- What is internal auditing?
- Are there different types of audits?
- What steps are involved in the audit process?
- What is included in an audit report?
- How do you decide what areas should be audited?
- Who audits the auditors?
- What should I do if I discover a cash shortage or suspect that university funds are being misappropriated?
The Institute of Internal Auditors defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Yes, there are five basic types of audits as well as other miscellaneous audits:
a. Financial Audit – This type of audit is performed in order to express an opinion on the reliability of information contained in official financial statements prior to publication. At NMSU, our external auditors are responsible for conducting required financial audits of the University and related entities. The Office of Audit Services performs some work related to the financial statements that the external auditors rely on, so our role is one of assistance.
b. Operational Audit - This is the most common type of audit that we perform. It is a comprehensive review of the varied functions within an organization to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives. Internal controls are reviewed from a cost-benefit standpoint.
c. Compliance Audit – A review of financial transactions and/or operating controls to determine how well they conform with established laws, standards, regulations and procedures. Examples include: 1) auditing the Athletics Department to determine whether they are complying with National Collegiate Athletics Association (NCAA) rules, 2) auditing grants and contracts to determine compliance with federal regulations and 3) auditing restricted gifts to determine if they are spent in accordance with donor wishes.
d. Investigative or Fraud Audit – These audits are performed to investigate incidents of possible fraud or misappropriation of University assets. We work closely with the NMSU Police Department in these matters, and the State Auditor is required to be notified of any fraudulent activity.
e. Information Technology (IT) Audit – This type of audit addresses the control environment of computer information systems and how they are used. This is a technical review that may include evaluating system input, processing and output controls, data and physical security, contingency planning and disaster recovery, system administration, etc.
f. Miscellaneous audits – This category includes: 1) advisory audits which are conducted at the specific request of a manager, pertaining to any function under his or her responsibility, 2) specific complaint audits or 3) random records audits.
Every audit is unique, and the order in which steps are performed may vary or overlap; however, a formal operational audit would typically include the following:
a. Engagement Memo - Prior to the beginning of an audit, appropriate administrators are notified of the pending audit and apprised of the audit objectives. Certain preliminary information may be requested at this time, such as organization charts, internal office procedures manuals, etc.
b. Planning – During this phase of the audit, background information on the area to be audited is obtained from a number of sources in order to learn as much as possible about the area. Applicable University policies and procedures are reviewed, as well as applicable laws and regulations. Any prior audits of the area are also reviewed. Employees may be interviewed during walk-throughs of processes and Internal Control questionnaires/preliminary surveys distributed. An audit plan is prepared.
c. Entrance Conference - This is a meeting between the managers of the area being audited and Audit Services personnel. The scope of the audit will be discussed at this meeting as well as any scheduling concerns. Every reasonable attempt will be made to schedule audit procedures around busy times. We want the audit to be as minimally disruptive as possible to normal operations. Managers are given the opportunity to share any concerns that they may have. If there is a particular area of concern that a manager would like to have reviewed, we will include it in our audit plan.
d. Fieldwork – This phase may include interviewing employees, flow charting processes and testing transactions. Some of the work will be performed in the area under audit, and some of the work will be performed in our office. Appropriate managers are kept informed of any findings as the audit progresses.
e. Draft Report – Once fieldwork is completed, a draft of the audit report will be written which will state procedures performed, findings and observations, and any recommendations for improvement. The draft will be provided to the manager in charge of the area under audit and anyone else deemed appropriate by the manager at this stage. Management will be asked to provide written responses to our recommendations that will be included in the final report.
f. Exit Conference – This is a meeting between departmental management and Audit Services personnel to discuss the results of the audit and to go over the draft report. If management discovers any factual errors or believes that we have misinterpreted anything, they should inform us at this meeting so that we can make corrections before the report is seen by anyone else. On occasion, there may be items that we don’t feel are appropriate to include in the written report but need to be brought to the attention of management. We will discuss any such items during the exit conference and/or include them in a separate management letter.
g. Audit Report – Once any agreed upon changes are made to the audit report, a draft of the final report will be provided to departmental management that includes their responses to our recommendations. It may be appropriate to include other managers higher on the chain-of-command at this stage, if not included previously. Once final review and approval is obtained from departmental management, the audit report is distributed. The final report is addressed to the Members of the Board of Regents, the President, and appropriate managers of the audited area. Copies are provided to the Provost, the Vice President or Vice Provost responsible for the area audited, the Vice President for Business & Finance and any others as deemed appropriate.
h. Follow Up - Audit Services will follow up on all audit findings and recommendations as time permits, to determine progress made in implementing recommendations. A written status report will be provided to the same individuals who received a copy of the Audit Report. One additional follow up may be performed if necessary; however, any items not cleared by the time the first follow-up is completed may be referred to the President and Provost.
A formal audit report addressed to the President and Regents for a routine operational or compliance audit generally includes some or all of the following sections: a) Cover Sheet, b) Executive Summary, c) Table of Contents, d) Background Information, e) Audit Scope & Purpose, f) System of Internal Controls, g) Summary & Conclusions, h) Status of Prior Findings and Comments (if applicable), i) Detailed Findings, Observations & Recommendation (management responses to our recommendations will be included in the final report), and j) any attachments or appendices as appropriate.
A limited procedures audit or review where we examine one specific item or a very limited number of items, or a review done at the request of management, may be written in the form of an Audit Memorandum as opposed to a formal report and may combine or eliminate some of the above sections. It generally does not include the first three items and is not addressed to the President and Regents.
An investigative or fraud audit must be tailored to the situation, but will generally include a Background and Scope & Purpose Section. The issues or allegations under investigation will be described and details will be outlined. Any applicable rules, regulations, laws or policies are stated. If appropriate, we will state whether an allegation is founded (there is evidence to support the allegation), unfounded (there is no evidence to support the allegation), or unsubstantiated (we cannot determine, based on available information, whether the allegation is founded or unfounded). Finally, when appropriate, recommendations to management for corrective action are included. Depending on the timing of the report, it may also include disposition of the matter.
An audit may be scheduled based on a formal risk assessment process, at the request of an administrator or a regent, or because potential weaknesses in an area have come to our attention, perhaps through spot-checking of transactions conducted on a random basis or through a whistle-blower complaint.
The end result of a formal risk assessment process is often a ranking, from highest risk to lowest risk, of “auditable activities” within the university. An auditable activity could be a functional unit such as a college, a research laboratory, a support services department, a branch campus, etc. It could also be an information system such as a payroll system or an admissions system. In the risk assessment process, a number of risk factors associated with the activity are considered, such as: the audit history of the activity, the degree of regulatory compliance and public scrutiny, the degree of reliance on automated systems, the dollar volume and liquidity of assets, amount of organizational change, and so on. The risk assessment process helps us to decide where the scarce resources of our department can best be utilized.
A separate report may also be written to management that outlines recommendations for corrective action and for strengthening internal controls in the area. This report will incorporate management responses to recommendations and appropriate follow up will be
Quality Assessment of the Internal Audit Function
The Standards for the Professional Practice of Internal Auditing (Standards), as promulgated by the Institute of Internal Auditors (IIA), require that internal audit activities undergo an external quality assessment (QA) or peer review at least once every 5 years. This is a fairly recent requirement, and the deadline for the first QA was January 2, 2007.
The IIA provides a system of rating the level of compliance with the Standards that consists of three categories: generally conforms, partially conforms, and does not conform. In all cases, opportunities for improvement are to be identified that will enhance the value of services provided by the internal audit function to the institution. The QA is one part of a continuous quality assurance and improvement program required by the Standards that includes:
- Periodic internal assessments of the work of the internal auditing department
- External assessments or quality assurance reviews of the work of the internal auditing department, at least once every five years.
- Ongoing internal monitoring.
The Office of Audit Services at NMSU conducted an internal quality assessment or self-review in 2006, and concluded that the internal audit activity generally conforms to the Standards. Eight opportunities for improvement were identified in the report dated October 12, 2006.
The first external quality assessment was conducted November 6-9, 2006. The reviewers also concluded that the internal audit activity at NMSU generally conforms to the Standards and identified ten opportunities for improvement in their report dated December 13, 2006. There was a considerable amount of overlap in the issues identified between the external QA and the self-assessment. An auditor will be assigned to follow up on the suggestions and report the status to the President and the Regents, in accordance with normal procedures.
What should I do if I discover a cash shortage or suspect that university funds are being misappropriated?
Per section 8.15.25 of the Business Procedures Manual (http://www.nmsu.edu/~boffice/bpm_2009/BPM%2006.2009.pdf), a significant cash shortage or a pattern of unexplained shortages that indicate possible misappropriation of public funds must be reported to the Audit Services Department immediately following discovery. In such cases, the Audit Services Department will confirm or determine the amount of the shortage and take such other action as the circumstances warrant, including compliance with the statutes of New Mexico concerning misappropriation of public funds.
NOTE: This requirement does not include incidental cash variations, which reasonably could be expected to result from the normal cash transactions of a prudent cashier/cash custodian.