Frequently Asked Questions (FAQ's)

WHAT IS THE FUNCTION OF THE INSTITUTIONAL COMPLIANCE & INTERNAL AUDIT DEPARTMENT (INTERNAL AUDIT)?
AUTHORITY
WHAT ARE CONTROLS? AND WHY SHOULD I, AS DEPARTMENTAL/UNIVERSITY MANAGEMENT, CARE ABOUT CONTROLS?
SO, WHAT ARE INTERNAL CONTROLS?
WHO IS RESPONSIBLE FOR INTERNAL CONTROLS?
WHY WAS MY DEPARTMENT SELECTED TO BE AUDITED?
WHY MIGHT I REQUEST AN AUDIT?
WHAT SHOULD I EXPECT WHEN AN AUDIT IS SCHEDULED FOR MY UNIT?
HOW LONG WILL THE AUDIT TAKE?
HOW WILL THE AUDIT FINDINGS BE REPORTED?
ARE THERE DIFFERENT TYPES OF AUDITS?
PROFESSIONAL STANDARDS
WHO SHOULD I CONTACT IF I HAVE QUESTIONS OR ISSUES OF AUDIT CONCERN?

WHAT IS THE FUNCTION OF THE INSTITUTIONAL COMPLIANCE & INTERNAL AUDIT DEPARTMENT (INTERNAL AUDIT)?

Internal Audit reviews can provide you with important and useful information. We can help you determine whether there are appropriate internal controls over your administrative processes and/or systems; we can show you ways to improve the efficiency and effectiveness of your administrative processes; and we can recommend improvements in these and other areas.

The Internal Audit staff does this by conducting independent and objective reviews of your department's operations and procedures. Internal Audit is therefore a managerial control, and our goal is to assist you in the effective discharge of your responsibilities by furnishing you with analysis, appraisals, recommendations, and pertinent comments concerning the activities that we review. The attainment of this goal involves:

Evaluating the soundness and adequacy of the internal control structure.
Assessing compliance with policies, plans, procedures, laws, and regulations.
Verifying the existence of assets and ensuring that they are properly accounted for and safeguarded from losses of all kinds.
Conducting special examinations and reviews requested by management including investigating reported occurrences of fraud, embezzlement, theft, waste, etc., and recommending controls to prevent or detect such occurrences.
Evaluating the economy and efficiency with which resources are employed, and recommending improvements in operations.
Evaluating the reliability and integrity of management data by reviewing general controls and computer security procedures over data processing.
Determining the extent to which established objectives and goals for operations or programs are being accomplished.

AUTHORITY

The internal audit staff is authorized by the Audit Committee of the Board of Trustees, and the Chancellor to conduct a comprehensive program of internal auditing. The Institutional Compliance and Internal Audit Department is further authorized to have unrestricted access to University functions, records, properties and personnel in order to conduct reviews thoroughly and effectively.

WHAT ARE CONTROLS? AND WHY SHOULD I, AS DEPARTMENTAL/UNIVERSITY MANAGEMENT, CARE ABOUT CONTROLS?

Controls Are Simply Good Business Practices

Among other things, controls can provide reasonable assurance that:

Management data is reliable;
Assets are accounted for and are safeguarded from losses;
Operating practices are sound and help ensure compliance with policies, laws and regulations;
Resources are used efficiently.

Controls can be informal; for example, backing up important research or financial information on your computer, locking records in a file drawer, or using passwords to limit access to computerized information.

3 Types of Controls - Preventive, Detective, and Corrective

Controls can be designed for various functions. Some controls can be installed to prevent undesirable outcomes before they happen (preventive controls). Others controls can be installed to identify the undesirable outcomes when they do happen (detective controls). Still other controls can be installed to make sure that corrective action is taken to reverse undesirable outcomes or to see that they do not recur (corrective controls). All of these types of controls, in concert, function to ensure that some department/university objective or goal will be met.

Preventive Controls are more cost-effective than detective controls and are designed to discourage errors and irregularities from occurring. When built into a process, preventive controls forestall errors and thereby avoid the cost of correction.

Examples of preventive controls include: trustworthy, competent staff; segregation of duties to prevent intentional wrongdoing; proper authorization to prevent improper use of university resources; adequate documentation and records as well as proper record-keeping procedures to deter improper transactions; and physical control over cash, equipment and other assets to prevent their improper conversion or use.

Detective Controls are usually more expensive than preventive controls, but are also essential, and are designed to find errors or irregularities after they have occurred. Detective controls measure the effectiveness of preventive controls. Also, some errors cannot be effectively controlled through a system of prevention; they must be detected when they occur.

Examples include reviewing procurement card statements and phone charges for appropriateness, allowability, and/or proper allocation. Detective controls also include such control devices as bank reconciliations, independent checks on performance, confirmation of bank balances, cash counts, and systems of review like internal auditing.

Corrective controls come into play when improper outcomes occur and are detected. All the detective controls in the world are valueless if the identified deficiency remains uncorrected or is permitted to recur. Corrective controls such as documentation and reporting systems keep problems under management surveillance until they have been solved or the defect corrected. Corrective controls thus close the loop that starts with prevention and passes through detection to correction.

A System of Controls Reduces Business Risk

The University's exposure to loss is limited when policies and procedures are clearly understood, and reporting mechanisms are reliable. Good control systems should include:

Employees with the appropriate education and training for the duties assigned
Individual Accountability
Independent Monitoring
Approval & Authorization
Separation of Duties

These control elements safeguard individual departments, and the university as a whole, from loss. Without a sound system of controls, errors and omissions can occur and go undetected. Also, existing controls can be circumvented by an inappropriate concentration of duties.

Management's Role

It is the responsibility of management to maintain an adequate system of controls within their areas of authority. Changes in conditions can cause the effectiveness of a control to deteriorate, or the degree of compliance to change. In response to changes, management must create additional controls, or alter existing controls, to protect against loss.

SO, WHAT ARE INTERNAL CONTROLS?

Internal Controls are:

An integrated system put in place to keep your department on course to achieve its mission.
An integrated system to promote efficiency, reduce risk of asset loss, and help ensure the reliability of financial data.
An integrated system to promote compliance with laws and regulations.

Control Activities include:

Authorizing transactions * Approving transactions * Verifying
Reconciling statements * Segregating duties * Reviewing operating performances
Securing assets * Monitoring Accounts * Analyzing * Comparing
Reporting * Observing * Communicating

WHO IS RESPONSIBLE FOR INTERNAL CONTROLS?

Everyone in your department is responsible for internal controls. While the Audit Committee of the Board of Trustees is ultimately responsible for maintaining an adequate system of financial and administrative controls at the University, the department head or manager is responsible for internal controls in the department and should take "ownership" of the internal control system. The department head or manager sets the "tone" for the department by influencing the control consciousness of his/her staff and communicating an administrative philosophy that includes integrity, ethical values and competence. Everybody must understand that internal controls must be taken seriously. Also, since all employees produce information that affect the internal control system, they should all be responsible for communicating upward problems in operations, noncompliance with the University policies, or other policy violations or illegal actions.

WHY WAS MY DEPARTMENT SELECTED TO BE AUDITED?

The Institutional Compliance and Internal Audit Department establishes a comprehensive audit plan based on a University-wide risk assessment. The decision of what audits to include in the annual audit plan is based in part on this risk assessment and, in part, on input from the Audit Committee of the Board of Trustees, university administration, departmental managers, external auditors, and the Internal Audit staff. We also make provision for requests to perform special reviews/investigations.

WHY MIGHT I REQUEST AN AUDIT?

An audit can produce many benefits, and timing can be an important factor. If you have recently assumed new or additional supervisory responsibilities, an audit can review administrative procedures to assess whether internal controls in your unit are adequate. It is also beneficial to assess the system controls and modified office procedures when new computer systems are being installed. A periodic "checkup" to review your department's administrative activity can help insure that your procedures continue to comply with University policies. An audit really is an opportunity to receive an independent appraisal of the effectiveness and efficiency of your department's administrative activities. Anyone within the University can request an audit. We are also available for consultation without having to perform an audit. You may wish to coordinate the request with the head of your department, the President, the Provost, the Vice Chancellor responsible for your area, or submit a request for consultation or an audit directly to the Internal Audit Department. All requests will remain confidential to the extent policies and the law permit.

WHAT SHOULD I EXPECT WHEN AN AUDIT IS SCHEDULED FOR MY UNIT?

With a few exceptions, you or the senior management of your area will be notified in writing when your department is selected for an audit. This letter will state the objectives to be accomplished in the audit. Subsequently, a representative of the Internal Audit Department will contact you to schedule a meeting to discuss the scope of the audit and the logistics of conducting the audit. At this initial meeting, you should take the opportunity to discuss any concerns or questions you may have about the audit, and to determine how you can facilitate the review process.

A typical audit has several stages, including preliminary research, data collection and analysis, review, report writing and distribution, and follow-up.
Click here to see the Audit process in graphic form.

HOW LONG WILL THE AUDIT TAKE?

Audits can last from several days to several months. The auditor assigned to your unit will give you a reasonable estimate of the time he or she needs to complete the audit.

HOW WILL THE AUDIT FINDINGS BE REPORTED?

You and your staff will be kept apprised of the auditor's findings throughout the course of the audit. At the conclusion of the audit, you will be able to review a draft of the report before the final version is issued. We make every attempt to maintain the confidentiality of our sources and audit information until the report is issued. The final report is a "public" document. Final audit reports are distributed to the Chancellor, Vice Chancellor of Business and Finance to whom Internal Audit reports administratively, the President, the Provost or the Vice Chancellor responsible for your department, the Controller, and to you and your management staff, as appropriate.

ARE THERE DIFFERENT TYPES OF AUDITS?

Yes. There are five general categories of internal audit reviews:

FINANCIAL AUDITS address questions of accounting, recording, and reporting of financial transactions. Reviewing the adequacy of internal controls also falls within the scope of financial audits.

COMPLIANCE AUDITS seek to determine if departments are adhering to Federal, State, and University rules, regulations, policies, and procedures.

OPERATIONAL AUDITS examine the use of department/university resources to evaluate whether those resources are being utilized in the most efficient and effective way to fulfill the department's/university's mission and objectives. An operational audit may include elements of a compliance audit, a financial audit, and an information systems audit.

INVESTIGATIVE AUDITS are performed when appropriate. These audits focus on alleged violations of federal and state laws and of University policies and regulations. This may result in prosecution or disciplinary action. Audits precipitated by internal theft, misuse of University assets, and conflicts of interest are examples of investigative audits.

INFORMATION SYSTEMS (IS) AUDITS address the internal control environment of automated information processing systems and how these systems are used. IS audits typically evaluate system input, output and processing controls, backup and recovery plans, and system security, as well as computer facility reviews.

PROFESSIONAL STANDARDS

Internal Audit staff members come from a variety of backgrounds, including public accounting firms, government, and industry. Auditors may be Certified Internal Auditors, Certified Public Accountants, or Certified Fraud Examiners.

Internal Audit subscribes to auditing standards promulgated by the Institute of Internal Auditors and maintains membership and participation in professional activities of organizations such as:

Association of College and University Auditors (ACUA)
Institute of Internal Auditors (IIA)
American Institute of Certified Public Accountants (AICPA)
Association of Certified Fraud Examiners (ACFE)

WHO SHOULD I CONTACT IF I HAVE QUESTIONS OR ISSUES OF AUDIT CONCERN?

Please direct questions to Issah Yakubu, Director of Institutional Compliance and Internal Audit at 17928.