1. Research Administrators Network
The Role of the �Internal Audit Department�
2. Research Administrators Network Definition of Internal Auditing Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The Institute of Internal Auditors
3. Research Administrators Network Were Here to Help! Identify Risks
Find Better Ways and Best Practices
Partner With You to Find Solutions
Prevent Problems
4. Research Administrators Network We Report to the Board of Regents Audit Committee - Ensures independence
Elevate issues to a level where they can be corrected
Keeps Regents informed
Meets quarterly Independence is the foundation of auditing
The Regents can provide resources needed to correct some issues
The President and Regents can adopt policy changesIndependence is the foundation of auditing
The Regents can provide resources needed to correct some issues
The President and Regents can adopt policy changes
5. Research Administrators Network What is Risk Based Auditing? Focus on risk of occurrences that could prevent the University from achieving its goals
There are many types of risk fraud, improper reporting, ineffective or inefficient use of resources, credibility loss, etc.
Focus on areas with high risk and high probability that controls are not in place or are weak
6. Research Administrators Network We have a plan! Risk based audit plan developed with input from across the University
Risk factors:
Impact
Probability
Controls Impact - What would be the impact on the University if this item failed to function?
such as a major fraud, or a disruption in business, what would be the impact to the University?
High Impact - it could create serious problems for the University that could result in the loss or use of resources, a significant loss of revenues/funding, or unfavorable publicity and possible harm to the Universitys reputation
Medium Impact the University would recognize the impact, but would be able to manage the problem
Low Impact - it would not have a significant impact on the University or its reputation
Probability Without considering existing process controls that may exist, what is the probability that this breakdown could occur?
Every area has certain checks and balances that help prevent things from going wrong, such as review processes, issuing receipts for money received, and approvals (auditors refer to these processes as controls). If the controls were not in place, what is the possibility that something would go wrong? Items that might increase the probability include high volumes of transactions, highly regulated areas, large amounts of cash and high employee turnover, involvement of management.
High Probability it is very likely that something could go wrong
Medium Probability it is possible that something could go wrong
Low Probability it is not likely that anything will go wrong
Controls - How well does the University manage this potential risk, i.e. how good are the controls in this area? Are there currently processes in place that provide good checks and balances? Are you aware of problems that have occurred in the area that could have been prevented by better controls, if yes, then the controls may not be as good as they could be.
Good processes exist that should prevent the majority of possible losses or other problems
Average processes are in place that will usually prevent problems, although the processes could be better
Poor there are few processes in place to prevent losses or problems, or the processes are not working
Impact - What would be the impact on the University if this item failed to function?
such as a major fraud, or a disruption in business, what would be the impact to the University?
High Impact - it could create serious problems for the University that could result in the loss or use of resources, a significant loss of revenues/funding, or unfavorable publicity and possible harm to the Universitys reputation
Medium Impact the University would recognize the impact, but would be able to manage the problem
Low Impact - it would not have a significant impact on the University or its reputation
Probability Without considering existing process controls that may exist, what is the probability that this breakdown could occur?
Every area has certain checks and balances that help prevent things from going wrong, such as review processes, issuing receipts for money received, and approvals (auditors refer to these processes as controls). If the controls were not in place, what is the possibility that something would go wrong? Items that might increase the probability include high volumes of transactions, highly regulated areas, large amounts of cash and high employee turnover, involvement of management.
High Probability it is very likely that something could go wrong
Medium Probability it is possible that something could go wrong
Low Probability it is not likely that anything will go wrong
Controls - How well does the University manage this potential risk, i.e. how good are the controls in this area? Are there currently processes in place that provide good checks and balances? Are you aware of problems that have occurred in the area that could have been prevented by better controls, if yes, then the controls may not be as good as they could be.
Good processes exist that should prevent the majority of possible losses or other problems
Average processes are in place that will usually prevent problems, although the processes could be better
Poor there are few processes in place to prevent losses or problems, or the processes are not working
7. Research Administrators Network What Is the Plan? List of audits for fiscal year
Based on risk assessment and available man hours
Includes estimated budget hours and completion date
Approved by Audit Committee Leave some room for the unexpected
Requests and unforeseen issues are presented to Audit Committee for approvalLeave some room for the unexpected
Requests and unforeseen issues are presented to Audit Committee for approval
8. Research Administrators Network Auditable Entities WE DO AUDIT
Operations and compliance
Departments
Colleges or Schools
Programs, Grants, Contracts
Information Technology Systems
University-wide Processes
WE DO NOT AUDIT
Specific individuals
Human Resource issues
Sexual harassment or other civil rights issues May get into performance auditing in the futureMay get into performance auditing in the future
9. Research Administrators Network Internal Audit is Intake Point for Whistleblowers University policy requires Internal Audit to receive reports of
Misconduct
Fraud
Several ways to report
Hotline
E-mail
Phone
Walk in
We interview complainant complete form informing them of process and rights and if they agree tape record interview.
Based on nature of complaint we will refer and provide copies of tape and short synopsis of interview. If confidentiality is an issue we try our best to maintain it however without a name it is sometimes difficult to conduct an investigation.We interview complainant complete form informing them of process and rights and if they agree tape record interview.
Based on nature of complaint we will refer and provide copies of tape and short synopsis of interview. If confidentiality is an issue we try our best to maintain it however without a name it is sometimes difficult to conduct an investigation.
10. Research Administrators Network Investigations of Fraud and Employee Misconduct Whenever possible we will refer to the appropriate Dean, University Police, OEO or Human Resources for investigation
University policy requires Internal Audit to investigate if financial or operational
Internal Audit coordinates and reports to the State Auditor Based on University policy we refer complaints to appropriate department for investigation
If we conduct an audit and find inappropriate use of University assets or misappropriation of funds we request an opinion from University Counsel on whether the matter constitutes fraud and if so it is reported to the State Auditor and University Police.
We have dealt with opposing counsel, insurance adjusters, state police and federal program investigatorsBased on University policy we refer complaints to appropriate department for investigation
If we conduct an audit and find inappropriate use of University assets or misappropriation of funds we request an opinion from University Counsel on whether the matter constitutes fraud and if so it is reported to the State Auditor and University Police.
We have dealt with opposing counsel, insurance adjusters, state police and federal program investigators
11. Research Administrators Network Who Are We? We are University employees
We are certified
public accountants,
internal auditors,
fraud examiners and information system auditors
We are a staff of 7 auditors Most auditors have two certifications
Half the staff have been with Internal Audit for over 20 years
Most auditors have more 10 - 20 years audit experience in public accounting, financial auditing, internal audit and performance auditMost auditors have two certifications
Half the staff have been with Internal Audit for over 20 years
Most auditors have more 10 - 20 years audit experience in public accounting, financial auditing, internal audit and performance audit
12. Research Administrators Network Its the little things that get you! Misreporting hours.
Forgetting to obtain prior approval when needed.
Using estimates that are not supported.
Any violation of University policy.
We have helped HR in several cases where employees claimed to be at one place and were not there. In one case an employee claimed to be going t class but was not
Not reviewing P-card transactions
Not approving purchases prior to placing orders
Unfamiliarity with University policy or misunderstandingsWe have helped HR in several cases where employees claimed to be at one place and were not there. In one case an employee claimed to be going t class but was not
Not reviewing P-card transactions
Not approving purchases prior to placing orders
Unfamiliarity with University policy or misunderstandings
13. Research Administrators Network Preventive Measures Make sure your controls are working
Review and reconcile
Check the work of your subordinates
Dont give in to the temptation to skip controls because you are busy! It is difficult to take the time to develop a policies and procedures manual
To review and scrutinize documentation
However, it is even more time consuming to under go an audit or investigation It is difficult to take the time to develop a policies and procedures manual
To review and scrutinize documentation
However, it is even more time consuming to under go an audit or investigation
14. Research Administrators Network What is included in the audit report? What was found
Why it happen
What is required
What effect it has
Recommendation for improvement
Response who, when and how Audits have six elements
Condition
Cause
Criteria
Effect
Recommendation
Response
Reports have an executive summary with a conclusion answering the objective
Background relating to the area under audit
Observations and RecommendationsAudits have six elements
Condition
Cause
Criteria
Effect
Recommendation
Response
Reports have an executive summary with a conclusion answering the objective
Background relating to the area under audit
Observations and Recommendations
15. Research Administrators Network What happens after the audit? Follow-up
Review corrective action
Report to Audit Committee Have two reports recommendations cleared and past due
Based on timeframes provided in the response, we conduct a follow-up to verify that corrective action occurred.
Audit committee is concerned with past due and pay close attention to this report
HaHave two reports recommendations cleared and past due
Based on timeframes provided in the response, we conduct a follow-up to verify that corrective action occurred.
Audit committee is concerned with past due and pay close attention to this report
Ha
16. Research Administrators Network Who Audits the Auditors? We must have a peer review at least once every five years
Our Standards are set by the Institute of Internal Auditors, and the American Institute of Certified Public Accountants
17. Research Administrators Network We Want to Know How We Are Doing At the completion of each audit we will send an after-audit-survey
We want you to rate our performance
Were we professional, helpful, timely and did we add value?
Please take the time to give us your feedback. This is one of our measures to determine if our work is adding value to the UniversityThis is one of our measures to determine if our work is adding value to the University
18. Research Administrators Network We are here to help We provide training
Respond to policy and technical accounting questions
Offer suggestions for improvement
Advisory role
PI training
Cash Management
Grants Management
Will conduct consulting services to prevent problems or discontinue inappropriate processesPI training
Cash Management
Grants Management
Will conduct consulting services to prevent problems or discontinue inappropriate processes
19. Research Administrators Network Christine Chavez�Director of Internal Audit 277-5016
1801 Roma NE
