Five questions for Agnessa Vartanova
When Agnessa Vartanova joined CU as associate vice president of internal audit just over three years ago, she was new to higher education. The accounting professional arrived from DaVita Inc., a Fortune 500 company in Colorado, and she previously served in corporate leadership positions at TTEC Holdings Inc. and Ball Corp., another Colorado-based Fortune 500 company.
“At the University of Wyoming, I studied accounting and had a phenomenal fraud examination professor, who made the profession of auditing sound interesting,” Vartanova said. After earning bachelor’s and master’s degrees in accounting from UW, she began her career at PricewaterhouseCoopers in Denver.
“With a variety of clients, I had an opportunity to work on both external and internal audit engagements,” she said. “I really enjoyed the continuous improvement and operational efficiency aspect of internal audit. When I had a chance to join an internal audit team at TeleTech, I jumped on it. The rest, as they say, is history.”
Apart from a couple of years in financial planning and analysis at Ball Corp., Vartanova’s career has been dedicated to internal audit.
“I truly believe in the profession and the value internal auditors can bring to an organization they serve,” she said.
Vartanova grew up in Saratov, Russia, but has lived in the Rocky Mountain West since arriving in Wyoming as a 15-year-old exchange student.
“Since that was before Internet and cellphones, when I was matched up with a host family in Casper, Wyoming, my parents researched where I was going by looking it up in an encyclopedia. They had never heard of the place,” Vartanova said. “The encyclopedia showed that Casper was the largest city in Wyoming (a pretty large state on the map), so coupled with the fact that I was flying into Casper International Airport, I did not expect the pilot of a small puddle jumper (which should’ve been a tipoff, but I was only 15) announcing landing in the middle of nowhere. Despite the initial culture shock, I had a great year.”
After high school, she attended Casper College before enrolling at the University of Wyoming.
“Albeit not the most glamorous locations in the U.S., I feel fortunate to have been able to attend both institutions, which gave me a strong foundation for my career and where I formed lifelong friendships,” she said.
In her current home state, she enjoys hiking.
“So far, my daughter and I have hiked 14 14ers and are hoping to summit a few more this summer,” Vartanova said. She also enjoys live music and theater performances, and reading books on history, leadership, and communication.
1. “Audit” can be an intimidating word. Does that lead to any misconceptions or misunderstandings about your department’s role and how the team carries it out?
Absolutely! There are many types of audit services: tax, compliance, financial, environmental, health and safety, and more.
There is also some misunderstanding about what triggers an audit, what that process will look like, how the findings are shared, and what impact the outcomes might have. It doesn’t help that auditors, deservingly or less so, have a reputation of having a “gotcha” attitude. In most cases, an announcement of an upcoming audit will send people’s hearts racing. I find that a lot of apprehension is driven by a lack of appropriate communication between the auditors and auditees, lack of transparency in the process, differing expectations and level of rigor, and challenging prior experiences with auditors.
As internal auditors, our purpose is to strengthen the organization’s ability to create, protect and sustain value by providing the Board of Regents and leadership with independent, risk-based and objective assurance, advice, insight and foresight. Although we report to the Board of Regents and have the word “auditor” in our title, our vision is to provide impactful insight to all CU stakeholders, enabling a stronger control environment, operational efficiencies, and successful achievement of objectives. We intentionally take the time to demystify our process and answer concerns that individuals may have at the onset of an audit. My team really thrives on helping our stakeholders establish and maintain strong internal controls and sound business practices.
2. How do you and your team go about promoting sound business practices and internal controls at CU? How do you interact with professionals at the campuses?
Our portfolio of services includes assurance and advisory engagements, fiscal misconduct investigations, and education. In every interaction with our stakeholders, we have an opportunity to share insight about effective internal controls and provide a fresh perspective on process efficiency:
- Our assurance engagements are designed to provide objective assessments on control effectiveness. To the extent we observe that a process is not well-defined through a policy or procedure, a control is not designed to prevent or detect errors or is not consistently performed, we will share our observations and provide recommendations on how to remediate those gaps. In these situations, we will request process owners to provide an action plan to address the gaps, and we will monitor the completion of the action plan against the agreed-upon implementation timeline. To the extent the gaps may not significantly impact the risk associated with the process, but there is a way to further strengthen controls, we may provide a process improvement recommendation.
- Our advisory engagements are designed to support the university in the implementation of new policies, procedures, or systems through providing insight around design and training and facilitating discussions about risks and controls. In these engagements we can provide an auditor’s perspective on the quality of documentation, holistic and effective nature of the rollout, and the ability of the anticipated controls to mitigate risk.
- In the case of the fiscal misconduct investigations that our team performs, we may also provide insight as to the control weaknesses that may have led to the finding of fraud or misconduct.
- Through the educational aspect of our service portfolio, we are well-equipped to share general perspectives on well-established control environment, effective risk assessments, control design, compliance structures and monitoring activities, as well as fraud indicators and mitigation techniques. These conversations are often delivered through presentations both at CU and professional conferences.
In other words, we are intentional about seizing opportunities to educate our community on sound business practices, effective internal controls, and efficient processes in every engagement.
In the past three years, we have been intentional about investing in relationships with campus leaders, developing and following a transparent and consistent process, and keeping our vision in mind with every interaction and engagement. We have several touchpoints throughout the year with senior leadership and consider their input when developing our annual audit plan.
That said, we don’t want our auditees to think that they were selected for an audit because “someone told on them.” We actually have a fairly rigorous risk assessment process for designing our annual list of engagements. It includes several input points, including emerging higher education risks, CU objectives, and our cumulative audit knowledge and experience. We also have strengthened the frequency of our communications and timeliness of our processes to provide better service to CU.
We also keep our team Core Values in mind in every interaction with our stakeholders, approaching every conversation with integrity, respect, and service excellence; staying accountable for our actions and agile in our approach; and focusing on the best interests of the CU community.
Another way we interact with our stakeholders is through CU EthicsLine. Apart from the reports of potential fiscal or ethical misconduct, faculty and staff often reach out for advice and support via the hotline. That provides us with opportunities to provide answers or direct those individuals to the right folks in the CU community.
3. As you mentioned, you report directly to the Board of Regents and the Regents Audit Committee. Why is that structure important to the work you do?
The answer to that is two-fold. Firstly, this reporting structure establishes and protects internal audit’s independence, enabling us to perform our services and fulfill our responsibilities without interference or inappropriate limitations. The Board specifies our authority, role and responsibilities, which provides internal audit with the support necessary to fulfill our purpose and deliver on our vision.
Secondly, by reporting to the Board, we can objectively review all entities in the CU system, report the results of our engagements, and effectively monitor the disposition of action plans without undue pressure or bias. It is also important to mention that this reporting structure supports our mandate to include all of CU system operations in our scope, which helps us better assess risk and provide holistic and relevant coverage through our engagements.
4. You gained previous professional experience at Fortune 500 companies in Colorado. What aspects of that work have most informed your approach in the higher education setting at CU? What, if anything, has differed the most or been most surprising?
Working at Fortune 500 companies has definitely taught me a strong professional ethic and commitment to operational efficiency, both within internal audit and organizational processes. It has also been a valuable experience from the perspective of engaging across different cultures, as I had an opportunity to work internationally. Many of the updates that we have implemented at the CU Internal Audit practice over the last three years have leveraged leading industry practices, such as data analytics, focus on engagement quality and timeliness, and process consistency.
One of the pleasant surprises for me was the high level of knowledge-sharing among higher education auditors. I have built a strong network of colleagues across the country, which I can leverage when exploring new audit topics or approaches to addressing emerging risks.
Higher education institutions like CU have a distributed and highly diverse operational model, which is further complicated by a vast number of regulatory compliance requirements. With so many facets to CU’s operations, it can be challenging to know which risks require most attention from my team. Such a diverse and demanding environment pushes us as internal audit practitioners to continuously learn and grow professionally in order to serve our stakeholders well. Still, a lot of financial and information security internal controls and ethical business concepts are industry-agnostic, and we can be creative and resourceful in adapting successful methodologies from the commercial sector, which can be highly beneficial.
5. Is there something that every employee at CU should understand about the role they play in the university’s risk management and business practices?
It is important for every employee at CU to understand their responsibility and accountability in the safeguarding of the university’s assets and reputation through upholding ethical business practices. CU operates in a complex and diverse regulatory and operational environment, which presents a plethora of potential challenges and risks. CU also plays an important role in our communities, the state and the nation, providing excellent education and groundbreaking research. Being knowledgeable about potential risks, what a well-designed control may look like, and staying committed to highest ethical standards and regulatory compliance is vital to CU being able to continue to serve our stakeholders and positively impact our society.
Employees should know that CU offers many resources to help them stay educated and compliant with policies and regulations. Offices of compliance, export control, grants and contracts, controllers, information security, and internal audit can all provide support and insight in a variety of risk management matters.
There also are ways to report potential fiscal misconduct or unethical behavior through a resource that is provided by the Board of Regents to the entire CU community, the CU EthicsLine. Reports to this hotline can be made through a variety of ways and may be anonymous. The hotline is monitored by internal audit, ensuring that every concern is appropriately delegated for a timely investigation. As always, under university policy and applicable law, any university employee or contractor who reports known or suspected violations of law or university policy in good faith is protected from retaliation.