: Western Interstate Commission for Higher Education. Retrieved from http://www.wiche.edu/pub/knocking-8th-and-supplements. 3 Noel-Levitz (2014). Fall 2014 New Student Enrollment and Retention Outcomes at Four-Year Institutions. Coralville, Iowa: Noel-Levitz. Retrieved from www.noellevitz.com/BenchmarkReports.

http://www.wiche.edu/pub/knocking-8th-and-supplements

http://www.wiche.edu/pub/knocking-8th-and-supplements

PwC 3

Mobility tracking indicates that more than 50% of first-year students attend a college or university within 100 miles

of their home. These rates increase further when the student is either African American or Hispanic and/or they

are coming from a low-income family.4 The demographics indicate that the fastest growing high school graduates

by ethnicity are Hispanic and Asian.

A 2002 National Center for Education Statistics report indicated that nontraditional students (i.e., students who do

not enter into college in the same year that they completed high school, attends college part-time, works full-time,

or is considered financially independent from their legal guardian) make up 73% of all students enrolled in

undergraduate programs. Additionally, 39% of all undergraduates are 25 years or older. Nontraditional students

tend to attend a college or university close to home.

With trends such as these, it is becoming more difficult for colleges and universities to attract students outside of

their traditional recruiting radius. These difficulties are more evident in Northeast and West Coast colleges and

universities.

Dining

Retention studies show that college dining is an important factor that is identified and studied in student

satisfaction. Students and staff desire a cafeteria that provides a welcoming atmosphere with all of the food options

that students had when they lived at home. Improvements to dining programs include renovations of existing

areas, creation of multiple dining facilities across campus, entering into contracts with various franchises to provide

more dining options, providing healthier food options, and instilling a sustainability program through eco-friendly

dining or local and organic dining. The demands from students are diverse and correlate with the diversity of the

student.

Lodging

Students are no longer complacent with facilities that have not been updated. Off campus housing options have

significantly increased in many college locations, resulting in institutions needing to build or renovate their existing

dorm spaces in order to meet the increasing student expectations. Statistics have shown that students who live on

campus are much more likely to be retained and graduate timely.

In order to meet student demands, institutions are redesigning new student housing, and are remodeling older,

traditional residence halls to include modern conveniences of home. Institutions are designing more single rooms,

providing private or semiprivate bathrooms, and significantly improving wireless access in dormitories.

Academic curriculum

Traditional cultural views continue to dominate the curriculum in higher education. As students become more

diverse, institutions are addressing views from different genders, ethnicities, and social classes. Specifically,

increasing diversity and globalization of the student base has triggered a change in curriculum to better understand

other cultures and backgrounds.

Technology

College students are more tech savvy than ever. Current traditional college-aged students do not remember a time

before smart phones. Noel-Levitz’s, “2013 Marketing and Student Recruitment Practices Benchmark Report for

Four-Year and Two-Year Institutions” identified through its survey of high school seniors, that the modes of

communication they consider “very effective” include text messaging and web site searches using their smart

4 John H. Pryor, et.al. (2012). The American freshman: National norms fall 2012. Los Angeles, CA: Higher Education Research Institute. Retrieved from http://www.heri.ucla.edu/monographs/theamericanfreshman2012.pdf

http://www.heri.ucla.edu/monographs/the

PwC 4

phone. Yet only 50% of colleges and universities send text messages and have a web site that is optimized for

mobile browsers. This stresses the importance for recruiting and teaching practices to keep pace with emerging

and popular technologies.

Financial aid

Students attending colleges have become more financially savvy. College-bound students have the internet at their

disposal and better understand the cost of attendance. Hence, financial aid has increasingly become an important

driver as to why a student selects a university. A study performed by the Parthenon Group identified the financial

aid process as a key area of potential improvement. The financial aid process often influences parents’ and

students’ first impressions of a college or university. Poorly organized financial aid departments and procedures

can lead to lasting dissatisfaction with an institution. Conversely, a well-run financial aid department that is

prepared to effectively communicate financial aid guidelines and decisions can be a factor in a prospective student’s

decision to enroll.

Our perspective

Students will continue to demand and desire better academic programs, services, amenities, and facilities. The traditional “one size fits all” service strategy that colleges and universities have embraced for decades is no longer attainable. As students’ backgrounds, academic and financial needs become more diverse, so do the services and costs required to attract and retain them. Therefore, it is critical that institutions have a strong understanding of their overall mission and diversification strategy.

Management and boards should be focused on their strategic student profile plan in both the short-term and in the next five to 10 years. Several of the more critical questions institutions should ask include:

What is the student demographic that the institution attracts? What is the driving influence for students’ decisions to attend the institution?

How do changing enrollment demographics, based on where the institution draws students, impact the institution’s two-, five- and 10-year enrollment numbers?

Is there something that the institution could change that would attract additional students? Would these changes and additional students result in a net increase or decrease in net income? If changes result in a decrease in net income, are the changes critical to the strategic student profile plan?

Has the institution polled both enrolled students and students who chose not to enroll to gain an understanding of the basis for their decision to attend or to not attend the institution? Do those results align to the strategic student profile plan?

Has the institution identified the services that students value most?

These types of questions about changing student demographics should be at the forefront of conversations when strategic decisions are being made by senior management and trustees.

PwC 5

Evolving audit committee practices

Background

The business and regulatory landscape continues to evolve at a rapid pace for educational institutions and certain other not-for-profit organizations. As such, audit committees have continued to transform and evolve in response to the changing environment in which their institutions are operating. Faced with increasing rules, regulations, and related compliance requirements, as well as a dynamic information technology environment, the depth and range of audit committee oversight is greater than ever.

Changing regulations and increasing compliance responsibilities will continue to require not-for-profits to reassess policies and procedures and increase the level of monitoring. Information technology risks in mobile computing, cloud-based technologies, cybersecurity, data privacy, and social media are increasing at a rapid rate. Keeping pace with technological change and the implementation of effective risk mitigation is proving to be challenging.

The changing business environment continues to create both challenges and opportunities for organizations. As institutions seek to maintain a competitive edge and explore new strategies, managing associated risks is essential.


As audit committee responsibilities have expanded to encompass additional oversight roles, their members have had to prioritize agendas and allocate time to maximize audit committee effectiveness.

The number and background of members on not-for-profit audit committees continues to be important to ensure appropriate coverage of information. The average not-for-profit audit committee has five to seven members. Many not-for-profit audit committees require at least one financial expert. Audit committees are re-assessing their definition of financial expert and incorporating elements of institutional risk and compliance in the definition. Increasingly, a greater number of audit committee members possess a broad knowledge of accounting, financial reporting, regulatory and institutional risk and compliance skills to ensure they understand the financial reporting process, financial statements, and related business risks.

Depending upon the size of the not-for-profit organization, many not-for-profit audit committees are meeting between three and six times per year. It is imperative to ensure the meeting is scheduled long enough to appropriately discuss issues and matters of importance. Some committees utilize agendas that include the meeting time expected to be devoted to each topic. It is also best if there is time built in for flexibility to extend discussions as needed. Other administrative considerations include advance preparation, limiting formal presentations, and focusing on a detailed discussion of key risk areas with the right individuals present to discuss the topic at hand.

In order to increase the efficiency of the committee, many are now using consent agenda items. Under this approach, committee members are expected to have read the materials and, if there are no questions, the committee does not have to discuss more routine topics. In addition, many committees are utilizing advance briefing materials to aid in advance preparation. The best briefing materials strike the right balance—communicating the information the committee needs, yet avoiding extraneous detail.

Ongoing education is important to enabling audit committee members to excel in their oversight roles. The financial statements of not-for-profit organizations are distinct from those of any other industry. Therefore, audit committee members will require industry education to ensure they have a clear understanding of the results presented in the financial statements and to make sure they are asking the right questions of the particular organization. In addition to the financial statement presentation, members need to be educated on regulatory and compliance risks unique to not-for-profits, and how the institution is addressing those risks.

PwC 6

Our perspective

The role of audit committees has become increasingly demanding. Leading audit committees are setting a strong tone at the top, owning their agenda, building strong relationships with internal and external auditors and compliance offices, and evaluating their informational needs and their own performance.

Many committees are considering changing their name from the Audit Committee to the Risk, Compliance and Audit Committee to give credence to the increased responsibilities regarding risk mitigation and institutional compliance.

Given the increased demands and expectations being placed on audit committees it is more important than ever to ensure the audit committee charter is updated periodically and explicitly states the responsibilities of the committee. Increasingly the audit committee charter includes more risk-related topics, including reviewing the results of compliance and regulatory audits conducted by third parties, reviewing hotline call activity including ensuring appropriate disposition of hotline calls, and reviewing and approving the compliance office (or equivalent) annual audit plan.

Audit committee meeting topics have also evolved over the past few years, with a clear shift in focus from the more traditional audit and financial topics to more risk-based topics. Agenda topics should now include such areas as conflict of interest, information technology, global operations, campus and student safety and intellectual property management. Determining which topics are most appropriate should be based on key risks identified through an enterprise risk management (ERM) process.

Specifically related to ERM, audit committees often have ultimate responsibility for overseeing the ERM program and ensuring management has sound practices in place to monitor the various types of risks. Audit committees should be updated at least annually on the ERM process at their institution. Ideally, a form of the update should include a discussion of the top risks the committee is charged with monitoring. It is important that the audit committee understand the reason for the exclusion of risks which were present in the past or inclusion of new risks, as well as the change in perceived severity of certain risks within the institution. It is also good practice to update the full board periodically on priority institutional risks and management’s mitigation plan.

Finally, it is a leading practice for audit committees to evaluate their own performance annually. This can be accomplished by comparing the activities performed against the charter, which allows the committee to take remedial action if necessary in the event an item was missed. Some committees also compare their own activities to leading practices of other institutions as seen through publications, surveys, seminars, and conferences. It is also valuable for committee members to discuss their performance among the members, as well as with management and others within the organization.

For further information on evolving audit committee practices in higher education, please reach out to your PwC partner or manager or any of the contributors to this Perspectives publication and ask for our recent whitepaper titled, “Next on the Agenda.”

PwC 7

Succession planning for executive leadership

Background

Executive leadership in higher education is on the precipice of change as many leaders at colleges and universities

are quickly approaching retirement age. According to a recent report by the American Council on Education, 58%

of college presidents are older than 61. This is a significant change from the mid-1980s, when only 14% of college

campus presidents were 61 or older. 5 Presidential tenures also have decreased in length. In 2011, the average

tenure of a college president was seven years, a decrease of 18% from just five years prior.6 In another survey,

conducted in 2013 by the National Association of College and University Business Officers, the proportion of chief

financial officers age 65 or older doubled from 5.4% in 2010 to 11.2% in 2013, and 37% of those individuals planned

to leave their position in the next four years.7 Yet another survey of chief information officers conducted in 2013

indicated that at least 50% of the current higher education CIO’s planned to retire within the next 10 years.8 Other

key higher education roles could also experience significant turnover including provosts, internal audit directors,

budget officers, and other vice presidents at institutions.

Given the aging leadership pool, educational institutions should focus on their succession planning processes and

transition readiness. Institutions would be wise to take a cue from the corporate environment, where executive

succession planning is a routine topic with boards of directors. Corporations frequently engage their directors to

gain perspectives on developing and establishing the proper criteria for future leadership. Once these criteria are

established, the organization’s current talent pool is often inventoried and assessed to evaluate whether or not there

are internal candidates that could be mentored to eventually step into leadership roles. These organizations then

provide training and experiences, so that individuals are challenged and are developing their professional skill sets.

Keeping the succession plan refreshed is also a key part of the process. Corporations frequently revisit the criteria

initially established to ensure it remains aligned with the organization’s strategic goals and current objectives.

The attention given to succession planning in the corporate world is not as common in higher education. Given the

unique skill set needed to operate successfully in the higher education environment, however, integrated succession

planning processes and ongoing dialogue is needed by the board of trustees and other members of senior

management. Ineffective planning can open an institution to a multitude of risks, including the loss of talent to

other institutions, under-staffed or vacant positions for large gaps of time, and challenges recruiting faculty or

donors. How an institution goes about selecting and grooming the next generation of successful leaders is a

question that higher education institutions should focus on now more than ever.


Senior executives at educational institutions have a variety of backgrounds, from former academics to business

leaders to politicians. Given the broad spectrum of the potential talent pool available, institutions are pursuing

5 http://www.acenet.edu/the-presidency/columns-and-features/Pages/All-Deliberate-Speed.aspx 6 http://www.acenet.edu/the-presidency/columns-and-features/Pages/All-Deliberate-Speed.aspx 7 https://www.insidehighered.com/news/2013/07/16/business-officer-survey-predicts-major-turnover-cfos 8 https://www.insidehighered.com/advice/2014/04/11/essay-urges-colleges-consider-succession-planning-cios

http://www.acenet.edu/the-presidency/columns-and-features/Pages/All-Deliberate-Speed.aspx

http://www.acenet.edu/the-presidency/columns-and-features/Pages/All-Deliberate-Speed.aspx

https://www.insidehighered.com/advice/2014/04/11/essay-urges-colleges-consider-succession-planning-cios

PwC 8

different paths to fill key executive roles. Many institutions employ an external search firm to facilitate their

pursuit of the proper executive. External searches cast a wide net, and use of these searches may bring a talent pool

that is not readily available internally at an institution. However, an external search for a senior executive may take

12 months or longer. Other institutions have started to develop formal internal development programs to groom

the next generation of executives. These development plans include such initiatives as mentoring strategies,

executive education programs, and rotations among various departments. Although the time to groom an executive

can be extensive, well-developed programs ensure an ongoing pipeline of talent within an institution.

Certain colleges and universities are also proactively involving the board of trustees to assist with generating

succession plans and thinking more broadly in terms of the talent pool that is available within an institution.

Trustees are assisting with answering such questions as:

What are the key positions that will need to be filled in the future, such as presidents, executive vice

presidents, provosts, chief financial officers, chief technology officers, chief investment officers, and other

vice presidents within the institution?

What are the key traits of leaders who have moved up and across the institution?

How can a succession plan be integrated into existing initiatives at the institution?

When will the resources be needed?

How long will it take someone to become acclimated to the institution’s culture?

What are the capabilities and competencies of the institution’s current talent pool?

What are the pivotal roles required to execute the institution’s strategy?

Which roles are the most challenging for recruiting talent?

What are the key factors for success in the institution?

These questions and others are at the forefront of discussions that certain institutions are having as they focus more

closely on leadership transitions. By going through a process of methodically evaluating questions such as these,

institutions are starting to outline and formalize their succession plans.

Our perspective

Succession planning should be a priority in order to build the right team to support the institution’s mission and

culture. Colleges and universities that are able to make a connection between the strategic focus of the institution,

their internal talent pool and their external recruiting pipeline will have the unique opportunity to shape their

future leaders. A systematic identification and definition of the necessary skills, knowledge and experience will

strengthen a thoughtful succession planning process. The following steps should be considered as plans are being

developed:

Identify key executive positions, such as the president, chief financial officer, chief technology officer, chief investment officer, provost, and other vice president roles, that will need to be filled in the future. Consider the roles of the current leadership team and whether or not any additional roles need to be added.

Align the institution’s strategic plan with its succession plan, including identifying the key traits of leaders who have moved up. The institution should evaluate how the strategic plan differs from other similar institutions, and pinpoint the qualities needed in its key executives to successfully implement the plan.

Evaluate the business strategy to identify talent needs by taking an inventory of any new strategic projects or initiatives. This should be done for both short-term and long-term goals. As a part of this inventory, specifically identify the types of talent needed to enable strategic changes as well as what core competencies are required to be successful in the specific role.

PwC 9

Project future needs for talent by creating a timeline. The timeline should incorporate when the resources will be needed, how long it will take to develop skill sets, and how long it will take someone to become acclimated to the institution’s culture.

Assess the current talent pool and conduct a gap analysis between what capabilities and competencies are present in an institution’s current talent pool versus the roles that need to be filled in the future. To the extent there are gaps identified, the institution should then proceed to identify which roles are the most challenging for recruiting talent, and consider what the market will look like and how it will affect the institution’s ability to acquire talent to fill the gaps.

Develop a talent acquisition strategy or, if one already exists, evaluate how it is working by reviewing the cost of the strategy and how it currently impacts employees. The talent acquisition strategy should consider key stakeholders.

Implement/monitor the succession plan, and as a part of that, identify who the decision makers are, and how the plan can most successfully be rolled out to a broader group. The plan should be monitored by developing key metrics that the talent pool should be measured against.

Ultimately, current executives and trustees should consider what has made the leaders of the educational

institution successful. Individuals identified as future leaders need to be sponsored so that they gain the training

and experience needed to execute their roles well. Opportunities to guide initiatives imperative to the core mission

of the educational institution or lead key strategic projects will allow individuals to “raise their game,” gaining

exposure to other key stakeholders and developing their ability to manage a multitude of tasks. In addition,

building a robust and thoughtful succession plan is a critical element of an institution’s enterprise risk

management. The inherent risks surrounding inadequate transition plans at the executive level are many, and

must be factored into the overall risk mitigation plans at an institution.

Implementing more formalized succession planning strategies will enable institutions to be proactive in developing

their future leaders and recruiting the top talent for their organization.

PwC 10

Regulatory compliance

Background

The regulatory spotlight continues to be focused on educational institutions. Congressional attention on colleges

and universities, both not-for-profit and for-profit, have challenged institutions to seek ways to improve operations,

maintain compliance and reduce costs. The SEC expects institutions to provide reliable information to

bondholders, and the IRS expects revenues to be appropriately spent. The Office of Management and Budget also

recently issued significantly revised compliance and audit requirements as part of President Obama’s goal to

modernize and streamline regulations and to focus on the elimination of fraud, waste, abuse, and improper

payments.

In light of such regulatory initiatives, educational institutions are under ongoing pressure to demonstrate their

compliance and accountability. The impact of actual or perceived failure of an institution to identify and manage

compliance functions could lead to a damaged reputation among various stakeholders, administrative or financial

sanctions imposed by regulators, and the potential for fines and penalties.

Most institutions are struggling to respond to the changing and increasing regulatory requirements, as well as the

continuing political and public focus. Adhering to these requirements and responding to regulatory scrutiny have

been difficult for many educational institutions and have strained internal resources. Colleges and universities are

continually implementing new policies and procedures and modifying existing financial and information systems to

accommodate new and revised regulations. This has resulted in the need for more data collection and enhanced

training.


The following is a high-level summary of selected accounting, reporting and regulatory matters on which

educational institutions are currently focusing their resources — or may need to focus their attention.

Financial accounting requirements The standard-setting authority for the financial statements of higher education institutions is divided between the

Financial Accounting Standards Board (FASB) for private institutions and the Governmental Accounting Standards

Board (GASB) for public institutions. The FASB works closely with the Not-for-Profit Advisory Committee (NAC), a

standing committee established in 2009 to ensure that the concerns of not-for-profit entities are considered when

developing new standards. The various standard setters involved in the higher education industry results in a lack

of comparability between public and private institutions and increases decision-making complexity for boards,

management, bondholders, and regulators attempting to understand the similarities and differences among

institutions regarding factors such as financial condition, business risks, and cash-flow prospects. Differences in

accounting for similar transactions by similar types of entities increase the risk that misstatements in financial

statements might arise and heightens the potential for misunderstanding reported information. Currently, both the

GASB and FASB have projects on their technical agenda that have the potential to significantly impact higher

education institutions, and could further diverge the accounting standards applicable to higher education

institutions compared to accounting standards applicable to other business entities.

FASB Standard Setting Update

In recent years the FASB’s technical agenda has been centered on the major convergence projects with the

International Accounting Standards Board (i.e., overhauling lease accounting, revenue recognition, financial

PwC 11

instruments, etc.). As these projects are winding down, the FASB’s agenda has been re-prioritized with a number of

new projects, as well as resurrecting older projects which were put on the back burner during the push for

convergence.

In 2014, the FASB kicked off its simplification initiative, the objective of which is to reduce cost and complexity

while maintaining or improving the usefulness of the information required to be reported in the financial

statements. A few of the FASB’s early proposals have been met with some resistance as simpler accounting

standards do not necessarily mean that determining how to simplify the standards will be easy, or that the impacts

will be inconsequential. Preparers should monitor these projects and assess the proposed changes during the

standard setting process to determine if there are any unintended consequences of the proposed simplification

items.

On April 22, 2015, the FASB issued an exposure draft of the Accounting Standard Update of the Financial

Statements of Not-for-Profit Entities (the “Proposal”). The Proposal, which originated based on feedback from the

NAC, is intended to improve the financial reporting of all not-for-profit (“NFP”) entities and focuses on net asset

classification requirements and information provided in financial statements about liquidity, financial performance

and cash flows. Underlying the Proposal is a newly-defined intermediate operating measure that would be required

for all NFPs. The operating measure would align the classification within the statement of activities with how

transactions are reported in the statement of cash flows.

While some of these proposed changes reflect areas of reporting that are unique to not-for-profit organizations,

others deal with changing aspects that are fundamental to the underlying U.S. reporting model, for example, the

proposed changes to the cash flow statement and required operating measure. At present, all of FASB’s

constituents – SEC registrants, private companies, and not-for-profit entities – use the same basic financial

reporting model, tailored as necessary to reflect unique characteristics or needs of a particular constituency. The

FASB is in the early stage of deliberations for changes to the for-profit entities financial reporting model. We

believe that educational institutions, and their audit committees, should familiarize themselves with the FASB

proposal, as several of the proposed changes represent significant changes from current financial reporting and

could be a sign of potential change commercial enterprises may be required to comply with in the future.

For further information on the impact of the exposure draft of the Accounting Standard Update of the Financial

Statements of Not-for-Profit Entities, please visit PwC’s website for the “Point of View” document titled “The

financial reporting framework: Could changes to the not-for-profit model impact for-profit entities?”

http://www.pwc.com/en_US/us/cfodirect/assets/pdf/point-of-view-not-for-profit-standard-reporting-changes.pdf

GASB Standard Setting Update

The GASB’s technical agenda includes a variety of different projects, many of which will directly impact public

higher education institutions. Some of the more significant projects include: accounting and reporting for

irrevocable trusts, blending requirements for business type entities, lease accounting, post-employment benefits

and asset retirement obligations. The GASB also has recently issued Statement 72, Fair Value Measurement and

Application, which will substantially align the fair value concepts between FASB and GASB preparers and will

require the majority of investments to be reported at fair value.

Currently, one area in which the accounting and reporting principles remain largely converged between public and

private institutions relates to property, plant and equipment, including leasing transactions. The GASB is currently

following the FASB in re-examining the lease accounting guidance. In November 2014, the GASB issued a

preliminary views document outlining views on lease accounting. While the proposal is similar to the FASB’s

proposed lease accounting standard in many ways, it diverges in terms of expense recognition. With the GASB

opting for a single model, meaning that all expenses associated with leasing transactions would be recognized

similar to capital leases today, the FASB has decided on a dual model similar to what we have today.

PwC 12

Importance of Stakeholder Engagement

Given the significant and potential impact on higher education institutions of the projects on both the FASB’s and

GASB’s agendas, the activities of the Boards should be closely monitored. Institutions should contribute to the

process to help enhance the overall efficiency of standard-setting by providing input on what could be unintended

consequences of the proposed changes. Early participation in a standard’s development can greatly impact the

direction and ultimate outcome and quality of the final standard. Feedback on the specific impacts of a proposed

standard to an institution is particularly valuable to the standard setting Boards and can help ensure the needs of

higher education financial statement preparers and users are appropriately reflected.

IRS items

President’s Proposed FY16 Budget: There have been a number of legislative proposals in the past year that

could potentially impact colleges, universities and other tax-exempt entities. Earlier this year, President Obama

announced his proposed budget for FY16. The budget contains numerous proposals affecting tax-exempt

organizations, including colleges and universities. The proposed budget must be approved by Congress before

taking effect, but it does reflect some areas of interest that have been addressed in other proposals as well. The

proposed budget includes:

Requiring that colleges and universities report on IRS Form 1098-T amounts paid rather than amounts

billed for qualified tuition and related expenses

Disallowing the deduction for contributions that entitle donors a right to purchase tickets to sporting

events. Currently, donors may deduct 80% of any such contribution

Placing a 28% cap on charitable deductions

Limiting the exclusion of tax-exempt interest for municipal bonds to 28%

Providing an exception to the private business limits on tax-exempt bonds for research arrangements

Form 1098-T: In recent years the IRS has directed increased scrutiny to colleges’ and universities’ 1098-T filings.

This scrutiny includes issuing notices and proposed penalties for each return with missing or incorrect TIN

information. The penalty for filing an incomplete or incorrect Form 1098-T is $100 per form with a maximum

penalty of $1,500,000 per year ($500,000 for organizations with average annual gross receipts of $5 million or

less).

Affordable Care Act: Under the employer shared responsibility provisions, employers having 50 or more full-

time-equivalent employees) must offer affordable, minimum value health coverage to their full-time employees or a

shared responsibility payment, which may apply if one or more of its full-time employees receives a premium tax

credit to assist the employee in obtaining insurance on a health insurance exchange. Starting in early 2016

(reporting on 2015), employers are required to provide a Form 1095-C to each full-time employee and other

employees covered under a self-insured health plan, and to file Form 1094-C with the IRS, transmitting to the IRS

copies of the Forms 1095-C. It is critical for employers to understand the requirements, as these reports will be

used by the IRS to enforce the employer mandate.

Employers need to prepare the required data and design the ongoing reporting process now in order to be ready for

2016 reporting. The information required to complete the forms for 2016 relates to monthly snapshots of employee

status and healthcare coverage offered in 2015. Employers need to focus now on the information that will be

required, how the information will be obtained and reported, and the various reporting options that may be

available.

PwC 13

Final Section 501(r) Regulations: Internal Revenue Code (IRC) Section 501(r) imposes requirements that

nonprofit, tax-exempt hospitals, including academic medical centers, must satisfy in order to remain tax-exempt.

The Final Regulations address financial assistance policies, billing and collection practices, limitations on charges,

and community health needs assessments. The final regulations differ in some ways from earlier IRS guidance.

Organizations that operate hospitals should carefully review the final regulations, assemble a team, and develop a

plan to ensure the hospital meets all requirements.

Federal award compliance and audit requirements

On December 26, 2013 OMB published its “Sweeping Reform” guidance, “Uniform Administrative Requirements,

Cost Principles, and Audit Requirements for Federal Awards” (the Uniform Guidance document). This represents

the culmination of a process undertaken by OMB to accomplish several objectives. These objectives include

streamlining existing federal administrative, cost, and audit circulars, reducing administrative burden, and

reducing the risk of fraud, waste, abuse, and improper payments. The document includes a substantial section

devoted to comments received from stakeholders, and OMB’s and the Council on Financial Assistance Reform’s

considerations when deciding whether or not to implement the comments received.

The Uniform Guidance document replaces several existing OMB circulars, including the administrative circulars A-

110 and A-102; cost circulars A-21, A-87 and A-122; and the non-federal audit circular A-133. The effective date of

the cost and administrative portions of this guidance is December 26, 2014 for new awards and funding increments

issued on or after that date. The effective date for the audit guidance is audits of fiscal years beginning on or after

December 26, 2014. On December 19, 2014 OMB published technical corrections to the Uniform Guidance and

most Federal agencies published their specific adoption of Uniform Guidance largely as issued by OMB. The

Uniform Guidance includes numerous changes from existing compliance and audit rules that each institution

should be considering and planning to implement. The more significant items are included below:

Federal agencies must provide award performance goals, indicators and milestones, and recipients must

relate award financial data to the performance goals and provide cost information to demonstrate cost

efficiencies. There is some relief for research and development awards.

Procurement requirements are largely taken from A-102 rather than A-110. Because of this, there is much

more emphasis on competition and competitive bids.

Recipients must maintain effective internal controls. COSO and the Federal Green Book (Federal agency

internal control framework) are listed as two examples that “should” be followed as a best practice.

Subrecipient monitoring has largely not changed and there is specific emphasis on performing a risk

assessment of each subrecipient. Subrecipients must be paid a minimum indirect cost rate of 10%.

The traditional three examples of effort reporting have been removed. Emphasis is placed upon using

existing payroll distribution systems, and strengthening internal controls to assure an accurate distribution

of payroll.

OMB has revised the Compliance Supplement to consider the compliance change brought by Uniform

Guidance. The procedures are designed to focus on and have greater emphasis on the goal of reducing

fraud, waste, abuse, and improper payments.

The new Uniform Guidance represents the first time in decades that OMB and the federal agencies have focused on

reducing the burden of compliance and audits while still achieving effective program management and

accountability of public funds. The changes are extensive, and many of them will require institutions to take a

critical look at their internal compliance structure, processes, and policies to determine where change is required to

existing institutional practice.

PwC 14

Given that Uniform Guidance is now effective, institutions should be examining each of the more significant items,

and should develop an implementation plan and timetable. These plans should include training of both financial

and compliance administrators, as well as the faculty and investigators who carry out the work of the federal

awards. Some of the new requirements, such as those in the procurement area, will need to be applied to all federal

awards rather than just those awards received after the Uniform Guidance effective date because of the difficulty

with maintaining two separate compliance policies.

In addition, the greater emphasis on internal control best practices will necessitate a review of internal controls

over compliance at a minimum, to determine where there may be significant gaps that should be addressed.

DATA Act

During 2012 and 2013, the House and Senate each issued versions of the Digital Accountability and Transparency

(DATA) Act. The intent of the Data act is to amend the 2006 Federal Funding Accountability and Transparency Act

to further increase transparency of federal spending by federal agencies and the recipients of federal awards.

During May 2014, the House and Senate reconciled their respective versions and President Obama signed the

DATA Act into law on May 9, 2014.

The Data Act includes the following:

The OMB and Treasury Department are to develop government-wide financial data standards for federal

agencies and recipients of federal funds to use for reporting. Common data elements will be mandated for

use in financial reporting and payment information by all federal agencies.

The new data standard must incorporate a “widely accepted, nonproprietary searchable platform —

independent, computer readable format,” such as XBRL. This is similar to the electronic data tagging and

reporting mandated by the SEC for public companies several years ago.

There is a three-year development period that includes a pilot study to be conducted by OMB to determine

the feasibility of pushing the electronic tagging and reporting down to the recipients’ funding.

The DATA Act, when fully implemented by federal agencies, will significantly increase the visibility the general

public has into federal spending and undoubtedly will impact the federal award decisions made in the future.

Our perspective

The attention to educational institutions from Congress, the President, and other regulatory bodies is not slowing

down. While some legislation is in progress to streamline compliance requirements and reduce the financial

burden, other in-progress legislation, as described previously in this paper, will result in more compliance

requirements and added cost of implementation. Therefore, when the opportunity arises, educational institutions

should continue to be vocal with regulatory bodies and political leaders as to their perspectives on proposed

changes and the regulatory cost associated with such changes. In the meantime, institutions will need to continue

to be vigilant in enhancing internal controls over compliance.

In connection with the development of an organizational framework for institutional compliance, educational

institutions should continue to develop other proactive responses to manage and monitor regulatory compliance.

Institutions should consider the following to enhance overall compliance and reduce the financial, operational, and

reputational risks associated with noncompliance:

Stay abreast of new regulatory developments and ensure their voice and points of view are heard through

industry associations and political influences.

PwC 15

Continue to educate trustees, faculty, and staff of the ever-changing regulatory environment to ensure there

is the appropriate level of focus on compliance with not only external rules and regulations but also internal

policies and procedures.

Determine who is responsible throughout the organization for compliance with rules and regulations and

whether actions are needed to improve or maintain compliance.

Assess key exposures and implications to the institution from an operational, financial reporting, and legal

perspective, and respond to these exposures through risk management programs, involvement of

appropriate parties with the identification and monitoring of risks (including senior management, internal

auditors, and other key departmental administrators), and establish ongoing programs to mitigate

potential noncompliance.

Identify best practices for appropriate compliance metrics and other means to track and report the

processes and procedures associated with regulatory compliance.

While educational institutions are not SEC registrants, many are considered “public interest entities” due to their

issuance of tax-exempt municipal bonds and other factors. As a result, institutions must be cognizant and proactive

with respect to the level of reporting, controls, and compliance responsibilities associated with this designation.

PwC 16

Institutional compliance

Background

The legal and regulatory developments of the past several years have debunked the notion that higher education

institutions are not heavily regulated. Rather, what has emerged is a “hyper-regulated” sector that is struggling to

keep up with increasing legislative activity and heightened levels of regulatory scrutiny. Once focused largely on

the multitude of federal laws and regulations governing their operations, educational institutions are now receiving

greater attention from other parties, including state law makers, accrediting organizations, and regulators seeking

to enforce greater standards of oversight and accountability. Moreover, the traditional areas of regulatory scrutiny

that have long been the focus of education compliance programs, such as financial aid, conflicts of interest,

sponsored research and athletics, are becoming increasingly more complex for institutions to manage and are more

likely to invite regulatory inquiry. Layered on top of these traditional compliance requirements are several

additional areas of focus and trends in institutional compliance:

Unprecedented focus on student safety and campus security: A significant amount of current legal and regulatory focus is directed at student and campus safety issues. The Department of Education (the Department) has committed to extending its enforcement of Title IX, a law that prohibits sexual discrimination at any educational institution accepting federal financial assistance. Over the past year, the Department’s Office of Civil Rights has been investigating upwards of 65 institutions regarding their handling of sexual assault cases.9 Likewise, campus reporting requirements under the Clery Act, a 1992 law which requires higher education institutions to comply with certain campus safety and security requirements if accepting federal funds, were expanded by the Obama Administration in 2014 to require broader reporting and transparency from colleges and universities when reporting crimes on campus.10

Data privacy and information security: The challenges of data privacy and protecting personally identifiable information (PII), protected health information (PHI), and proprietary institutional data have become exponentially more challenging for colleges and universities within the past year. No longer just a concern of the corporate world, higher education institutions have experienced increased frequency of, and impact from, hacking and data breaches. Privacy and information security are now ranked among the highest compliance risks in terms of perceived level of threat to higher education institutions.11 We discuss this further in the Cybersecurity section of this publication.

Global expansion: Higher education footprints are expanding globally, as U.S. colleges and universities continue to develop new academic and research programs in unique international locations. In turn, compliance program owners at those institutions are wrangling with new and varied regulatory frameworks, as well as unfamiliar and unpredictable enforcement agencies, in global jurisdictions that their institutions enter.

New learning models and partnerships: With the rapid evolution in technology, a new frontier of higher education has developed in the form of online and distance learning. Once considered a niche model for education, online and distance learning have become highly cost-efficient and approachable alternatives to traditional brick-and-mortar education, with many highly recognized institutions recently launching such programs. This new frontier in higher education creates additional risk and exposure not addressed by traditional compliance programs. Similarly, this new frontier has also led to the formation of

9 Department of Education Press Release, May 1, 2014 10 Department of Education Press Release, October 20, 2014 11 PwC 2014 State of Compliance Survey.

PwC 17

new partnerships among higher education institutions and third parties, thus raising additional compliance risks and obligations.

These emerging trends, coupled with the traditional focus areas of higher education compliance programs, are

causing trustees and administrators to evaluate how their organizations manage and respond to compliance risks.

Most institutions recognize that as the complexity of their environments increase, they must better and more

thoroughly evaluate how their compliance programs are structured and whether and how their organizations are

managing risks in an effective and cost efficient manner.


The stakes have never been higher for colleges and universities to ensure they maintain effective compliance

programs to protect their brands and reputations. As a result, there has been a noticeable shift in focus by boards

of trustees and their audit committees toward proactive risk management. Rather than awaiting the next big legal

or compliance issue to spur change, governing authorities at educational institutions are beginning to challenge

their administrators to consider more proactive programs for managing risk. This shift, in turn, has resulted in the

development of more formalized and programmatic approaches to compliance-related risks.

To help manage these compliance programs, a greater number of colleges and universities have begun to develop

standalone roles dedicated to the oversight of compliance. Several educational institutions have designated a head

of compliance with responsibility for institutional compliance, while even more colleges and universities have

formed in-house compliance committees to better support compliance program efforts.12 By having an individual

tasked with oversight and a committee to support such a compliance leader, it is clear that higher education

institutions are moving toward a more structured approach to managing compliance risk.

Taking this more structured approach to compliance governance a step further, many colleges and universities are

also aligning compliance resources to their highest risk priorities. For example, for institutions with significant

research capabilities, schools have aligned dedicated resources to help manage compliance requirements in the

research setting. The responsibilities of this function typically include adopting sound policies and procedures,

providing training on those policies and procedures and developing monitoring and auditing plans. While the day-

to-day management of these specific compliance risks is delegated to a specific leader in a functional area, the

connectivity and linkage back to an institutional compliance program helps create consistency in policy, process

and communication.

Institutional compliance programs are also leveraging a greater number of compliance monitoring activities and

data points to help assess compliance program effectiveness. Of note, higher education organizations are

monitoring and gaining value from risk assessments, compliance audits and regulatory visits that, in turn, provide

valuable inputs to help inform the direction of, and drive improvements to, their compliance programs.13

Our perspective

The need for compliance program governance and oversight has reached an important juncture within higher

education. Instrumental to that governance and oversight is a higher education institution’s board of trustees or

audit committee. In line with governance trends both within higher education and in other sectors, colleges and

universities should seek to have some level of expertise regarding risk and compliance among its board and/or

audit committee members. Likewise, there should be a common understanding among board and/or audit

committee members that they have overall responsibility and accountability for ensuring the existence and

effectiveness of their institution’s compliance program. This obligation is not simply leading practice, but is

12 PwC 2014 State of Compliance Survey. 13 PwC 2014 State of Compliance Survey.

PwC 18

ultimately an expectation of the U.S. government: a governing authority must “be knowledgeable about the content

and operation of the compliance program.”14 To execute on this responsibility, the board and/or audit committee is

well advised to meet regularly with compliance program owner(s), to ask the right questions of institution

administrators regarding the management of key compliance risks and to better understand the scope of

compliance program activities through regular and meaningful updates, communications and training activities.

In addition to strong board-level governance around the compliance program, higher education institutions should

also ensure that oversight and management of program operations are delegated effectively. As supported by

recent PwC survey data, formalized compliance program oversight in higher education is becoming more the norm

and several models have emerged:15

Centralized Model: In this model, under the leadership of a designated Chief Compliance Officer (CCO) (or other designated individual) and their supporting staff, the oversight of compliance program activities flows through a central resource and support is often provided by a cross-functional compliance committee. Neither the CCO nor the compliance committee should own all compliance program activities. Instead, these activities should be driven by those functional areas of the institution with the requisite knowledge and understanding of the applicable compliance risks (i.e., research, athletics, financial aid, etc.). While these functional areas are responsible for the ongoing execution and monitoring of compliance program activities within their designated risk areas, they should consult regularly with the CCO and provide meaningful and regular updates to the CCO, as well as to institutional leadership. In addition, the CCO and his or her supporting staff should have ownership for certain key compliance program elements (i.e., code of conduct, hotline, and investigations) that help serve and advance compliance responsibilities of those functions. Although the centralized model is not as common in higher education, more institutions are considering a model that includes a designated individual responsible for overseeing institutional compliance.

Decentralized Model: A decentralized compliance program places the responsibility for implementing

and overseeing the compliance programs within the functional areas of the institution, with no centralized compliance function (i.e., a CCO) to coordinate or with which to consult. Functional leaders then must report to executive leadership, and in certain cases, to the board and/or audit committee, regarding the specific risk areas and/or compliance program activities for which they have ownership. These functional leaders have responsibility within their unit for compliance training, adoption of procedures and systems to promote compliance, mechanisms to enforce rules and monitoring programs to evaluate compliance. Procedures established within the unit are reported to an administrative officer (i.e., the president or executive vice president).

Hybrid Structures: Most institutions today rely on hybrid compliance program models that suit the unique structure of the specific institution. In many cases, this model entails centralization of key compliance program elements (i.e., written code of ethics or conduct, hotline, central auditing process to test compliance) and decentralization of the more regulatory-focused compliance program elements within individual units (such as compliance functions within research, athletics, and financial aid). A hybrid structure often includes a compliance steering committee which has oversight of the organization’s overall compliance program. Oversight for specific and technical risk areas resides within leaders or departments that have the specialized knowledge (i.e., research requirements, NCAA regulations, etc.). The steering committee often evaluates the strengths and weaknesses within a departmental program, and works to standardize important tasks such as training, policies, and enforcement.

As higher education institutions continue to adopt more formalized compliance programs and consider different

models for driving those programs, it is crucial that the boards and/or audit committees overseeing the process

fully understand and assess the impact that the programs will have on both internal and external stakeholders.

14 Federal Sentencing Guidelines Manual § 8B2.1 (2015) 15 PwC 2014 State of Compliance Survey.

PwC 19

From an external perspective, the adoption of a formalized compliance program will undoubtedly be viewed as a

positive step by regulators and accrediting organizations in advancing institutional risk management. Likewise,

having a publicly-facing compliance program helps assure prospective students, employees, vendors and business

partners that the institution values its brand and reputation and is committed to upholding the laws and

regulations in those locations where it operates.

From an internal perspective, the process of adopting a formalized compliance program provides great

opportunities to strengthen institutional relationships, to improve communication and culture and to help the

organization achieve its strategic objectives. Critical to achieving these results is the need to garner early buy-in

from key functional areas and individuals at the institution, both within the administration and the wider academic

community. The most effective compliance programs are the result of strong collaboration and common

understanding among stakeholders as to the purpose, mission and value proposition of having an institutional

compliance program. Without socializing the concept and providing opportunities for input across the institution,

there is a greater likelihood of confusion and resistance when the organization launches its compliance program.

Regardless of the decision to implement a centralized, decentralized or hybrid structure, the end goal for any

institutional compliance program is to effectively manage compliance risk. To achieve a successful compliance

program, institutions should consider the following key attributes:

Risk assessment: Institutions should be taking stock, on a regular basis, of their compliance risks and validating ownership and effective management of those risks. For some institutions, this exercise is now part of a broader ERM program that seeks to look at risk more broadly than just compliance. For other institutions, this exercise is performed as part of a more detailed compliance risk mapping or risk assessment initiative that is separate from ERM. In both cases, the end goal is the same: identify compliance risk areas of top concern and ensure ownership and appropriate risk mitigation activities. The results of the risk assessment can also help build the compliance work plan, as well as allocate limited resources to identified gaps. Once the risk assessment is performed, formal accountability for identified compliance risks should be assigned to specific leadership positions within the organization, and a process for monitoring and reporting on the highest priority compliance risks should be developed.

Policies and procedures: Despite varying appetites in higher education for formalized policies and procedures, the adoption of core compliance policies and procedures is important to creating structure and awareness as to institutional standards and expectations for behavior. At a minimum, institutional compliance programs should adopt a code of conduct, as well as specific policies focused on key risk areas, such as whistleblowing and investigations, conflicts of interest, privacy and security and discipline. These policies should be communicated and applied institution-wide. Other compliance policies may be developed to address specific compliance risks and applied through procedures at a functional level. Formal disciplinary protocols to address deviations from adopted policies and procedures should be developed and communicated to both faculty and others working throughout an institution.

Training and communication: To best ensure there is widespread and consistent familiarity with the policies and procedures of an institutional compliance program, formalized training and communication efforts are necessary. Training should be tailored to the appropriate audiences (i.e., code of conduct for a broad audience and more policy-focused training to impacted areas of the institution), and can take different forms or approaches (i.e., online versus in-person). Similarly, an organized and well-coordinated communications plan can help to establish and evidence an appropriate tone-at-the-top and to raise compliance program awareness through different communication vehicles.

Depending on an institution’s prior compliance issues and level of compliance program maturity,

implementing these key attributes could already be complete or, alternatively, could be part of a more gradual

build-out process. However, the evidence and data in higher education suggest one important reality:

institutional compliance programs are becoming a foundational element to the strategic vision and culture of

high-performing colleges and universities.

PwC 20

Cybersecurity

Background

Recent high-profile data breaches have highlighted the threat faced by the retail, health care and entertainment

industries. However, few are aware that approximately 35% of all data breaches take place in the higher education

arena, a number exceeding both the governmental and financial and insurance sectors.16 According to the Privacy

Rights Clearinghouse, educational institutions experienced 727 breaches in the 10-year period ending in 2014,

representing more than 14 million breached records.17 Affected parties included universities, vocational schools,

and school districts, as well as other not-for-profits operating in the education sector.

The three most common causes of higher education data breaches are hacking/malware, unintended disclosure,

and portable devices.18 Higher education institutions are vulnerable targets as they have numerous network access

points that open the door to a wide array of personal, financial, and intellectual property data. In many cases, the

data is highly decentralized, making it especially susceptible. Additionally, the expanded use of personal devices

used by faculty and students to connect to an institution’s network has increased the risk of malicious attacks.

The legal and regulatory landscape is quickly changing to respond to the growing threat of data breaches.

According to the Data Quality Campaign, in 2014, 36 states considered student data privacy bills, while 20 states

enacted such bills. Additionally, an increase in legislation regarding personally identifiable information (PII),

including the Family Educational Rights and Privacy Act (FERPA), and the Student Online Personal Information

Protection Act (SOPIPA), has made data security an even greater priority. FERPA provides parameters for what is

permissible when sharing student information, but it does not prohibit sharing data across agencies. SOPIPA,

enacted in California, prohibits websites, online services and apps from using student information for creating a

commercial profile or for targeted advertising and from selling student information. SOPIPA is widely regarded as

being the first truly comprehensive student data privacy legislation.

Given the increased regulatory environment and susceptibility to data theft that institutions face, data security

policies, practices and controls continue to receive significant attention at colleges and universities.


In response to the aforementioned threats, many institutions are looking to cloud service providers to help manage

and maintain their systems and data. There are a number of risks that institutions are considering when moving

data to a third-party including data ownership, multitenant environments, regulatory requirements, service

provider access, availability, audit requirements, and many others. Institutions must be aware of the relevant

security- and privacy-related controls service providers are using to manage risk. Institutions need to not only ask

initial questions about security controls when selecting a service provider, but also validate and test the existence of

these controls throughout the lifetime of the relationship.

16 James Bourne, “Business data breaches get more expensive each year: The state of enterprise security”, http://www.appstechnews.com, (January 28, 2015).

17 “Just in Time Research: Data Breaches in Higher Education”. Educause Center for Analysis and Research. http://www.educause.edu, (May 20, 2014). 18 James Bourne, “Business data breaches get more expensive each year: The state of enterprise security”, http://www.appstechnews.com, (January 28, 2015).

http://www.appstechnews.com/

http://www.educause.edu/

http://www.appstechnews.com/

PwC 21

Despite the growing pervasiveness of cloud-based solutions, in-house or commercial off-the-shelf applications still

make up the majority of the systems used by educational institutions. These traditional systems and applications

are being assessed for security and privacy concerns. This internal risk assessment process is in the infancy stage at

many colleges and universities. According to a March 2014 survey of colleges and universities conducted by the

SANS Institute, only 45% of respondents had a formal risk assessment policy. Additionally, PwC’s 2014 Global

State of Information Security Survey found that 42% of the educational institutions surveyed are performing

internal risk assessments of information technology systems.

While most regulations do not require compliance with specific security control frameworks, institutions are

considering the ISO 27002 information security standard and the NIST 800-53 security framework. There are

many other information security frameworks available to help organizations define and develop their security

control environments and mitigate and manage IT risks, but the NIST and ISO frameworks are two of the most

commonly adopted. As organizations continue to support, develop, and manage applications in their own

environments, they continue to assess and ensure the security of such systems.

Our perspective

Educational institutions are challenged by a culture of open systems and access versus the threats and risks posed

by attacks on systems that hold and maintain valuable information. The movement to more secure platforms

operated by other companies is expected to continue to grow, moving sensitive systems and data to third-party

cloud providers. Therefore, the security and protection models used in the past will have to change. Institutions

should consider incorporating the following foundational programs into their information governance program:

Stratify and segment data and systems – Institutions must understand the various types of data they are

responsible for (data and systems managed in-house, as well as those outsourced to third-parties) and identify the

appropriate security and control framework that each of these types of systems and data must meet or exceed.

Assess existing systems for breaches – Institutions must consider there is a probability their systems have

already been breached, and a monitoring program should be put into place to periodically scan for system breaches.

This could include a breach indicator test, which goes further than a traditional attack and penetration test.

Build a security framework – Institutions must have a baseline security appetite and to develop this appetite,

management must be aware of the risks the institution faces, the threat vectors on how the institution can be

attacked, and the controls in place to protect against those threats and risks. Most institutions do not have a

security framework in place that is down to the control level of key technology devices that can be monitored and

audited to ensure they meet the risk appetite established by the institution.

Monitoring risks at third-parties – Institutions must undertake proper monitoring of all their third-party

vendors who manage and protect the institutions’ data and systems. This includes technical security assessments,

privacy assessments, and having a detailed understanding of the security framework and controls in place to

protect the data and systems they are responsible for. Clear roles and responsibilities for overseeing, monitoring,

and managing third-party relationships need to be defined, documented and communicated.

As the number of data breaches continues to rise and new legislation emerges around the protection of student

data, institutions are required to demonstrate a higher standard of due care to protect this data. Regular risk

assessments and robust security controls are one way of demonstrating such care. In order for institutions to

provide the protection needed to meet the evolving threats and risks, it is imperative for them to deploy a risk

management program for information and privacy, similar to other risk programs in place. An institution cannot

rely on yesterday’s practices to combat today’s threats.

PwC 22

Information technology

Background

Dramatic advances in information technology and the related pace of change has stretched all industries to keep up

with the expectations of consumers, the ever-increasing costs, and the overall risks and rewards of the latest

technology. Higher education is seeing the broad effects of how technology is changing the way in which students,

faculty, researchers and administrators go about their business. This section highlights three information

technology priorities – mobile devices, cloud computing and ERP systems – that are currently demanding

significant attention from educational leadership.

A simple glance at the latest smartphone is evidence of the amazing technological and economic change agent at

hand. These devices and the legions of individuals using them are changing the way we interact. From hailing a

taxi, to booking a flight, to registering for a class and reading a textbook—all are made simpler and more efficient

through the use of these devices. Mobile devices are now in the hands of 98% of Americans under the age of 30,

with smartphones and tablets growing as the preferred communication and computing devices. As a result, how

and where the higher education population receives information and communicates has changed, and the

commingling of personal and professional use of devices is becoming the norm.

Cloud computing is also gaining significant attention in higher education. Cloud technology has two main

characteristics—the services are priced on a subscription basis and are delivered via a network connection. The

facilities, equipment and labor to produce the cloud service are provided by the vendor and the client is relieved

from managing the complex technical infrastructure. Seeing an opportunity, new cloud-based vendors are selling

flexible and user-friendly offerings that avoid much of the heavy startup and maintenance costs of the traditional

ERP systems. Cloud systems are generating a wave of change across the higher education marketplace as

institutions look for ways to improve IT capabilities and reduce operating costs.

Despite the growing appetite for cloud computing, ERP systems are still at the core of many institutions’ daily

operations. These are the systems that track revenues and expenses, fixed assets and human resource data, among

other key financial and operational information. As many systems in higher education are antiquated, the pace of

large ERP system implementations – from student services to financial systems – has quickened. The cost for such

large system upgrades and implementations has grown exponentially, causing trustees and senior leadership to

play a proactive and deeper role in overseeing the information technology environment.


The freedom and capabilities of mobile devices and the increasing flexibility provided by cloud and ERP systems

are affecting how educational institutions strategize around technology. The ubiquity of mobile devices, the speed

at which change occurs and the lower entry cost provided by cloud systems has increased the need for institutions

to be nimble, as well as proactive when managing their technological plans and related goals. Summarized below

are several ways educational institutions have been impacted by these changes.

Mobile Devices: The arrival of mobile systems has launched a frenzy of change in higher education. Textbooks are

replaced with e-books, video and websites. Lectures are recorded and available for wider audiences. Massive open

online courses are a new source of competition and opportunity. Mobile apps are also being used to further engage

alumni and donors in the college and university experience.

To address this rapid change, colleges and universities are rethinking how and where education and business are

conducted. As an example, with over half of all applicants reviewing colleges and universities via their

PwC 23

smartphones, the mobile experience is critical to institutional branding. Investments are being made to make

campuses mobile friendly, including institutions publishing their own applications providing course catalogs, maps,

library searches, and personalized class schedules. Institutions are also addressing the need for immediate access

to information by providing systems that are always on and available.

Cloud systems: Institutions are increasingly adopting cloud services to take advantage of low entry cost and capital

outlay, as well as flexibility. Such items as email, collaboration systems, websites, alumni tracking and

administrative systems are starting to move to cloud services. Institutions are also using cloud-based solutions like

YouTube channels and Facebook pages as part of their communications and brand management work.

The market place for Cloud systems continues to grow and provide new opportunities for colleges and universities

to innovate and adopt more efficient solutions. The increased sophistication and reliability of cloud solutions is

providing institutions with the ability to offer immediate access without expanding data centers and staff.

ERP: ERP systems are being influenced by both mobile and cloud computing. Institutions are finding new

entrants that are offering cloud-based ERP systems, thus increasing competition in the market. In response, the

traditional ERP vendors are working to produce or improve their own cloud offerings.

Institutions are finding there are more choices of ERP systems and how the ERP systems are delivered. The

upgraded ERP systems offer improved user interfaces and richer capabilities than previous systems. Regardless of

the vendor, product or delivery model selected, an ERP implementation is a major endeavor. A well-crafted

architecture, disciplined program management and strong executive support remain critical success factors for an

ERP implementation project.

Our perspective

Change and opportunity are often linked. Institutions that provide a great mobile experience for their students and

staff will have an advantage over institutions that are behind the curve. Upgraded ERP systems and cloud-based

systems can help deliver the access that is demanded in today’s society.

Consistent with other industries, higher education is challenged to keep pace with the current information

technology environment. Institutions need to continually review their information technology portfolio and make

changes to remain competitive with current technology. New ways in which individuals interact with technology on

mobile devices provide opportunities to develop competitive advantages. Mobile devices provide the means to

integrate visual, audio and geographic information into applications. Institutions can use the capabilities to enrich

the educational process, change how research surveys are conducted, improve how field data is collected, simplify

food service delivery, and expand alumni outreach. The mobile space will continue to expand and innovate. With

over a half million registered developers and over 2.5 million applications available on the most popular platforms,

mobile devices are being transformed into the tool that can do anything. Institutions need to take advantage of this

and develop forward-looking plans on how best to capture the future of mobile technology to best serve their

institutional strategies.

The popularity of cloud systems continues to grow with a flexible delivery model that is a good match for the

demand pattern of higher education institutions. Like any tool, cloud systems need to be utilized properly to be

effective. As cloud systems continue to be installed, IT organizations will need more skills as architects, integrators

and project managers and less skills configuring and repairing back-end systems. Since cloud systems do not have

a heavy reliance on information technology departments, vendors will market to other department heads who may

not consult IT departments in the evaluation process. This can lead to implementations that are good for a

department but increase the overall cost and complexity of the institution. As cost pressures continue to grow, a

modest investment in architecture and portfolio governance can mitigate the risk.

PwC 24

The ERP marketplace is expanding with new entrants selling cloud-based products that provide new capabilities,

the ability to grow and contract and better fit mobile computing. These systems are often aimed at a subset of ERP

functions and are marketed directly to functional managers. Meanwhile, the established ERP vendors continue to

expand the breadth of their offerings. The challenge for higher education is to strategically adopt newer solutions

without driving up the cost and complexity of overall operations. The need for a strong governance structure and

IT architectural plan is higher than ever. A coherent plan to incorporate new systems can prevent well-intentioned

changes from turning the information technology environment into expensive, confusing and inefficient islands of

data.

The advancement of technology will keep improving the information and capabilities available on devices.

Successful institutions will find ways to integrate the daily business of higher education into the mobile world while

cloud-based services and improved ERP systems will prove to be valuable tools in making institutions more agile

and mobile friendly. Successful institutions will manage their technological brand and provide a superior

experience for students, faculty, administrators and other constituents.

PwC 25

Shared services: A source for administrative efficiency

Background

Colleges and universities continue to face pressure to control administrative costs. Analyses of multi-year cost

trends at many institutions indicate that expenditure increases outside the core mission strikingly outpace those

associated with costs of instruction, research and, for those with academic medical centers, patient care. Left

unchecked, these trends will reduce the allocation of an institution’s resources necessary to achieve its goals and

objectives, and ultimately impair its ability to fulfill its mission.

Traditional sources of revenue will provide little relief. Increases in tuition and fees are constrained by increased

competition from colleges and universities seeking to maintain enrollment by increasing discounts and from

educational providers offering alternative instructional delivery models. College affordability and student debt

remain issues in the national conversation. Endowment returns, although up from previous years, offer only

limited relief, particularly for tuition-dependent institutions. Federal funding is unlikely to increase sufficiently to

offset rising research costs, while the outcome of research – intellectual property – has unpredictable returns. In a

number of states, appropriations are decreasing substantially, continuing the trend of shifting the burden of higher

education costs from taxpayers to students and their parents.

On the other hand, overall college and university costs continue to increase disproportionately to revenue and

funding. Educational organizations are labor intensive and benefit costs are likely to increase at a rate higher than

revenue increases. Costs associated with compliance with state and federal laws and regulations and with student

demands for lifestyle amenities and technology also place a heavy burden on institutional resources. Additionally,

many universities find themselves in an intellectual arms race where top talent physicians and scientists are

recruited with large compensation packages. Faced with these challenges, institutional leadership is taking steps to

increase efficiency and reduce costs while maintaining administrative operations that provide effective and

compliant service.

Increasingly, shared service centers have assumed a role in the set of transformative solutions being adopted to

achieve this objective. Commercial enterprises have long accepted the shared services model as a means to provide

services at reduced costs, but colleges and universities have only recently come to accept the model. Why the

hesitancy? Educational institutions are typically structured around a set of academic divisions/schools and

departments that include faculty and staff who perform a variety of activities, such as human resources, payroll,

procurement, travel, research administration, and financial management. This operational model is attached to the

tenure and promotion paradigm that university departments and schools have used for years to organize faculty

along traditional academic lines. As a result, services have historically resided within the academic division or

school, rather than being shared across departments.

In addition to academic departments, operations and support units such as facilities, transportation, health and

safety, research administration, information technology and advancement also employ staff members who perform

similar administrative tasks. In many cases, the staff members are generalists who are not able to call on peers for

assistance because processes and practices are uniquely defined in each department. From an institutional

perspective, this arrangement allows for structural redundancies, process inefficiencies, and unnecessary

operational costs. This structure also increases regulatory and compliance risk as an array of staff with varying

degrees of understanding of required policies and processes, perform critical tasks in an often inconsistent manner.

PwC 26


Increasingly, colleges and universities are adopting components of a shared services business model to support

functions performed throughout the institution. These shared services have included such areas as human

resources, benefits, procurement, travel, billing, treasury functions, research administration, and information

technology. Various successes and challenges have resulted from those institutions that have embarked on such a

model. Those that have been most successful have shared a set of common characteristics.

Board and senior leadership support – Shared services represent a change in the business model often

unfamiliar to many in the institution. Change in the decentralized leadership environment of a college or university

is facilitated by a clear vision supported and articulated by a leadership team aligned around a shared perspective

and clear outcomes.

Effective change management and communications – Institutions that have effectively managed the

change have demonstrated ongoing resource commitment to communicate the need for and benefits associated

with the new business model. Key elements of change management have included a compelling description of why

change is needed, leadership alignment, and an ongoing benefits assessment to highlight the advantages of the

model for both the institution and those impacted.

Dedicated project structure – Executing the transition plan has required institutions to dedicate a robust

project structure including governance support, effective project management, and a committed project team to

work collaboratively with stakeholders.

Clear definition of roles and responsibilities, processes, and service charges – Colleges and

universities have established a clear and well documented delineation of the roles and responsibilities between the

shared service center and those organizational units they serve. These have been codified in a service level

agreement or performance level agreement.

Phased deployment – To lessen the impact of large-scale deployments of service centers, institutions have

phased the change through pilot projects that often involve small, less-complex units. When pilots are successful,

other units often seek to share in that success, which has facilitated the selection of departments for participation in

future deployments.

Even in the best of circumstances, institutions have faced challenges with adopting shared services business

models. Faculty who have traditionally received administrative support from staff in their department have

expressed concern that they will be required to attend to more administrative functions, decreasing their

effectiveness as instructors and researchers. Staff members subject to re-assignment to a shared service center

have expressed concern that they need a better understanding of the path to the new organization structure and the

process of training needed in their new roles. Others declare their commitment to their current department’s

objectives and express reservations regarding the notion of serving in a specialist role.

Our perspective

Although a number of institutions have adopted the shared services approach, many have not. The reasons vary.

For some, leadership has failed to recognize the need to change. In these cases, institutional planning processes are

unresponsive to the forces influencing higher education. Planning is often tactical, rather than strategic. Shared

services adoption requires an investment of institutional resources to achieve the transition and contain ongoing

operational costs. For some, the investment is too great. Others recognize the need to change, but lack the

leadership wherewithal to effect it. Shared services adoption requires a collective commitment to a new business

model, and a prioritization of shared services implementation above other potential institutional initiatives.

Effecting this change requires that leadership present a coherent case for change, effectively communicate the need

PwC 27

for a timely transition, and develop and execute a well-conceived and well-resourced plan. Importantly, leadership

must champion change and address resistance throughout the transition.

Certain institutions may be hobbled by obsolete information technology. A shared services business model requires

well integrated technology supported by software that can be configured to support central processing for

distributed sets of departments. The software supporting the new model must provide stakeholders with

transparency into the new processes, shared service managers with visibility sufficient to monitor and control tasks

and meet performance standards, and shared service center staff with the ability to handle transactions and update

systems in a single encounter. Some of the software packages widely used in higher education today cannot

effectively support shared services for key administrative functions. Other software packages have been modified

so extensively that re-configuration to support a new business model may be cost prohibitive. Software

replacement may represent the more viable alternative.

Institutional leaders should continue to ask the following questions to assess the need for shared services:

How does the increase in institutional support costs, student services, and academic support over the last three

to five years compare to the increase in the core mission costs (i.e., instruction and research)?

How are resources allocated across institutional support services? For instance, although the finance function

may be performed in the Controller’s Office, are there resources from other academic and administrative

departments that also perform the function? Is the total cost of decentralized functions known (i.e., research

administration, purchasing, human resources, among others)? How do these costs compare to other

institutions?

Are faculty or staff performing the same functions in many departments, effectively duplicating efforts? For

example, are there administrative IT staff not only in the central IT department but also throughout the

academic, administrative and auxiliary departments of the institution?

Institutions that have successfully implemented shared service centers have learned valuable lessons along the way.

These “lessons learned” provide a path that others may follow. They have found that it is particularly important

that executive leadership understand and be engaged in communicating the need for change. Communications

regarding the benefits of shared services must emphasize customer service – the opportunity to improve the overall

experience by increasing accuracy, the timeliness of response and the effectiveness of communication. The

initiative represents a unique opportunity to thoughtfully consider and streamline business processes, removing

non-value-added steps. Benefits of administrative cost savings are best communicated with a description of how

the savings will be applied.

To date, colleges and universities have focused shared service initiatives on those functions that consume

significant resources in both decentralized academic and administrative units and central support organizations.

These include financial management, human resources, payroll, research administration, and selected components

of information technology. This list will continue to expand.

Savings opportunities are difficult to measure without an analysis of how staff and faculty with administrative

responsibilities in decentralized academic and administrative units apply their time and effort. Those institutions

that have measured and estimated the costs of this effort have realized savings ranging from 5% to 25% of the

combined decentralized and centralized units’ effort – a substantial savings that can be re-allocated to higher

priority functions. Just as important, they have realized improved service levels and expanded advancement

opportunities for those that staff the shared services center.

As with any organizational model, changes in the environment such as those resulting from new leadership,

changes in institutional structure, and regulatory and reporting requirements may require changes in the services

the center supports. Ongoing monitoring and assessment of the impact of these changes allow the shared services

center to adapt to the changing needs of the institution it serves.

PwC 28

The outlook from Washington

Background

Higher education act

Ideological differences within Congress about the appropriate role of the federal government in education policy

remain a significant challenge to substantive legislative action in the higher education area. For the first time since

2006, Republicans control both the House and Senate and drive the legislative agenda. First on the education

agenda is reform of No Child Left Behind and reauthorization of the Elementary and Secondary Education Act – no

simple task. With one failed attempt at passage in the House and unclear prospects for passage in the Senate, it is

questionable whether lawmakers will have the appetite to tackle another major education package, namely

reauthorization of the Higher Education Act. However, the new chairman of the Senate Health, Education, Labor

and Pensions Committee (HELP), Senator Lamar Alexander (R-TN), has said he intends the Senate to complete its

work to reauthorize the Higher Education Act by the end of 2015. Having put forth no definitive timeline, returning

chairman of the House Education and the Workforce Committee, Representative John Kline (R-MN), also has

listed reauthorization of the Higher Education Act among his priorities, and the House committee is working to

draft legislation that adheres to the four principles the committee outlined in 2014.19

It also should be noted that there are other important issues competing with the Higher Education Act

reauthorization for time on the committees’ agendas, including reauthorization of the law governing federal child

nutrition programs in the House and reform of the Food and Drug Administration, Children’s Health Insurance

Program reauthorization and Affordable Care Act reforms in the Senate. Additionally, both chairmen of the House

and Senate committees have as a top priority oversight and targeted reform of the Equal Employment Opportunity

Commission and National Labor Relations Board. When considered in light of the numerous other issues facing

Congress (i.e., Highway Trust Fund expiration, Patriot Act reauthorization, cybersecurity, and

budget/appropriations), it seems less likely that Congress will address the Higher Education Act reauthorization

ahead of the 2016 Presidential election.

While members of Congress continue to explore and debate reauthorization of the Higher Education Act, President

Obama and his Administration are moving ahead with executive and administrative actions designed to achieve the

President’s stated goals of making college more “accessible, affordable, and attainable.” Focused efforts include

actions designed to reform higher education funding, strengthen community colleges, limit tuition increases, and

address transparency and accountability issues. Many actions were taken through rulemaking and budget

proposals and are still under consideration or in the implementation process, including the college ratings system,

gainful employment regulations, and the “Student Aid Bill of Rights.” It remains to be seen whether these actions

will ultimately accomplish the Administration’s goals.

College Ratings and Gainful Employment

The public comment period closed for the Department of Education’s first draft of the Postsecondary Institution

Ratings System on February 17, 2015. According to the Department’s invitation for comment, the system aims to:

(1) help colleges and universities measure, benchmark, and continue to improve across the shared principles of

19 The Four principles are empowering students and families to make informed decisions; simplifying and improving student aid; promoting innovation, access, and completion; and ensuring strong accountability and a limited federal role. Republican Priorities for Reauthorizing the Higher Education Act, http://edworkforce.house.gov/uploadedfiles/hea_whitepaper.pdf.

http://edworkforce.house.gov/uploadedfiles/hea_whitepaper.pdf

PwC 29

access, affordability, and outcomes; (2) help students and families make informed choices about searching for and

selecting a college; and (3) enable the incentives and accountability structure in the federal student aid program to

be properly aligned to these key principles. A consistent theme from the comments was that the draft lacks

understanding of the different schools it proposes to group together. Additionally, commenters said that student

outcomes must be measured comprehensively and that post-graduate income levels cannot be the only measure of

a successful college education. The consensus that emerged from the public comment period is that the draft

framework is not ready to be rolled out for the 2015-16 school year. Whether those comments resonate with the

Department of Education remains to be seen as the Department works toward completion of the framework in time

for the 2015-2016 school year.

With an intense focus by the Department of Education, the Administration has set out to make a number of

changes in the for-profit space. Last year, the Department of Education released its final Gainful Employment rule.

The Department made significant adjustments from the original proposal that were seen as addressing some

concerns; however, the Debt-to Earnings (DTE) ratio was not changed, which will pressure schools to maintain

lower tuition and fees on an ongoing basis.

Cost of compliance

Republicans in Congress have voiced opposition to the Administration’s approach. In February, the Senate HELP

Committee held a hearing titled “Recalibrating the Regulation of Colleges and Universities: A Report from the Task

Force on Government Regulation of Higher Education.” The hearing featured a bipartisan report from the Task

Force on Federal Regulation of Higher Education commissioned by Senate HELP Committee Chairman Alexander

and Senators Barbara Mikulski (D-MD), Richard Burr (R-NC), and Michael Bennet (D-CO). The report suggests

numerous regulatory reforms in higher education policy, targeted at both traditional and for-profit schools. Soon

after the hearing, legislation was introduced in both the House and Senate targeting many of the regulations

currently being promulgated by the Department of Education, as well as some existing ones. Senator Burr

introduced S.559, the Supporting Academic Freedom through Regulatory Relief Act, which would stop many of

the regulations from being issued and/or enforced, including the college ratings system, gainful employment rules,

and credit hour definition.

A companion bill, H.R. 970, with a Democratic co-sponsor was introduced in the House by Representative Virginia

Foxx (R-NC). The bills are viewed as a stopgap measure to prevent the Department of Education from issuing or

enforcing certain regulations until Congress takes up reauthorization of the Higher Education Act, during which

Congress would purportedly address the issues. Even if the bills pass Congress, they may have little chance of

becoming law without significant support from congressional Democrats or an agreement with the President. That

said, there is an area where bipartisan collaboration seems likely–student loans. Senate HELP Committee

Chairman Alexander acknowledged that possibility during an interview with NPR last year. When asked what he

was willing to collaborate on with the Administration, Senator Alexander responded, “We did a good job working

with the President last year [2013] simplifying student loans and reducing the interest rate for undergraduates by

half. We need to finish that job by simplifying the FAFSA and repayment options.”

Several universities have performed studies of the cost of compliance in higher education. Specifically, Vanderbilt

University performed a regulatory cost burden study based on its own costs, as well as 12 other colleges and

universities across the sector. They were interested in uncovering the costs and primary contributions to federal

regulatory compliance. Vanderbilt University identified both direct costs and “marbleized” costs (those costs that

were included in other activities). They estimate that colleges and universities spend 4% to 11% of their

expenditures on compliance activities, excluding clinical regulatory costs. When considering clinical activities,

those percentages are even higher. Those institutions at the higher end of the range tend to be colleges or

universities with research activities. Another significant factor resulting in an institution’s cost percentage being at

the high end of the range is research on humans or animals.

PwC 30

Our perspective

The summary above is a high-level outline of selected federal policy and regulatory matters on the federal agenda.

The attention to educational institutions from Congress, the President, and other regulatory bodies is not slowing

down. While some legislation is in progress to streamline compliance requirements and reduce the financial

burden, other legislation in progress will result in more compliance requirements and added cost of

implementation. Therefore, when the opportunity arises, educational institutions should continue to be vocal with

regulatory bodies and political leaders as to their perspectives on proposed changes and the regulatory cost

associated with such changes.

PwC 31

Contributors

Roslyn Brooks

Marcy Culverwell

John Dalton

Ralph DeAcetis

Martha Garner

Tom Gaudrault

David Hemingson

Paul Hinds

Syed Khan

Carl Miller

Patricia Moks

Tomas Pereira

Ann Pike

Emily Rando

Shannon Smith

Paul Tanis

Christopher Wells

© 2015 PricewaterhouseCoopers LLP. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.

Documents

University of California Audit and Communications Planregents.universityofcalifornia.edu/regmeet/may16/a6attach1.pdf · 30/6/2016 · Communications and Planned Interactions