Audit Guide: Detecting the Handled Institution
A field guide for auditors entering institutions where the record may already be managed. This “Rosetta Stone” helps identify institutional gaslighting, audit choreography, handled records, and systems of plausible deniability.
Why?
A comprehensive framework for detecting institutional corruption, administrative violence, and audit choreography. Designed for OIG, DOJ, and other various external oversight teams to identify systems of plausible deniability and handled records.
This guide is for external auditors, OIG teams, DOJ contractors, and review staff who know how to audit records, but who may be walking into institutions where the record has already been handled. It is designed to help auditors, investigators, oversight teams, and institutional reviewers detect when choreography, scope, and access are being used to manage the record.
In formal audit language, many of these patterns appear as internal-control failures, risk-assessment gaps, unsupported management representations, weak substantive testing, or oversight evasion. This guide uses plainer field language because handled institutions often survive in the space between the formal term and the actual, lived mechanism.
A handled institution does not hide by refusing audit. It hides by preparing too well and by preparing the wrong kind of access.
The binders are ready. The summaries are crisp. The interview list is curated. The escort is helpful. Difficult people have already been narratively labeled. The ugly facts have been converted into process language. Faults have been self-disclosed.
Three early audit-control mechanisms in sequence:
- Choreography: the dog-and-pony show concentrates attention on a chosen surface.
- Scope: what the auditor is allowed to see is curated through channeled scope.
- Access: whom the auditor is allowed to hear from, which records the auditor may access.
How to read this guide:
First pass: Audit environment
Who controls the schedule, movement, interview list, room access, and unscripted speech?
Second pass: Scope and seams
What has been renamed, reorganized, outsourced, affiliated, excluded, or routed through a less encumbered entity?
Third pass: Evidence and value paths
Do raw records, custody trails, asset paths, money paths, benefit paths, and absence patterns match the institutional narrative?
With that in mind, here are some question frames.
1. First Signs of a Dog-and-Pony Audit
These are early signs that the audit environment itself is being managed before substantive testing begins. Watch for over-prepared binders, preselected interviewees, escorting behavior, forbidden side conversations, strangely uniform answers, and “helpful” summaries that arrive before questions are asked.
Pay special attention when the institution resists giving auditors a room alone with interviewees, or insists that a representative remain present during interviews.
The signal is not preparation itself. Good institutions prepare too. The signal is choreography: who sets the timeline, who controls movement, and who decides what the auditors are allowed to see.
Example: “We have you scheduled for a short tour at 9 a.m.”
A short tour can consume the entire morning. Auditors may find themselves deep inside a maze of buildings, equipment, offices, or operational areas, where it feels easier to continue following along than to interrupt the path. Then the day disappears into the vacuum of an escorted tour.
For multi-day audits, watch the evenings too. Long hosted dinners after each audit day can look hospitable, and sometimes they are. They can also function as schedule capture. If auditors are kept at dinner until late, they lose the quiet hotel-room hours needed to review documents, compare notes, identify contradictions, and plan the next day’s questions.
Hospitality becomes control when it consumes the auditor’s independent thinking time.
Auditors should preserve unstructured review time each day. The day’s documents, interviews, anomalies, and unresolved questions need to be examined away from the institution’s hosts, escorts, and preferred narrative.
A handled institution may manage the audit day by tour, and the audit night by dinner and entertainment.
daytime capture through tours and escorts
evening capture through hospitality and exhaustion
2. Scope Management
A handled institution may not need to hide the facts if it can redesign the audit scope so the relevant facts sit just outside the auditable frame.
Ask whether any hot area has been recently reorganized, renamed, outsourced, spun off, merged, dissolved, or moved into an affiliated entity.
A department that once sat inside the audit universe may become a wholly owned corporation, foundation affiliate, public-private partner, contractor-managed unit, or “independent” operating arm. The risk may remain functionally connected while becoming formally out of scope.
Look closely at pre-audit conversations that sound cooperative but quietly narrow the frame:
“Please let us know which areas you intend to review so we can be fully prepared.”
“Which files will you need?”
“Which equipment will you want to inspect?”
“Which units are you planning to visit?”
“Can you send the interview list in advance?”
“Can you identify the transactions you want pulled?”
Some of these requests are normal. Audits require logistics. The question is whether advance notice is being used to support access or to curate reality.
Watch for day-one checklists that specify which equipment, records, rooms, inventory locations, systems, contracts, or work areas will be viewed. If the institution knows exactly which areas will be toured, it may have time to smooth the record, relocate awkward items, brief staff, clean up custody gaps, or present a temporary version of normal operations, or advance audit findings with solutions already in the works.
Who proposed the audit scope?
Who negotiated it?
What was excluded?
What changed organizational form before the audit began?
Were any units, funds, vendors, contracts, systems, records, subsidiaries, foundations, affiliates, or public-private structures treated as outside the review when scoping the audit?
Does any excluded area still receive public money, public authority, public trust, institutional resources, shared staff, shared systems, shared leadership, or operational dependence from the institution under review?
Were any terms changed before the audit, such as “department” becoming “affiliate,” “program” becoming “project,” “procurement” becoming “partnership,” “complaint” becoming “personnel matter,” or “finding” becoming “process improvement”?
Scope can also be redesigned structurally before the audit ever begins. Watch for sensitive functions moved into affiliates, subsidiaries, foundations, LLCs, public-private entities, or wholly owned corporations. The institution may still control the entity, fund it, benefit from it, share leadership with it, or depend on it operationally, while later treating it as formally outside the audit universe.
The question is not only “Is this entity legally separate?” The question is whether the risk, money, authority, personnel, records, and public trust remain functionally connected.
Formal separateness can become a plausible-deniability architecture when functional control remains connected.
A scope boundary is not neutral just because it is documented. Scope is architecture. In a handled institution, the most important facts may be placed outside the room before the auditor arrives.
A handled institution can win the audit before evidence is reviewed by deciding what the auditor is allowed to see.
3. Multi-Institutional Projects and Least-Encumbered Routing
Multi-institutional projects can create audit fog. When public institutions, private entities, nonprofits, hospitals, foundations, affiliates, cities, universities, research centers, and public-private consortia work together, responsibility may be distributed across entities with different legal duties, procurement rules, disclosure standards, approval thresholds, and record-retention obligations.
Handled institutions may use that complexity to route activity through the least-encumbered participant. Do not stop at the entity that signed the contract.
Ask:
Who owns, controls, funds, governs, or benefits from the multi-institutional project?
Was a new legal entity created to hold the project?
If so, who owns it, appoints its board, controls its budget, receives its benefit, and bears its risk?
Who bought in, and what did each participant contribute: money, land, staff, reputation, data, research capacity, public authority, operational control, or access?
What voting rights does each participant hold?
Are voting rights proportional to funding, ownership, public exposure, operational control, or something else?
Who has veto rights?
Which entity controls procurement, hiring, contracting, research administration, grant compliance, vendor selection, data access, asset ownership, records, compliance, and public messaging?
Was procurement routed through the entity with the fewest public-bidding, transparency, conflict, board-approval, or documentation constraints?
Did a public institution supply money, authority, land, staff, reputation, research infrastructure, or controlling interest while another entity executed the contracts?
Was the “private” or “independent” entity functionally acting on behalf of the public institution?
Did the project move from one entity to another after legal, procurement, or compliance concerns were raised?
Are records split across entities in a way that prevents any one auditor from seeing the whole transaction path?
Ask for the full governance map: organizing documents, bylaws, operating agreement, board structure, voting matrix, delegated authority chart, procurement policy, conflict policy, and record-retention obligations.
The question is not merely which entity signed the contract and what their regulatory frameworks were. The question is whether public money, public authority, or institutional control traveled through a route designed to avoid obligations that would have applied if the transaction had remained visible.
The audit should follow the regulatory framework for where control should have resided, not merely the entity that actually executed the contracts.
4. Access Control and Management Representations
Management representations should be tested against unscripted access, lateral interviews, and contemporaneous records.
Notice:
Who Controls Access?
Who schedules interviews?
Who selects the interview pool?
Who sits in?
Who answers for others?
Who appears nervous when someone speaks directly?
Who tries to “clarify” what someone else meant?
Who becomes the recurring translator between the auditor and the institution?
Handled institutions often control reality by controlling access to unscripted speech.
Also notice who is absent on the day or days of the audit. A handled institution may manage the room by managing attendance: encouraging certain people to take the day off, assigning them elsewhere, placing them on leave, suspending them, or otherwise ensuring that the people most likely to disrupt the prepared story are unavailable during the audit window.
Ask for absence lists, leave records, disciplinary suspensions, temporary reassignments, and staffing changes around the audit period. Compare those names with prior complaints, conflicts, internal findings, procurement objections, HR issues, and known operational trouble spots. Is there a way to obtain a list of absent staff and interview them later?
Meeting Access and Functional Participation
Do not treat an invitation list as proof of participation.
In multi-participant audit meetings, wrap-up meetings, compliance reviews, or closing conferences, confirm at the beginning that all invited participants can actually speak, ask questions, view shared materials, and participate as intended.
Handled institutions may appear to include required participants while quietly limiting their functionality through meeting settings, moderator controls, muted roles, “listening only” access, restricted chat, disabled camera/microphone permissions, or facilitation rules that prevent real participation.
Ask:
Who is on the invitation?
Who can speak?
Who can ask questions?
Who can see shared documents or screens?
Who controls muting, chat, recording, screen sharing, admission from waiting rooms, and participant permissions?
Were any required participants placed in listening-only mode?
Were any participants told to route questions through a facilitator?
Were legal, compliance, finance, procurement, HR, internal audit, or operational witnesses present in name only?
Did the meeting format allow the appearance of compliance while preventing actual challenge, clarification, or record correction?
At the start of any multi-party meeting, the external auditor should ask each participant to check in verbally and confirm their role, purpose, and ability to participate. If a participant cannot speak, ask questions, or access the same materials, that limitation should be named on the record before the meeting proceeds.
Presence is not participation if the institution controls who can speak.
The auditor should verify functional participation, not merely attendance.
5. Procurement Controls and Override Paths
Ask buyers about exceptions, repeat vendors, emergency buys, verbal instructions, unusual routing, preferred suppliers, and pressure from above.
Ask what happens when they say no.
Ask whether there are recurring vendors that everyone knows are politically protected.
Ask about temporary authority. When a director, supervisor, or approver takes a day off, what gets pushed through? Who receives delegated authority? What transactions tend to appear during those windows?
Ask buyers what they would review first if no one could retaliate against them for answering honestly.
Has a buyer ever negotiated savings only to be reprimanded? That may signal that an off-ledger incentive, preferred vendor arrangement, or kickback path was disrupted.
GPO / Cooperative Purchasing Routes
Ask whether a group purchasing organization, cooperative agreement, consortium contract, purchasing alliance, or pre-negotiated contract vehicle was used.
Do not treat “we used a GPO” as the end of the procurement analysis.
Ask:
Was the institution eligible to use that vehicle?
Was the purchase category covered by that vehicle?
Did the original cooperative solicitation satisfy the competition requirements applicable to this institution, this funding source, and this purchase threshold?
Was the purchase made with federal funds, grant funds, restricted funds, state funds, foundation funds, or mixed funds?
Did the funding source require additional competition, cost/price analysis, domestic preference, disadvantaged-business outreach, conflict review, or documentation?
Were federal procurement requirements under 2 CFR 200, state law, institutional policy, sponsor terms, or grant conditions still applicable?
Was the GPO used to avoid a normal bid, sole-source justification, conflict review, board approval, public posting, or competitive evaluation?
Who selected the GPO?
Who selected the vendor within the GPO?
Were multiple GPO vendors compared, or was the GPO label used to justify a predetermined vendor?
Were administrative fees, rebates, credits, patronage dividends, marketing funds, conference sponsorships, or other vendor/GPO financial flows disclosed?
Did the GPO receive revenue from the awarded supplier?
Do staff and leadership attend GPO sponsored or funded events?
Did institutional staff receive travel, conference access, meals, speaking opportunities, advisory-board roles, or other benefits connected to the GPO or vendor?
A GPO may be legitimate. It may also become a scope-and-competition fog machine if auditors stop at the contract vehicle rather than testing the route.
“GPO” is not a magic word. It is a procurement route that still needs a compliance trail.
A cooperative purchasing vehicle can satisfy competition only if the competition actually traveled with the purchase.
GPO Governance, Advisory Roles, and Post-Employment Benefits
Ask whether any current or former institutional employees, especially procurement leaders, executives, department heads, category managers, or frequent GPO users in the institution have held board seats, advisory roles, committee positions, consulting arrangements, speaking roles, or paid affiliations with the GPO or its supplier network.
Ask:
Have any current or former employees served on a GPO board, advisory council, supplier-selection committee, user group, or strategic steering group?
Did any such role begin shortly before or after retirement, resignation, reassignment, or departure from the institution?
Were purchases routed toward the GPO while that employee still had influence over procurement strategy, category decisions, supplier access, or buyer expectations?
Did staff report pressure, formal or informal, to move spend through a particular GPO or cooperative vehicle?
Was the GPO framed internally as the preferred route before the compliance basis was tested?
Were buyers discouraged from using ordinary competitive processes because the GPO was described as easier, already approved, or institutionally favored?
Did the former employee later receive compensation, travel, status, conference visibility, consulting work, advisory access, or other benefits from the GPO or related suppliers?
Look for tacit exchange patterns. The issue may not be an explicit agreement. It may be a soft corridor: a manager pressures staff to route spend through a GPO before retirement, then later receives a board seat, advisory position, consulting role, or prestige platform connected to that same GPO.
A post-employment GPO role may be a reward path, not merely a résumé line.
Post-employment GPO affiliations should be tested against prior routing behavior.
PCard Rebates, Gift Cards, Credits, and Vendor Incentives
PCard spend can create a parallel value path. The transaction record may show the purchase, while rebates, gift cards, credits, refunds, promotional incentives, or vendor rewards move somewhere else.
Ask:
Who receives rebates, gift cards, credits, or promotional incentives tied to institutional purchases?
Where do those items arrive: mailroom, department office, buyer desk, card manager, central finance, warehouse, project site, or vendor portal?
Who opens mail or packages addressed to purchasing staff, card managers, labs, departments, or project offices?
What happens to envelopes, cards, rebate notices, vendor credits, or promotional materials when the usual recipient is absent?
Has anyone ever received gift cards, rebate cards, prepaid cards, supplier credits, or checks connected to PCard purchases?
Are those items logged anywhere in the institution’s accounting records?
Can the institution reconcile vendor-issued incentives against PCard spend?
Can vendors produce historical records of rebates, gift cards, credits, or promotional incentives issued to the institution?
Do vendor records match institutional records?
If a vendor says the incentive is “standard procedure,” ask for the historical issue log. Standard procedure should leave a repeated trace.
Follow the purchase, then follow every form of value the purchase generated.
If the institution says “this has never happened before,” ask how it knows.
Look especially for value that arrives after the original transaction and outside the normal invoice/payment path. A rebate card, gift card, supplier credit, or prepaid incentive may not appear in the PCard transaction data, yet it may have been generated entirely by institutional spend. Call large PCard spend vendors independently for answers to some of these questions, not relying on institutional story alone.
Contract-Renewal Perks and Vendor-Conferred Value
Look for non-cash benefits issued by vendors during contract negotiation, renewal, extension, preferred-provider selection, or volume commitment.
These are not ordinary travel points earned incidentally from trips already taken. They are benefits granted because the institution controls spend, volume, access, or contract renewal.
Ask:
What non-cash benefits were provided by the vendor during contract negotiation, renewal, or extension?
Were elite-status upgrades, international upgrade certificates, companion benefits, lounge access, preferred-service privileges, waived fees, credits, gift cards, conference passes, event access, advisory seats, or other perks offered?
Who at the institution knew these benefits existed?
Who decided how they were allocated?
Were they treated as institutional assets, personal perks, departmental benefits, or informal relationship currency?
Were they disclosed in the contract file, board materials, conflict-of-interest disclosures, gift logs, travel records, procurement records, or ethics filings?
Were the recipients involved in vendor selection, contract renewal, spend routing, travel policy, procurement strategy, or supplier evaluation?
Did the benefits go to the people making or influencing the contract decision?
Did the benefits continue after the contract was renewed?
Could the vendor produce a record of what was issued, to whom, when, and under what contract or renewal event?
Could the institution produce the same record?
The audit issue is not whether someone took a business trip and accumulated incidental points. The issue is whether valuable vendor benefits were created by institutional purchasing power and then quietly allocated to individuals.
When a vendor gives valuable perks during contract renewal, the auditor should treat them as contract consideration until proven otherwise.
Vendor perks created by institutional spend should be followed as institutional value in accounting records, not personal luck outside of them.
6. HR Controls, Retaliation Signals, and Scapegoat Patterns
Ask about complaints that never became official complaints.
Ask about resignations after conflict.
Ask about performance actions after protected activity.
Ask about informal warnings used to shut down inquiry.
Ask which good people have “unfortunately” left the organization. Do patterns appear in who left, where they worked, what they raised, or why they departed?
Ask about reassignments, reorganizations, “fit” concerns, and “difficult personality” labels.
Handled institutions often convert fact patterns into personality stories. If the same person who raised a concern later became “difficult,” “not collaborative,” “emotional,” “disruptive,” or “not a culture fit,” look closely at timing.
Scapegoat Pattern
Ask about recent public failures and who was formally blamed, reprimanded, suspended, reassigned, or let go afterward.
For each visible failure event, ask:
Who was named on the record?
Who disappeared quietly?
Which role was made to carry the failure?
Does that same role repeatedly absorb blame across unrelated events? Or has the position been fired and replaced multiple times while the surrounding leadership structure remains intact? This is potentially a designated tripwire, part of the architecture of plausible deniability, designed to halt blame from arriving at the inner circle.
Was the person publicly described through an institutional narrative before the facts were fully examined?
Did the institution frame the event as an individual lapse, poor judgment, lack of training, personality issue, or failure to follow procedure?
Then test whether the person functioned as an architected tripwire: a role placed close enough to the failure path to absorb consequence, while decision rights, incentives, approvals, underfunding, scope design, or leadership pressure remained elsewhere.
A scapegoat is not merely someone blamed unfairly. In a handled institution, a scapegoat may be part of the control architecture: the visible tripwire, a failure point designed to protect the invisible system.
Outside Seats, Paid Affiliations, and Institutional Time
Ask whether any current or former employees hold paid or compensated roles with affiliated nonprofits, multi-institutional networks, consortiums, foundations, GPOs, vendors, advisory boards, institutes, or public-private entities that do business with, receive funding from, influence, or benefit from the institution.
Ask:
Who holds outside board seats, advisory roles, steering-committee positions, consulting arrangements, paid speaking roles, or compensated leadership roles connected to entities adjacent to the institution?
Are those roles disclosed?
Are they paid directly, paid through stipend, paid through honoraria, compensated through travel, conference access, prestige roles, research support, consulting fees, or other non-salary benefits?
Does the employee perform that outside role during institutional work hours?
Are institutional staff, assistants, analysts, travel budgets, email accounts, offices, calendars, procurement authority, or institutional relationships used to support the outside role?
Does the outside entity receive institutional funds, membership dues, contracts, technology spend, grant participation, data access, policy influence, or preferred routing?
Did the employee influence the institution’s participation in that entity?
Was institutional participation expanded before or after the employee received the outside role?
Were other employees pressured to support, route spend through, attend, sponsor, or defer to the outside entity?
Look for arrangements where the institution pays the salary, supplies the time, lends the authority, and the outside entity supplies the private or semi-private benefit.
Double-dipping often hides as civic service, sector leadership, or professional collaboration.
Outside service should be tested when institutional time, authority, funding, or staff support appears to generate private or semi-private benefit.
7. Internal Audit, Risk Assessment, and Scope Suppression
Ask internal audit what they were discouraged from reviewing.
Ask what scope was narrowed.
Ask what evidence disappeared, arrived late, or became unavailable.
Ask which recommendations were softened.
Ask which findings never reached the final report.
Look for turnover and ask for a list of former employees.
Ask whether management responses addressed the actual finding or reframed it into a narrower procedural issue.
Ask what they would test if they had full independence, full access, and no concern about institutional blowback.
8. Legal / Counsel Interface
Privilege is legitimate. It can also become a fog machine.
The question is whether counsel is protecting legal analysis or helping convert operational facts into protected management representations.
Notice when legal review is used to prevent fact-finding rather than protect legal analysis.
Ask what is truly legal analysis, and what is operational concealment wearing legal clothing.
Look for scoped-review language such as “agreement to form only,” “limited review,” “no opinion on underlying facts,” or “management provided the following representations.”
These phrases may be appropriate. They may also mark the boundary between what was examined and what was carefully left untouched.
9. Handler Signals
Handler signals often appear where management representations become too polished, too uniform, or too quickly supplied. Look for the same person appearing across unrelated issues as someone who “helps solve things” organizationally.
Ask which names are whispered about with fear as people no one should cross.
Look for those who translate facts into process language.
Look for those who reframe witness statements.
Look for those who “helpfully” contextualize people before auditors meet them.
Look for those who explain why certain people are unreliable before those people have spoken.
Look for those who convert clear events into ambiguous procedural disputes.
Look for those who narrate the institution’s story before the evidence is independently examined.
The handler may be in HR, legal, operations, compliance, finance, procurement, executive administration, or an informal role with unusual access. The title matters less than the function. Handlers smooth problems and turn corruption into normalcy and procedure.
10. Evidence Protection and Substantive Testing
Preserve raw artifacts before summaries.
Substantive testing should reach beyond prepared summaries into raw artifacts, timestamps, transaction histories, access logs, and contemporaneous records.
Compare prepared documents against contemporaneous records.
Interview laterally.
Ask the same question at multiple levels.
Separate the fact record from the institutional narrative.
Do not let the prepared binder given to you by the institution become the audit universe.
Whenever possible, obtain timestamps, original emails, transaction histories, access logs, delegation records, draft versions, deleted or superseded workflows, and records produced before the audit was anticipated.
Cradle-to-Grave Asset Tracking and Control Continuity
Follow the asset from acquisition or fabrication through disposal, especially when high-value property is reclassified as waste, scrap, surplus, obsolete, experimental, damaged, or no longer useful.
Cradle-to-Grave Asset Tracking catches the broad lifecycle problem: value can disappear when an item moves from purchase/build/use into transfer, disposal, scrap, surplus, donation, or “waste.”
The audit issue is not only what was purchased. It is what happened to the value after purchase, build, use, obsolescence, transfer, disposal, donation, scrap, or “waste” designation.
Handled institutions may hide value at the end of the chain by misclassifying high-value items as waste, surplus, scrap, salvage, obsolete material, abandoned property, or no-longer-needed equipment.
Ask:
What high-value items were built, purchased, assembled, donated, fabricated, customized, or developed inside the institution?
Where did those items go when the project, semester, grant, lab, contract, or program ended?
Who determined that the item had no remaining value?
Was an objective valuation performed?
Was the disposal method documented?
Was the item sold, donated, transferred, scrapped, stored, parted out, or quietly released to someone?
Who received it?
Was the recipient an employee, board member, donor, vendor, contractor, faculty member, student group, affiliated entity, or insider-adjacent person?
Was the item treated as capital equipment, movable capital asset, inventory, surplus property, scrap, waste, or something else?
Did that classification match institutional policy and actual value?
Was any dean, director, board member, project sponsor, or department head able to pre-approve disposal without independent valuation?
Compare purchase records, fabrication costs, grant records, donated components, labor and materials, insurance schedules, capital asset records, inventory systems, surplus logs, disposal forms, transfer records, sale proceeds, and recipient records.
The key question is whether institutional value was allowed to disappear at the moment the item changed category.
Be skeptical when high-value items become “waste” at precisely the moment someone powerful wants them.
Non-Standard Delivery Points and Chain-of-Custody Breaks
Follow delivery locations, not only purchase approvals.
Non-standard delivery can become the first break in institutional ownership.
High-value items, equipment, research materials, electronics, tools, controlled items, specialty components, and fabricated goods may be purchased through institutional channels but delivered outside normal custody pathways.
Ask:
Where was the item delivered?
Was it delivered to a central receiving dock, warehouse, department office, lab, project site, home address, off-campus facility, vendor-managed location, hotel, conference site, storage unit, or private residence?
Were any high-value items delivered to professors’ homes, administrators’ homes, employee residences, board-member addresses, contractor sites, or other non-standard locations?
Who approved the delivery address?
Was the non-standard delivery justified in writing?
Did the item ever enter institutional receiving, inventory, capital asset, or custody records?
Who signed for it?
Was the signer an institutional employee acting in an official capacity?
Was there a direct chain from delivery confirmation to institutional check-in?
Could the item be physically located after delivery?
Do delivery addresses in vendor records match institutional receiving records?
Are there repeated patterns of certain buyers, departments, faculty, labs, or executives using non-standard delivery points?
Look especially at high-value items delivered outside normal receiving channels and later described as missing, consumed, experimental, project-specific, personally held, or difficult to locate.
A purchase is not controlled because it was approved. It is controlled when custody is traceable from delivery to use to disposal.
Surplus Disposal, Insider Access, and Asset Misclassification
Surplus stores, resale programs, scrap processes, auction channels, and disposal warehouses can be legitimate asset-recovery tools. They can also become quiet dispersal vehicles for mispriced institutional value.
Surplus Stores and Insider Access catches the specific exit mechanism: once something enters surplus, who gets first look, who sets the price, and whether public value is quietly routed to insiders.
Surplus is not neutral if insiders see the asset before the market does.
Ask:
Who gets early access to surplus items before public listing?
Who is notified when desirable items are coming through?
Are board members, donors, senior administrators, faculty, staff, vendors, contractors, friends, or affiliated entities given preview access?
Who sets the price?
Is pricing based on objective valuation, replacement value, market comparables, depreciated book value, scrap value, or informal judgment?
Are certain categories routinely undervalued because they are described as obsolete, waste, scrap, student-built, experimental, damaged, or “not useful to the institution”?
Are high-value items ever held back from public auction or public listing?
Are items routed to particular buyers before competitive sale?
Are there patterns in who purchases desirable surplus items?
Are the same people or entities repeatedly buying equipment, vehicles, tools, electronics, furniture, research assets, specialty materials, or fabricated objects at favorable prices?
Can the institution show a timestamped chain from surplus designation to valuation to public availability to final buyer?
Do surplus staff ever receive instructions from deans, directors, board members, project leaders, or executives about where an item “should” go?
Look especially for “early look,” “courtesy hold,” “internal preference,” “special pricing,” “departmental transfer,” “scrap value,” or “no market value” language.
Surplus can become the polite exit door for institutional value.
Research Funding, Portable Assets, and Stewardship Risk
Research environments create special audit risk because money, equipment, data, staff effort, grant influence, and institutional prestige can cluster around a single investigator. Some of that is normal. Research funding often follows expertise. Principal investigators may legitimately move between institutions. Equipment may be transferred, loaned, subawarded, or shared.
The audit question is whether the institution can still see, value, control, and account for what moved.
Ask:
What funding travels with the researcher?
What equipment, instruments, samples, data sets, software, lab materials, animals, controlled substances, prototypes, tools, or capital assets travel with the researcher?
Are these transfers documented as institutional transfers, loans, subawards, disposals, gifts, project assets, sponsor-owned property, or personally controlled research materials?
Who approved the movement?
Was sponsor approval required?
Was institutional approval required?
Was there an asset-transfer agreement, material-transfer agreement, data-use agreement, subaward, loan document, custody record, or capital-asset update?
Did the item remain institutionally owned while being physically controlled elsewhere?
A capital asset does not become personal because the researcher is indispensable.
Could the institution locate the item after transfer?
Were assets removed before final inventory, closeout, dispute resolution, litigation hold, audit review, or sponsor reconciliation?
Were depreciation, residual value, insurance, maintenance, calibration, safety, and disposal responsibilities assigned?
Did staff, students, postdocs, or administrative support move with the funding in ways that blurred who controlled their work?
Did the researcher’s outside affiliations, sponsor relationships, patents, equity, consulting, advisory roles, or future employment affect what was studied, delayed, emphasized, or quietly avoided?
Look closely when research funding appears to belong socially to the researcher rather than institutionally to the award, sponsor, department, or public purpose.
A grant may be scientifically investigator-led while still requiring institutional stewardship.
Research Direction and Funding Influence
Ask whether funding sources, donor preferences, sponsor relationships, industry partners, philanthropic gifts, or investigator incentives shaped the research question itself.
Research funding can travel with a person while accountability remains with the institution.
Ask:
Who selected the research question?
Who had approval rights over scope, publication, data access, timing, methods, or interpretation?
Were negative findings delayed, softened, reframed, or left unpublished?
Were topics avoided because they would threaten a donor, sponsor, vendor, affiliated hospital, foundation, industry partner, or politically protected program?
Were graduate students, postdocs, staff, or junior researchers pressured to align findings with the funding relationship?
Did the sponsor have rights to review, comment, approve, delay, or suppress publication?
Were conflicts disclosed to participants, reviewers, journals, sponsors, or institutional committees?
Did institutional leadership treat the researcher as too valuable to question because funding, prestige, rankings, patents, clinical volume, donor access, or political relationships traveled with them?
A handled institution may protect the grant-getter because the grant-getter has become a revenue surface. That does not make the research false. It means the audit should test whether money, status, and custody have changed the boundary between independent inquiry and institutional dependence.
Follow the grant. Follow the asset. Then ask what question became harder to ask because the money was attached.
11. Audit Design Principle: Do Not Let the Institution Define the Denominator
Do not let the institution define the denominator of the audit.
A handled institution will often try to narrow the denominator: one transaction, one employee, one process gap, one misunderstood policy, one isolated exception.
The auditor’s task is to keep the denominator attached to the real system.
Was this one error, or a recurring pathway?
Was this one employee, or a role being used as a blame sink?
Was this one vendor issue, or a procurement pattern?
Was this one complaint, or part of a retaliation channel?
Was this one missing record, or evidence of controlled access to truth?
Related doctrine: the Demon Denominator.
Do not let the institution shrink a systemic failure into one disposable person unless the evidence supports that denominator.
12. Data Set Comparison and Substantive Testing Across Seams
Follow all money.
Do not stop at ordinary procurement spend.
Review petty cash, corporate cards, PCards, credits, rebates, refunds, supplier credits, parking-lot money, conference funds, travel reimbursements, foundation accounts, affiliated entities, and contractor-paid benefits.
Look for credits issued in one year against invoices not yet received.
Look for unused balances parked with contractors.
Look for project spend that does not match vendor rate cards.
Look for recurring payments that, in aggregate, move the purchase into a higher regulatory, federal, or institutional approval threshold.
Compare multi-award spend across vendors under the same award.
Compare emergency purchases against ordinary buying patterns.
Compare who receives exceptions against who receives scrutiny.
Compare invoice timing with budget deadlines, leadership absences, audit windows, and fiscal-year close.
Compare institutional payments, membership dues, sponsorships, travel, staff time, and procurement routing to outside entities where employees hold paid, advisory, board, or governance roles.
Handled institutions often hide patterns in the seams between data sets.
13. Hidden Incentives and Control Environment
Lower-level employees may assume the auditor is looking for wrongdoing by them. That can shut down useful truth.
Make clear that ordinary questions are not accusations.
Ask calmly about favorite contractors.
Ask whether contractors pay for conference attendance, professional events, meals, drinks, travel, entertainment, training, gifts, or “relationship-building” opportunities.
Ask which contractors take people to lunch.
Ask which contractors take other teams to lunch.
Ask whether anyone has been offered travel to desirable destinations connected to vendor events.
Ask who gets invited, who approves attendance, who pays, and whether anything changes afterward.
The question is not only whether a formal bribery rule was violated. The question is whether preference, access, or institutional dependence is being cultivated off-ledger.
14. Seam Failures, Control Gaps, and Orphaned Risks
Handled institutions often hide risk in the seams between formal owners.
Look for places where an item, complaint, payment, asset, shipment, responsibility, or decision moves from one organizational boundary to another. These are the places where accountability can become foggy.
Ask:
What happens after delivery but before formal receipt?
Has anything gone missing between supplier delivery and project check-in?
Who owns custody during that interval?
Are there research materials, equipment, controlled substances, capital assets, samples, tools, or records that pass through a temporary holding zone before they become visible to the receiving unit?
Where does the official system first recognize the item, and what happens before that moment?
Ask where problems go when no department wants to own them.
Which issues are treated as procurement’s problem by operations, operations’ problem by finance, finance’s problem by legal, legal’s problem by HR, HR’s problem by compliance, and compliance’s problem by leadership?
Where do multiple offices each say, accurately according to their charter, “that is outside our scope”?
These are not always signs of corruption. Some are ordinary coordination failures. A handled institution can still use seams as hiding places because each unit can deny ownership while the underlying risk remains unresolved.
The question is:
Where does the problem live when every formal owner says it belongs somewhere else?
Seam failure is about no clear owner.
Rage at Repair
Outsized anger can be an audit signal.
Some institutional anger is ordinary. People dislike disruption, new controls, added documentation, and loss of convenience. But auditors should notice rage that appears disproportionate to the stated issue, especially when the change improves custody, traceability, ownership, safety, or accountability.
Ask where outsized rage appeared after:
chain-of-custody gaps were closed;
ownership was clarified;
ambiguous handoff points were assigned to named roles;
redundant or informal approvals were removed;
exceptions began to be logged;
temporary holding zones were eliminated;
cameras, signatures, timestamps, or access controls were added;
inventory, controlled substances, hazardous materials, cash, gift cards, credits, or sensitive records became traceable;
direct handoff replaced “leave it there” practice;
the system began requiring evidence before release, payment, disposal, transfer, or receipt.
Ask:
Who became angry when the gap was closed?
Who claimed the new control was unnecessary, insulting, inefficient, or “not how we do things”?
Who had previously benefited from the ambiguity?
What could move through the old gap without a named owner?
What became impossible after the repair?
Did the rage appear before the repair had produced any real inconvenience?
Was the anger framed as concern for efficiency, customer service, academic freedom, research speed, staff morale, trust, or professional dignity?
Did the same person who objected to the repair also resist documentation, custody assignment, cameras, signatures, or direct receipt?
Did the institution treat the rage as a personality conflict rather than a signal that a hidden pathway had been interrupted?
A handled institution may describe a repair as overreach when the real problem is that the repair closed an exploitable gap.
Diagnostic line:
Rage, as signal, often marks the place where hidden discretion has lost its hiding place.
Disproportionate anger around a control improvement may indicate that the prior ambiguity served someone.
15. Managed Delay and Oversight Evasion
Watch for issues that are endlessly assigned to committees, working groups, reviews, task forces, or “future policy updates” without resolution.
Ask:
Who has authority to decide?
Who benefits from delay?
How long has the issue been under review?
What interim controls exist while the committee deliberates?
Are the same issues repeatedly tabled, deferred, rescoped, or returned for more information?
Does the committee have the authority, resources, and mandate to solve the problem, or only to absorb it?
Handled institutions often use process as a waiting room where urgency goes to die.
Delay can be a control strategy when decision rights are too politically dangerous to exercise.
Stalling is about nominal ownership without movement.
16. Special Pathways, Exceptions, and Control Overrides
Handled institutions often preserve formal control systems while quietly maintaining special pathways around them.
Ask about anything described as special, urgent, sensitive, executive, exception-based, legacy, temporary, one-off, emergency, relationship-driven, or “not how we usually do it.”
Ask:
Who has special access for urgent situations?
Who has special authority that is exercised rarely, but powerfully?
Who can expedite transactions, hires, investigations, payments, travel, purchasing, approvals, room access, system access, or records access?
Is there a special expediting process for a particular person, lab, department, executive office, vendor, donor, project, or external partner?
Who can override ordinary queue order?
Who can bypass normal documentation?
Who can request after-the-fact approval?
Who can authorize exceptions verbally?
Who can make something happen before the system formally recognizes it?
Who decides that a situation is urgent?
How often are “rare” exceptions actually used?
Are exceptions logged, reviewed, and compared across units?
Special authority is not inherently improper. Real systems need emergency paths. The audit question is whether the special path is bounded, documented, reviewed, and available according to objective criteria, or whether it functions as a private corridor for favored actors.
Look especially at recurring “one-off” exceptions. A one-off that repeats is no longer an exception. It is an informal system.
The special path is where the formal system admits who it really serves.
Closing Note
A handled institution may look cooperative. That is part of the difficulty.
The auditor should distinguish cooperation from choreography. Cooperation makes truth easier to reach. Choreography makes the institution’s preferred story easier to repeat. The audit findings may arrive already narrated in a form easy enough to file as complete.
The audit does not only test records. It tests who controls access to defining reality.
Madonna Demir
SIA on corruption and power, further reading on how handled institutions manage audit risk