Preventing higher education fraud with audit and risk collaboration

Imagine this scenario: at the prestigious Acewood University, the administration had long been proud of its rigorous academic standards and ethical integrity. However, a series of unsettling incidents began to surface: a professor was caught inflating grades for a favored student, a financial aid officer was found to be embezzling funds, and a research grant was discovered to have been misused. These events sent shockwaves through the campus, prompting the university's leadership to realize that a more proactive and integrated approach to managing fraud risk was desperately needed.

Fraud in higher education is a growing problem, presenting the potential for significant financial, reputational and operational risks. Colleges and universities should take a proactive and integrated approach to managing fraud risk. This article explores how internal audit and enterprise risk management (ERM) programs can collaborate to detect, prevent, and respond to fraud effectively, ensuring that institutions like “Acewood” can maintain their integrity and trust.

Understanding unique fraud risks in higher education

Higher education institutions face a unique set of fraud risks, including

• Student aid fraud.
• Financial fraud.
• Cybersecurity threats.
• Procurement and vendor fraud.
• Research and grant fraud.

These risks can have severe consequences, such as financial losses, damage to reputation, legal consequences and regulatory noncompliance.

For example, a recent case at the University of Central Florida (UCF) saw thieves stealing $107,625 through a sophisticated hacking scheme. The fraud involved hacking into a vendor's computers, tricking officials into transmitting money to a different bank account and swamping the school's email system to prevent warnings from being noticed. This incident highlights the importance of robust internal controls and continuous monitoring.

Collaborative efforts between audit and ERM

To effectively manage these risks, internal audit and ERM programs should work together. This collaboration can lead to a more comprehensive and risk-based approach to fraud detection and prevention. Here are some key points on how auditors and risk managers can collaborate:

Governance and independence

• Independence: Auditors provide objective assurance, while ERM managers facilitate risk ownership in business units. This separation ensures that both functions operate independently yet collaboratively.
• Risk alignment: Risk-based auditing lets auditors compare their audit plans with ERM risk assessments. Auditors can use that information to focus on the biggest risks that affect the institution.
• Real-time reporting: Dashboards that show what is happening can be used to track fraud, cybersecurity, and compliance risks. They can also be used to track remediation efforts. This type of information gives a clear view of new threats and how well controls are working.
• Integrated information: Sharing risk data across the institution prevents data silos and ensures a holistic view of risks.
• Regulatory compliance: Both audit and ERM should ensure adherence to standards such as the Institute of Internal Auditors (IIA) standards and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework help them achieve regulatory compliance.

Continuous risk assessment and monitoring

Continuous risk assessment (CRA) is a critical tool in the fight against fraud. It involves the ongoing analysis of data to detect and mitigate risks in real time. Here are some benefits of CRA:

• Early detection of fraud patterns: CRA helps identify suspicious patterns and anomalies before they escalate into significant fraud incidents.
• Pro-active risk mitigation: By continuously monitoring risks, organizations can take immediate action to prevent fraud and be aware of emerging risks
• Strengthening internal controls: Traditional audits and periodic reviews may miss real-time fraud, but CRA ensures that internal controls are checked continuously.
• Compliance with regulations: CRA helps make sure requirements from FERPA, HIPAA, Title IX, or NCAA are followed. This helps reduce regulatory risks and reduce potential for fraud.
• Cost savings and efficiency: Proactively preventing fraud through CRA reduces the need for costly forensic investigations and legal proceedings. It also optimizes internal audit efforts when automating control testing.
• Data-driven fraud prevention: using machine learning, AI, and analytics, CRA can predict potential fraud risks and flag irregularities based on trends.

Technology options for continuous monitoring

Technology plays a crucial role in continuous monitoring and risk assessment. Here are some technology tools that can help:

• Real-time dashboards: These give a central view of risk data from different parts of an organization. This helps both risk and audit teams find and evaluate changing risks.
• Data analytics: Using financial enterprise resource planning (ERP) data through direct connections can show you insights that can help you assess risks. For example, identifying overpayments, duplicate payments, or payments to ineligible recipients.
• Automated scripts: Replacing manual, error-prone sampling with automated scripts that run continuously in the background can improve the effectiveness of fraud prevention.

3 examples in action

1. Vendor fraud

Vendor fraud is a common issue in higher education, often caused by a lack of oversight of vendor contracts. Examples include false or inflated invoices, conflicts of interest, kickbacks, and unauthorized spending. To mitigate these risks, institutions can implement monitoring systems and controls, such as:

• Regular and surprise audits: conducting regular audits of vendor contracts and transactions.
• Data analytics: using data analytics to identify anomalies or patterns indicative of fraud.
• Automated tools: implementing automated tools to detect irregularities in payment processes.

2. Continuous audit example: purchase card audit

A continuous audit of purchase card data can help detect suspicious transactions. For instance, analyzing purchase card data to determine instances where transactions exceeded a pre-defined threshold or looking for duplicate transactions can surface potential fraud. Parameters such as the number of transactions over a threshold can be defined, and thresholds can be set to define control success.

3. Research and grant fraud indicators

Research and grant fraud can cause significant reputational and financial damage to institutions. Signs of such fraud include data fabrication, misuse of research funds, and conflicts of interest. To address these risks, institutions can:

• Analyze expenditure data: look for patterns of non-research-related spending, unusual spending categories, high personal expense amounts, and geographically inconsistent spending.
• Implement preventive controls: Ensure that funds are used for their intended purposes and that there are no undisclosed relationships between researchers and external entities.

Continuous risk assessment with technology integration

The updated IIA International Professional Practices Framework (IPPF) standards emphasize the importance of continuous risk assessment and technology integration, providing a framework for effective risk management in the modern era of higher education.

The integration of audit and ERM programs is essential for navigating and mitigating unique risks in higher education. By using technology to monitor and assess risks, institutions can quickly find and prevent fraud. This will ensure financial integrity, compliance with laws and a positive reputation.

Technology that helps higher education institutions stay ahead of fraud and risk

Diligent provides industry-leading solutions to help institutions strengthen oversight, mitigate risks and ensure compliance with evolving regulations. With a centralized platform for enterprise risk, audit, and compliance management, institutions can use our solutions to make data-driven decisions, improve financial integrity, and safeguard their reputation.

• Enterprise Risk Management – gain full visibility into institutional risks with automated risk assessments, real-time reporting, and industry benchmarking insights from Moody’s.
• Audit Management – enhance fraud detection, strengthen internal controls, and streamline compliance efforts with automated workflows, continuous monitoring, and AI-powered analytics.

Talk to us today about how you can integrate your risk and audit management to improve oversight, reduce fraud exposure and operate with greater confidence.