- Internal Controls
- Risk Assessment
- Types of Audits
- Audit Process
- Entrance Conference
- Systems Analysis
- Transaction Testing
- Audit Findings
- Exit Conference
- Written Response
- Final Report
- Client Survey
- Further Follow-Up
- Relationship with External Auditors
- Management Requests
- Continuing Education
Internal Audit Policies and Procedures
Audits are normally scheduled in advance in conjunction with the assistant chancellor for Administrative Services. These audits should be selected from the previously determined pool of available audits. The manager of the department which is to be audited will be informed of the upcoming audit. Once the audit has been scheduled, an entrance conference will also be scheduled. The entrance conference will be utilized to inform the auditee of the audit objectives and to allow the auditee to inform the internal auditor of any particular operations which should be reviewed. Upon completion of the audit and the preparation of the draft audit report, an exit conference will be held. The purposes of the exit conference are to ensure the accuracy of information in the report and to allow the auditee to discuss the findings and recommendations included in the draft audit report.
Upon completion of the exit conference, the draft audit report will be revised to include any agreed upon changes. The draft audit report will be sent to the auditee for a written response to be returned to the internal auditor within a reasonable period of time. Responses will be included in the final audit report and forwarded to the chancellor, assistant chancellor for Administrative Services and the immediate supervisor for the audited department. This report will also be forwarded to the UW System Office of Operations Review and Audit. While the recommendations are advisory in nature, the chancellor has the discretion to impose any recommendations determined to be mandatory. The auditee’s responses should establish timeframes for the implementation of the recommendations. Audits will be followed up, after a reasonable time period, by the internal auditor to determine the status of the recommendations and the extent of implementation.
This statement provides the basic framework within which Internal Audit operates. The reporting relationship to the assistant chancellor for Administrative Services, with the ability to discuss any matters directly with the chancellor, is very important for two reasons:
- To demonstrate independence from any of the operating units of the university, thereby ensuring objectivity in evaluating those units.
- To provide a high-level mandate that monitoring and evaluating the university’s system of internal controls is of utmost importance.
It is important to note that Internal Audit is not responsible for establishing or maintaining the system of internal controls. The managers in each of the individual operating departments, in conjunction with the assistant chancellor for Administrative Services and within the boundaries of university policies, are responsible for establishing and maintaining adequate internal controls. Such controls can be categorized as follows:
- Administrative Controls, designed to promote operational efficiency and adherence to university policies and procedures.
- Accounting Controls, designed to safeguard university assets and ensure the accuracy of financial records.
Internal Audit’s primary function is to examine and evaluate existing internal controls and offer recommendations for improvement. Internal Audit is also available for consultation to provide departments advice on changing or implementing new internal control procedures.
Determining which departments to audit is a continuous and complex process. Given the large number of individual departments and the small size of the Internal Audit Department, it is important to allocate time to departments with high risk exposures. The degree of risk associated with a given department is often, but not always, defined in financial terms. Financial exposures are taken into consideration, but any administrative activity which affects the delivery of important services to students, employees, alumni, and suppliers, or is regulated by governmental or other external legislation, is also considered a potentially high risk exposure.
Factors that enter into the risk assessment and prioritization of audits include the size of the department, extent of new systems, complexity of the department’s operations, extent of personnel turnover, and results of previous audits. The interval between audits is dependent upon the overall risk assessment. This is only one method of risk assessment. Other methods are available from the Association of College and University Auditors (ACUA) and other institutions.
The types of audits which will be performed will be generally financial in nature. These will be audits of auxiliaries, cash handling audits of revenue areas within the Bursar’s operations, cash handling audits of revenue collections in the outlying departments, audits of the capital inventory system to include the library, audits of academic departments, audits of physical plant, non-federal gifts and grants and audits which are requested by administration. As stated in UW System FPPP #16, any suspected fraud, embezzlement, theft, or conflict of interest will be reported to the assistant chancellor for Administrative Services. If requested by the UW System Office of Operations Review and Audit, audit work required prior to the discussion with the representative for the Attorney General’s office will be performed by the Internal Audit Department.
Departments may also request an audit be performed. An audit request form, which is available on the Internal Audit website, must first be completed. The department requesting the audit must provide a detailed explanation describing what they want to be audited. The audit request must then be approved by the assistant chancellor for Administrative Services and the chancellor before any audit work can begin.
The most successful audit projects are those in which the internal auditor and auditee see themselves as consultant and client. Understanding and applying this concept tends to foster a more constructive working relationship and can result in improved operations for the department under review. Although every audit is unique, there are similarities that can be found in each.
Prior to meeting with the client, the internal auditor will:
- Review the prior audit workpapers and prior audit reports, if the area has been audited previously, to become reacquainted with the unique operations of the department.
- Review any new developments which may have occurred since the last audit that could potentially impact the current audit (e.g., the installation of a new computer system, new management or departmental reorganization).
- Obtain a printout of the auditee’s recent financial transactions. With this information, a set of audit objectives and an audit program can be produced.
The entrance conference provides the opportunity for the internal auditor and auditee to establish the scope and schedule for the audit. The internal auditor will contact the auditee to schedule a mutually agreeable time for the entrance conference, usually held at the auditee’s location. At the meeting, the internal auditor will outline the audit objectives, approximate time schedules, types of auditing tests, and the process of reporting. The auditee should inform the internal auditor of any special time constraints to which the department will be subject. Every attempt to minimize any disruptions of regular departmental routines and avoid seasonal busy periods will be made. The auditee should designate herself or a senior member of the department as the primary contact person for the internal auditor to direct questions or requests for assistance. Any special areas of concern the auditee would like to have the internal auditor review should also be brought up at this time.
The next phase of the process requires the internal auditor to gather information about the auditee’s operations. This is especially important if the department has not previously been audited, but it is also necessary to determine whether any significant changes in operating procedures have occurred since the last audit. The internal auditor will conduct interviews with key personnel and review office manuals and policies to produce a plan for the remainder of the audit. This work typically results in narratives, procedural flowcharts, samples of documents and a detailed step-by-step audit program. The purpose of the systems analysis is to determine the types of internal controls the client has implemented and to evaluate whether they ensure proper recording of business transactions, safeguarding of university assets and promotion of operational efficiency. Ideally, the internal auditor will find adequate internal controls and sound operating procedures in place. If this is the case, the internal auditor will proceed to the transaction testing stage. However, if the internal auditor detects a significant internal control deficiency during the systems analysis stage, an audit finding would be written immediately and discussed with the auditee.
The purpose of transaction testing is to examine documents and other records for evidence that the internal controls which have been described in the preliminary systems analysis stage are actually in place and working as intended on a daily basis. When such evidence is found in a representative sample of transactions or records, it can generally be concluded that established procedures are being consistently followed and the level of compliance with internal controls is adequate. When a strong system of internal controls is in place and followed, there is confidence that the data generated by the transactions can be relied upon as accurate and that administrative policies are being followed.
As is often the case, the internal auditor will find one or more deficiencies during the course of a typical audit. Some may be significant, but most will be relatively minor problems which will require minimal adjustments in procedures to correct. The internal auditor will bring all potential audit findings to the auditee’s attention as they are identified in an attempt to resolve them before completion of fieldwork. Some of the audit findings may turn out not to be audit findings at all and will be removed from the draft audit report. Others may be actual audit findings which can be corrected quickly; possibly before the audit is completed. Still others may be actual findings which will require more analysis and study by the auditee after the audit is completed. At the end of the fieldwork stage, the internal auditor will review all actual audit findings with the auditee who should expect to see them in a written formal draft audit report which will follow. The draft audit report should not contain any surprises for the auditee.
The internal auditor will write a draft audit report for the auditee. After the auditee has had a reasonable time to review the draft audit report, an exit conference will be scheduled. At the exit conference, the internal auditor will determine that everything included in the draft audit report is factually correct. Each audit finding will be discussed in detail, along with corresponding recommendations for corrective action. Any new information the auditee has gathered with regard to the audit findings, any alternative recommendations and any editorial suggestions should be made known to the internal auditor at this time. This information will be taken into consideration, and a revised draft will be issued.
Upon final revision of the draft audit report, the auditee will be requested to provide a written response to the recommendations presented in the report within a reasonable period of time. The response should indicate:
- Whether or not there is agreement with the recommendations
- What the plan is to implement the recommendations
- The expected implementation date
- Any other information necessary for an understanding of the issue
Upon receipt of the written response, the internal auditor will issue the final audit report to the auditee’s immediate supervisor with copies to the chancellor and the assistant chancellor for Administrative Services. A copy will also be provided to the UW System Office of Operations Review and Audit. Additional copies may be distributed as deemed necessary by the assistant chancellor for Administrative Services. The reporting package will include the internal auditor’s report with the auditee’s responses and a memo written by the internal auditor.
Shortly after the audit report is finalized, a survey questionnaire will be sent to the auditee which will provide the auditee an opportunity to comment on the audit process. Completion of this survey will help to evaluate the effectiveness of the Internal Audit Function.
After a reasonable period of time has passed, the auditee will again be contacted requesting information on the corrective action taken to date. Until satisfactory results are achieved, Internal Audit will periodically inquire about audit issues which are not resolved. Follow-up audits will also be planned if further review and analysis is warranted. The internal auditor makes regular reports to the UW System Office of Operations Review and Audit.
The external auditor for the University of Wisconsin System is the Legislative Audit Bureau (LAB). LAB makes all audit arrangements for audits through the UW System Office of Operations Review and Audit. When LAB arrives at the university, Internal Audit will be the contact for any arrangements which need to be made or questions which need to be answered.
Any audit questions which emanate from other audit organizations or federal and state agencies should be directed to the Internal Auditor for response. The same protocol will be in effect for audits performed by the UW System Office of Operations Review and Audit.
As mentioned earlier, UW System FPPP #16 details the procedures to be followed when there is a suspicion of financial irregularity. Internal Audit should perform the initial investigatory work upon notification by the UW System Office of Operations Review and Audit. Internal Audit can also be of service to departments that have questions about procedures or need advice about strengthening internal controls. Such procedural or internal control projects are conducted when Internal Audit’s unique combination of experience, technical capabilities and familiarity with the university’s administrative systems fit the needs of the requesting department. Internal Audit is available as needed to support senior management.
All of the employees hired by the Internal Audit Department should have a Bachelor’s Degree in Accounting or Business Administration. While not essential to hiring, internal auditors should be encouraged to obtain one or more professional designations or advanced degrees.
The Internal Audit Department subscribes to the standards for professional conduct as developed by the Institute of Internal Auditors (IIA). Memberships should also be maintained in ACUA and the IIA.
Both ACUA and the IIA offer state-of-the-art continuing education programs on a national, regional, and local chapter basis. As appropriate seminars are offered, and as budgeted funds permit, Internal Audit is encouraged to attend these seminars. These continuing education programs not only provide Internal Audit with the latest information and training they need to perform their work assignments, but also provide individuals the opportunity to meet and interact with other audit professionals in higher education and other industries.
Internal Audit will also participate in any training programs which are sponsored by the UW System Office of Operations Review and Audit.