Eliminating Sludge in the University Business Office

I was listening to the Freakonomics Radio episode "All You Need Is Nudge" when Richard Thaler said something that stopped me mid-run. The Nobel laureate was describing a moment when he — one of the world's foremost experts on irrational systems — found himself trapped inside one. He was conducting research and needed to fill out a compliance form at a well-known university in Cambridge, Massachusetts. The experience, according to his account, was an exercise in institutional absurdity. Here was a man who had spent his career diagnosing exactly this kind of dysfunction, sitting inside it, powerless.

What struck me wasn't the irony. It was the universality. Every business officer in higher education is familiar with that form. We may not have designed it, but we administer its cousins every day.

Thaler has a name for what that form represents: sludge. Where a nudge is choice architecture that makes the right thing easy, sludge is friction that makes everything harder than it needs to be. It accumulates in institutions, not usually because anyone wants to obstruct people, but because no one has ever been held accountable for the cost of their friction. University business offices — and I say this with full self-awareness — are among the most prolific producers of sludge in American organizational life.

The first honest step is to name what we're looking at. When a faculty member submits a reimbursement request and is asked for documentation they already submitted, that's sludge. When a department chair needs three approvals to purchase something under $500, that's sludge. When a student waits six weeks for a refund that requires no human judgment, that's sludge. These aren't inconveniences at the margins. They are policy choices — and they have a cost that never appears on a budget report because no one has ever been asked to measure it.

Here is where a certified fraud examiner would stop me, and they would be justified in doing so.

Friction is not only an institutional failure. In the right places, friction is an institutional defense. The three-signature purchase approval that feels like compliance theater may exist because purchasing fraud and expense reimbursement fraud are two of the most prevalent schemes in nonprofit and educational institutions. The ACFE's own research shows that asset misappropriation accounts for the overwhelming majority of occupational fraud cases in higher education, with median losses running into the hundreds of thousands of dollars. Small-dollar, high-frequency transactions are a particularly common vector precisely because they tend to fall below the threshold of scrutiny. The CFE reading this post would argue — correctly — that eliminating controls in the name of efficiency is how institutions end up on the wrong side of an audit finding, a board investigation, or a federal compliance review.

That critique deserves a direct response, because it is the reason well-intentioned process improvement efforts stall in university administration.

The answer begins with the Fraud Triangle. Donald Cressey's foundational model holds that fraud requires three conditions to occur simultaneously: pressure, opportunity, and rationalization. Most university business offices design their controls almost exclusively against the opportunity leg — creating physical and procedural barriers to access. This is understandable but incomplete. Sludge addresses opportunity imperfectly at best, and it actively worsens rationalization. The faculty member who has been asked to resubmit the same documentation three times, waited two months for a reimbursement, and navigated a system that treats every transaction as a presumptive act of theft is not a person whose rationalization threshold has been raised. The internal logic of "this system is broken and treats me like a criminal, so cutting corners doesn't feel wrong" is not hypothetical — it is a predictable behavioral response to institutional disrespect. Sludge that was designed to prevent fraud can, perversely, erode the ethical culture that is the most durable protection against it.

The second answer is that control existence and control effectiveness are not the same thing, and most business offices have accumulated significant quantities of the former masquerading as the latter. A three-signature approval where all three approvers are in the same department, share system access, and routinely rubber-stamp each other's requests is not a fraud control — it is a social ritual that resembles one. It also illustrates a well-documented organizational phenomenon: diffusion of responsibility. When everyone is accountable, no one is. The signature line that takes thirty seconds to execute after four days in an inbox is not a checkpoint. It is a latency cost dressed up as governance.

This reframes the goal of a sludge audit entirely. The objective is not to eliminate controls. It is to distinguish genuine risk-commensurate controls from accumulated process debris — and that distinction requires internal audit and risk management as partners in the work, not obstacles to it.

The diagnostic toolkit for such audits begins with Value Stream Mapping, adapted from Lean manufacturing. You walk a single transaction — a travel reimbursement, a vendor payment, a budget transfer — from initiation to completion and document every step, every handoff, and every wait time. The resulting map separates process time (the actual touch time required to perform each step) from lead time (the total elapsed time from submission to completion). In higher education, this gap is almost always shocking. A reimbursement that requires eleven minutes of actual human processing time routinely takes three to six weeks to complete. When administrators see that ratio rendered visually — not described, but mapped — the argument for removing sludge becomes mathematical rather than emotional. A document sitting in an inbox for four days to receive a thirty-second digital signature is not a control. It is a capital cost: delayed research procurement, deferred vendor relationships, and institutional credibility lost with the faculty member who will remember the experience the next time someone asks for their cooperation on a compliance initiative.

The 5 Whys technique is equally useful for interrogating why a step exists in the first place. Most business office processes contain steps that rely on institutional memory rather than current logic—controls designed for a system that was replaced a decade ago, approval requirements triggered by a single incident in 2009 that became everyone's permanent burden. Working through the sequence honestly, with both an operations lens and a fraud lens, will surface one of two answers. Either the original risk has been mitigated by other means and the step is now purely frictionary, or the control remains necessary and the complaint about it is simply the cost of operating with integrity. Both outcomes are useful. Neither emerges without asking the question.

The technology dimension deserves its own treatment, because this is where good intentions most reliably produce bad outcomes. There is a rule in manufacturing: you don't automate a bad process. The equivalent in university finance administration is that you don't configure a workflow that mirrors a paper form from 1995. When universities implement modern cloud-based finance systems — Workday, Oracle Cloud, and their peers — and map existing processes into the new software without first questioning whether each step should exist at all, they digitize the sludge rather than eliminating it. The implementation becomes an expensive missed opportunity, and the sludge becomes harder to remove because it is now embedded in system architecture rather than merely habitual behavior.

The more consequential shift that modern systems enable is a move from preventative controls to detective controls — and this is where the fraud examiner and the process analyst should find the most productive common ground. The traditional model of university finance control is built on prevention: require approvals, mandate documentation, create friction at the point of transaction. The limitation of this model is that it imposes costs on every transaction in order to catch the small fraction that represent genuine risk. Modern continuous monitoring tools, AI-powered anomaly detection, and automated duplicate-payment flagging can identify suspicious patterns across the full transaction population in real time — without inserting a human bottleneck into every individual transaction. Removing the manual approval step on a low-risk, low-dollar disbursement is a defensible control decision when the back-end monitoring is rigorous, automated, and genuinely independent. The CFO's burden in this conversation is to lead the institutional shift from "prevent all errors at any cost" to "detect material errors rapidly through data" — and to make that case clearly to external auditors who may still be evaluating control strength by counting signatures rather than measuring detection capability.

Delegation-of-authority thresholds warrant particular scrutiny within this framework. Approval limits that haven't been reviewed in a decade may require adjustment, but any adjustment should occur through explicit consultation with internal audit and a clear-eyed assessment of what each approval is intended to protect against. The goal is not to lower thresholds or to raise them. The goal is thresholds calibrated to real risk, with genuinely independent approvers, meaningful segregation of duties, and a clear audit trail.

Thaler's core observation about sludge is that its burdens are not randomly distributed. They fall hardest on the people with the fewest resources to absorb them: first-generation students navigating financial aid bureaucracy, junior faculty learning expense systems, and departments running on thin administrative capacity. Administrative friction is a regressive tax on time—it imposes the greatest costs on those who can least afford it. That observation doesn't disappear in the face of fraud risk. It sharpens the obligation to be precise. Imposing genuine, effective controls on everyone is a reasonable institutional cost. Imposing unnecessary friction on everyone because we haven't done the hard work of distinguishing one from the other is a failure of leadership.

The standard for a well-designed business office process is this: every step either represents a genuine, independent, risk-commensurate control or it should not exist. A person interacting with this office should spend no more time than the underlying transaction requires, receive a clear answer within a timeframe that reflects the actual complexity of the decision involved, and never be asked to compensate for inefficiencies the office created.

Thaler's compliance form at that Cambridge university probably failed that standard. The honest question for every business officer is not whether our processes are more sophisticated than his anecdote. It's whether we've ever actually asked — and whether we're willing to let the answer change something.