The Office of Internal Audit and Risk Management is responsible for assessing various functions and control systems in the university and for advising the Board and administration concerning their condition. The fulfillment of this accountability includes but is not limited to the following:
- Examining and evaluating the adequacy and effectiveness of the overall system of administrative and financial controls.
- Determining the reliability and integrity of financial and operating data.
- Evaluating sufficiency of and adherence to university plans, policies, and procedures and compliance with State and Federal laws and regulations.
- Ascertaining the extent to which university assets are accounted for and safeguarded and, as appropriate, verifying the existence of such assets.
- Appraising the economy and efficiency with which university resources are employed.
- Submitting an annual audit plan for audit coverage that fulfills the responsibility of the Internal Audit and Risk Management Department.
- Issuing written reports of audit findings and recommendations to the Board of Governors and the administration.
- Reviewing plans or actions taken to correct reported conditions for satisfactory disposition of audit findings.
Periodically, Internal Audit and Risk Management completes a high level risk assessment, which forms the basis for a risk-based internal audit plan. In addition, the Board of Governors reviews and provides input to the audit plan for the coming year. During the year, university management will also provide requests for audit that are considered to be included within the plan. Typical phases of the internal audit include the following:
Prior to meeting with the client, the Internal Audit and Risk Management team discusses the upcoming audit. If the area has been audited previously, we review the file to re-familiarize ourselves with the unique operations of that unit. Any new developments that may have occurred since the last audit are reviewed and discussed. Financial or operational data may be reviewed, as well as other information such as policies and procedures. With this information, the audit team produces a set of audit objectives.
The entrance conference provides the opportunity for the audit team and client/management to discuss audit objectives, schedules, testing and reporting of audit results. Any areas of concern the client would like to have reviewed by the audit team should be brought up at this stage.
The audit team gathers additional information about the client's operations, meets with key personnel, reviews policies, reports, regulations and other data. (If the unit has not previously been audited, this is a significant effort.) The audit team also reviews any changes in operations since the last audit. Key internal controls are evaluated to determine if they are adequate and the extent and types of specific testing to be performed.
The purpose of transaction testing is to examine documents and other records for evidence that the internal controls described in the preliminary survey stage are actually in place and functioning as intended. When we find such evidence on a sample of transactions or records, we conclude that established procedures are being followed and the level of compliance with internal controls is adequate. When a strong system of internal controls is in place and followed, we are confident that the data generated by the transactions can be relied upon as accurate and that policies are being carried out.
Discussion of Audit Findings
The audit team may find one or more opportunities/deficiencies during the course of a typical audit. They will bring all potential audit findings to the client's attention as they are identified to ensure that the audit team has been provided with all the relevant facts. At the end of the fieldwork stage, the audit team informally reviews all findings with the client.
At the pre-exit conference, the draft report is discussed, and management is requested to respond to the recommendations via a corrective action plan (prior to report distribution).
Periodically, management will be requested to communicate in writing the status of implementation of corrective actions as noted in the audit report. Internal Audit and Compliance periodically provides the president with status of corrective actions taken.