What is internal audit?
Internal Audit is a university department organized to help you, as a university manager, achieve your goals and objectives. We view each project as an opportunity to work together to improve the effectiveness and efficiency of university operations and to ensure compliance with governing laws, regulations and policies.
As internal auditors, we play many roles: auditor, consultant, accountant, advisor, listener, teacher and administrator. In these roles, all of our activities are directed toward helping the university achieve its goals. Our focus is on the future. Although we may look at how you have done things in the past and how you are doing things today, we use this information to suggest improvements so that you can manage even more effectively.
Who does Internal Audit report to?
Internal Audit (IA) under the direction of the Director for Internal Audit, reports to the Board of Trustees through the Chair of the Audit and Risk Committee and to the University President. IA is authorized by the Board of Trustees and senior management to conduct audits in accordance with the Annual Audit Plan approved by the Trustee Audit and Risk Committee and to engage in other independent reviews and consulting activities as required in support of its mission.
What is the authority of the Internal Audit department?
Internal Audit has the authority to recommend improvements and to monitor the implementation of its recommendations. In accordance with approved Internal Audit Charter, Internal Audit has full and unrestricted access to all University activities, documents, records, systems, facilities and personnel as necessary to fulfill its objectives. Information obtained will be maintained with appropriate confidentiality.
Who is responsible for internal controls?
Management is responsible for establishing, maintaining and promoting effective business practices and effective internal controls. However, virtually all employees play some role in effecting control. Systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the unit and the scope of its operations. While there may be practical limitations to the implementation of some internal controls, each business function throughout the university must establish and maintain a system of controls. A properly functioning system of controls improves the efficiency and effectiveness of operations, contributes to safeguarding University assets and identifies and discourages irregularities, such as questionable payments and practices, conflicts of interest and potential diversions of university assets.
How are audits selected?
Not all audit projects are selected in the same way. Generally an area is selected for internal audit in one of four ways:
- Through the application of a risk model, projects are selected based on their relative risk. Several factors (e.g., the internal control structure, complexity of operations, financial impact, etc.) are considered in developing a list of projects, prioritized according to their audit risk. Projects with the greatest risk exposure are assigned the highest priority.
- Some routine or cyclical audits are required. Examples of these projects include audits of grants and contracts and of NCAA regulations.
- Still other audits are performed as the result of special requests. For example, a manager may request that we review an activity or function in his/her area.
- Finally, a small percentage of internal audits are initiated to investigate irregularities.
An audit plan is developed for three years, based on risk assessment and consultation with management and the Audit and Risk Committee. The audit plan details the areas to be audited and is approved by the Audit and Risk Committee. The plan is adjusted in years two and three based on changes in circumstances and associated risks.
Why might I request an audit?
An audit can produce many benefits, and timing can be an important factor. If you have recently assumed new or additional supervisory responsibilities, an audit can review administrative procedures to assess whether internal controls in a particular area are adequate. An audit is also beneficial in assessing system controls and modifications to office procedures resulting from the installation of new systems.
A periodic "checkup" to review your unit's administrative activity can help ensure that your procedures continue to comply with university policy. An audit is an opportunity to receive an independent appraisal and confirmation of the effectiveness and efficiency of your unit's administrative activities.
What should I expect when I'm being audited?
First and foremost you can expect courtesy and professionalism in all of your interactions with Internal Audit. We will notify the head of the department being audited that the audit has been included on the annual audit plan and will coordinate to schedule the timing of the audit. You can expect regular communications throughout the audit to keep you informed regarding the project's overall progress, barriers or delays, potential issues identified, and open items. The audit will be executed in a spirit of partnership. Remember, we're here to help you not "get" you. We'll make an objective assessment of your operations, and share ideas for best practices. Finally we'll provide a report which includes recommendations for improving internal controls, processes and procedures, performance, and risk management.
What happens when Internal Audit identifies a deficiency or non-compliance?
We will fully explore the issue and will typically develop an observation for inclusion in the final audit report. All issues will be fully vetted with the unit's management and we'll coordinate with the appropriate personnel to develop a recommendation best suited for the department's individual needs. Management responds to recommendations with its Action Plans to address the observations and the expected timing for their implementation; these responses are incorporated in the report. The status of these plans is reviewed by IA in a follow-up audit that is generally performed between a year and eighteen months after the initial audit report is issued.
Who receives the audit report?
An audit report is addressed to the head of the organization being audited (e.g. the Dean, Vice President, etc.) and distributed to appropriate administrators (e.g. Department Director, etc.). Copies are provided to the President, the Executive Vice President or Provost, the Senior Vice President of Finance, other administrative executives depending on the nature of the audit (e.g., the Associate Provost for Research Advancement and Compliance, the Vice President for Information Technology Services, etc.), and PricewaterhouseCoopers, LMU's external auditors. The Chair of the Audit and Risk Committee of the Board of Trustees is also provided with the report; summaries of the outcomes for all completed audits are distributed to the Audit and Risk Committee meeting attendees.
Acknowledgements: Office of Internal Auditing: Eastern Illinois University and Internal Audit: University of Pennsylvania