September 12, 2007
The Internal Audit Office is an independent and objective audit activity designed to add value and improve Fayetteville State University operations. It helps the Chancellor in accomplishing mission objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and oversight.
The Internal Audit Office must be flexible so as to meet, on an immediate basis, the needs of the Chancellor and staff. Internal Audit addresses these needs through timely assessments and increased emphasis on new or real-time risks and controls. Internal Audit emphasizes responsive, problem-oriented services using professional methodologies, local knowledge, current technology, and objectivity to solve problems and manage inherent risks. The Internal Audit Office complies with generally accepted Government Auditing Standards.
The Office of the Internal Auditor is an independent appraisal function established within Fayetteville State University as a service to management and the Board of Trustees. The overall objective is to perform independent audits, reviews, and investigations that provide reasonable assurance that stewardship is maintained over the University’s assets. The overall objective will be accomplished through the timely application of audit procedures in accordance with generally accepted auditing standards. The procedures will provide management with analyses, recommendations, and pertinent comments concerning the operations and activities reviewed.
In accordance with express authorization, the Office of the Internal Auditor shall have full and free access to information necessary to perform audits, reviews, and investigations. Also, the Office of the Internal Auditor shall be authorized to request, under reasonable conditions, a written response to any findings or recommendations contained in any audit, review, or investigation.
The primary responsibility of the office is to evaluate the University’s control structure to ensure that the system, practices, and policies provide for:
The effective discharge of the internal audit function requires an organizational placement of the function that is conducive to a broad scope of audit activities, adequate consideration of audit reports, and effective action on audit findings. The Office of the Internal Auditor is accountable to the Chancellor. Such an organizational structure provides for professional independence and objectivity. To ensure objectivity and independence, the office shall have no management responsibilities for units for which it provides audit services.
In carrying out the duties and responsibilities, the Internal Auditor will issue reports to the Chancellor, Vice Chancellors in charge of the audited area(s) and, in most cases, the Department Head or Dean of the audited area. The Vice Chancellor in charge of the audited area is responsible for ensuring that corrective action on reported deficiencies is planned or completed within a reasonable period after receiving an audit report disclosing weaknesses.
The Department Head or Dean of the audited area is responsible for sending a written report regarding corrective action to the appropriate Vice Chancellor and Internal Auditor. Subsequent to the reported corrective action plan, the Department Head or Dean should issue a status report to the Vice Chancellor and Internal Auditor.
If, in the opinion of the auditor, a situation is significant or severe, or it appears that management is not sufficiently addressing the identified situation through appropriate corrective action, the auditor is responsible for bringing such to the attention of the Chancellor. The Internal Auditor shall meet, on a periodic basis, with the Chancellor and report on audit activities. In addition, the Internal Auditor shall issue a detailed report, upon request, to the Chancellor.
The Internal Audit Office shall develop and maintain an annual IA Plan containing the projected workload for the IA staff. The plan has many other uses, including the following:
The focus of the IA Plan will be directed towards high risk areas. The IA Director should obtain input from customers, that is, the Chancellor, Vice Chancellors, Deans, and Directors, etc. The IA Director should obtain this input using method(s) that will be most successful in fostering participation in developing the plan. Some of the more common methods are: face-to-face meetings, telephone conversations, e-mail messages, and formal memoranda.
When using the memorandum or message methods to solicit input from customers, the following basic elements should be included:
Risk assessments may be based on:
History of Problems (weak controls, problems in recent audits, etc.)
Regulatory Compliance & Public Scrutiny (High public interest and many regulatory requirements may increase risk).
Reliance on Information Technology (Heavy reliance on information technology may increase risk for newly implemented processes, especially if locally developed and used by inexperienced staff).
Dollar Volume & Liquidity of Assets (Large dollar volume flowing through a system and high liquidity of assets generally increase risk).
Organization Stability & Change (Significant organizational changes and lack of continuity in personnel may mean the control system is less effective than in prior periods).
Also, consider other sources, such as ideas from audit staff, knowledge of the mission functions, external audit information, etc.
The Office of the State Controller requires State agencies, Universities, and Community Colleges to perform a Self-Assessment of Internal Controls annually. The Internal Audit Office is required to review the completed internal control questionnaires. This requirement should be included in the Internal Audit’s Annual Audit Plan.
Emphasize the Plan as a flexible and living document. Customers may submit a request anytime during the year for unforeseen high priority problems. The Plan will be issued annually and updated as necessary. The IA Director should ensure that the Chancellor and staff are periodically informed as to the status of the Plan.
One standing committee of the Board of Trustees of Fayetteville State University (Board) shall be known as the Audit Committee (Committee). The Committee shall meet quarterly. The primary function of the Committee is to assist the Board in fulfilling its responsibilities related to the:
The duties of the Committee do not replace or duplicate established management responsibilities and delegations. Instead, the Committee serves in an advisory capacity to guide the direction of management’s actions and set broad policy for ensuring accurate financial reporting, sound risk management, and ethical behavior.
The Chairman of the Board will select members of the Committee. Each Committee member must be independent of management of the University and free of any relationship that would impair such independence. Members may not receive consulting, advisory, or other fees from the University.
A majority of the members of the Committee should be financially literate and, if possible, at least one member should be a financial expert. Financial literacy is the ability to understand fundamental financial information and statements. A financial expert is someone who has an understanding of generally accepted accounting principles and financial statements, preferably relative to higher education; experience in applying such principles; experience in preparing, auditing, analyzing, or evaluating financial information; experience with internal controls and procedures for financial reporting; or an understanding of the audit committee function. If feasible, the role of financial expert will be rotated on an annual basis.
The following shall be the principal audit-related duties and responsibilities of the Committee:
The Committee may modify or supplement these duties and responsibilities as needed. The Committee shall have the authority to engage, in accordance with state rules and regulations, independent counsel or other advisors as necessary to carry out its duties. The University shall provide appropriate funding as determined by the Committee for payment to advisors employed by the Committee. The Committee, with the assistance of the Office of the University Legal Counsel and the Director of Internal Audit, should periodically review and assess the adequacy of the Audit Committee Charter.
In order to meet the responsibilities and objectives as set forth in the Audit Charter, it is necessary for the Internal Audit Office to perform reviews and audits of varying types and scopes depending on the circumstances and requests from management.
Each fiscal year an annual audit plan is developed and submitted to the Chancellor and Audit Committee for review and approval. The audit plan is based on a risk assessment methodology, as well as requests from management. Audit services can be requested by members of the university community through memos or email. The following types of audit services are provided by the Internal Audit Department.
The Director of Internal Audit serves in the capacity of Audit Liaison Officer. In this role, the Director and other members of the department are the initial contact point and coordinators of external audit activities. In accordance with UNC General Administration requirements (McCoy, 7/16/96), the Internal Auditor will be informed by the Chancellor, deans, and department heads of all internal reviews being conducted by other university employees. Any reports and related work papers resulting from these reviews will be accessible to the Internal Auditor for follow-up.
Copies of all University audit findings and recommendations issued to management by external auditors and investigators along with University responses shall be forwarded to the Internal Audit Office in a timely manner. During the period of resolution, the Office of Internal Audit monitors the progress of the corrective action being implemented. Upon implementation of the recommendation or other alternative action by management, the Internal Auditor performs verification procedures to ensure that the stated plan of action has in fact been implemented and issues a status report.
A financial audit is a review intended to serve as a basis for expressing an opinion regarding the fairness, consistency, and conformity of financial information with generally accepted accounting principles. Financial audits can be full or limited in scope, depending on the objectives.
A full scope financial audit consists of a review of the financial statements of an entity of sufficient extent to express an opinion on those statements. Such an audit is conducted in accordance with generally accepted auditing standards as adopted by the AICPA. The North Carolina Office of the State Auditor normally performs the University’s financial audit. External accounting firms perform the audits of the University’s affiliated entities.
Financial audits that are limited in scope are normally performed by the Internal Audit Office. These audits can include a transaction cycle review of administrative systems such as purchasing, payroll, and payables or a special examination of the financial activities of a decentralized university department.
Operational audits are concerned with the effectiveness and efficiency of operational units within the University. Effectiveness measures how successfully an organization achieves its goals and objectives. Efficiency measures how well an entity uses its resources to achieve its goals.
A compliance audit measures the compliance of the client with some established University, UNC System, Federal, or State laws, regulations, and/or policies.
Information technology audits are conducted to evaluate the quality of the controls and safeguards over the information technology resources of the University. These audits normally consist of reviewing the effective use of information technology resources and adherence to management's policies, and encouraging the design and implementation of adequate controls over computer applications and the computing environments in which they are used.
These audits are normally requested by management and/or prompted by anonymous tips and focus on alleged irregular conduct. Reasons for investigative audits include: internal theft, misuse of State property, and/or conflicts of interest.
The Office of the Internal Auditor also provides routine consultation and advisory services to University management. This may include but is not limited to interpreting policies and procedures, participation on standing committees, ad-hoc meetings, and routine information exchange.
The head of the department or area being audited is informed in advance that an audit has been scheduled. An entrance conference will be held for the audit team and department members to discuss the purpose and objectives of the audit.
An audit program should be developed for collecting, analyzing, interpreting, and documenting information to satisfy the objectives of the engagement.
The program is a list of steps to be performed to obtain sufficient, competent evidence that will serve as the basis for the conclusions made in the final report. The work program is prepared in the planning phase of each engagement prior to commencement of fieldwork and modified, as appropriate, during the course of the engagement.
The fieldwork stage depends on the nature of the audit service and should be designed to focus on operations identified as the most important or the most problematic for the department. During a typical operational audit, Internal Audit performs an evaluation of the department's systems of internal control and tests the compliance with these controls. Key personnel are interviewed, office policies and manuals are reviewed, and documents maintained by the department are examined. Compliance with University policies that are supposed to be administered at the department level is reviewed.
After the conclusion of fieldwork, Internal Audit prepares a draft report which is provided to department management for discussion purposes. The report should contain no surprises for the managers with whom Internal Audit has been working. The report is usually formatted with a paragraph explaining the background and scope of the audit, a paragraph providing a brief summary of the positive findings and areas for improvement that were identified in the audit, and a paragraph requesting management's response to the report. Findings and recommendations are attached in approximate order of priority.
Internal Audit schedules an exit conference with managers to discuss the report and how management will respond to recommendations. If there are significant changes to the draft, a second draft of the report may be issued. Management's written responses to Internal Audit's recommendations are requested within 30 days of the draft report's issuance. Once the report is finalized, management responds. The response consists of three components: whether management agrees or disagrees with the problem, an action plan to correct the problem, and the target date for implementation.
After a draft audit report has been issued, the Internal Audit Office will make every effort to settle differences about audit findings and recommendations. When differences cannot be resolved, the Internal Audit Office may forward the matter to the Chancellor for further discussion and possible resolution.
The final version of the audit report acknowledges and incorporates management's responses to each recommendation. It is distributed to the senior officers and department managers responsible for the operations being reported upon. Final internal audit reports are routinely requested by and provided to external auditors for review in conjunction with the annual audit of the University's financial statements.
Internal Audit will schedule a follow-up audit. The follow-up audit should be done approximately six months after the issuance of the report and involves determining if and how each matter has been resolved. Follow-up audits involve inquiry of management and some limited test work. Follow-up audit reports outline the findings that have been completely resolved, those that are partially resolved, and the outstanding or new items that have not been addressed. They are issued in accordance with the same reporting process that is described above.
Working papers are defined as the documents containing the evidence to support the auditor’s findings, opinions, conclusions, and judgments. They include the collection of evidence, prepared or obtained by the auditor during the review. The auditor is required to prepare and maintain working papers.
Working papers should be:
The procedures followed by the auditor, including the analysis and interpretation of the audit data, should be documented in the working papers. Knowledgeable individuals using the working papers should be able to readily draw the same conclusions as the auditor in charge and determine the purpose, nature, and scope of the audit work. Well prepared working papers also permit another auditor to pick up the engagement at a certain point and carry it to its conclusion.
Information should be clear and complete, yet concise. Normally, each working paper should be limited to only one subject and only one side of the paper should be used.
Working papers should be restricted to matters that are significant and relevant to the objectives of the review. Unnecessary or irrelevant working papers should not be prepared.
Each working paper should contain sections for purpose, source, scope, and conclusion. As applicable, include the elements of criteria, methodology, condition, cause, effect, and recommendation in the appropriate section. Discussions on the working paper sections follow:
(1) Purpose. This section of a working paper explains why auditors are doing the audit work and what the auditors are trying to accomplish.
(2) Source. This portion of a working paper tells the reader where the auditors obtained the information. Auditors should provide enough detail to permit an independent reviewer to find the source of the information recorded on the working paper without assistance.
(3) Scope. This portion of a working paper defines the parameters of the information gathered and how the auditors did the work. It provides things such as: (1) the total number of items available for selection and the number selected, (2) the basis for choosing what the auditors examined, or (3) the period covered.
(4) Conclusion. In this section of a working paper, auditors should draw conclusions by analyzing and interpreting the results of conversations, observations, tests, analyses, information obtained, and other related facts. Most importantly, the conclusion should answer the purpose for which auditors prepared the working paper.
During the engagement, working papers should be maintained in a binder to facilitate their efficient use and ensure against loss or damage.
The primary purpose of indexing is to facilitate the cross-referencing of working papers to each other and to the draft and final report.
An indexing system should be established for each engagement as part of the overall audit review. It should be simple and capable of expansion as well as tailored to the overall focus of the review. By following the work program, the indexing system permits ready reference to any working paper.
The indexing system should show the logical grouping of interrelated working papers. Appropriate groupings will not only contribute to ease of reference but also will assist the auditor’s analysis, interpretation and summarization of the results of the engagement and facilitate review.
Working papers should be indexed as soon as possible after preparation. Establishing an indexing system early in the review process will make this task easier.
Because of the diversity of the engagements at FSU, no specific all-encompassing system of indexing can be prescribed. However, uniform rules and guidelines facilitate a common understanding of an overall system, as well as facilitate review by providing the reviewer an understanding of what to expect in each set of working papers.
Cross-referencing is defined as a notation at one place in the working papers to related information in another place. Cross-referencing may consist of an index page number, line/column of a schedule, reference to a paragraph of a narrative document, or any other unique identifier which will pinpoint the location of data in the work papers.
No engagement should be considered complete until the working papers are cross-referenced. The engagement report is developed through an evolutionary process, including detailed supporting working papers, analyses, draft, and final reports. Cross-referencing should be ongoing. It is an important audit tool in ensuring that all pertinent facts and conclusions have been considered and that adequate support exists for the audit team’s position.
The Internal Audit Director should review all working papers to assure quality. The auditor should be informed of the results of the working paper reviews. After the auditor has considered the reviewer’s notes, he or she should revise the working papers and perform additional work if needed. The auditor should then comment, in writing, on the revisions and on any additional work accomplished.
Auditors should protect working papers to ensure they are accessible only to authorized persons. Auditors should not leave working papers in places accessible to the public, personnel of the audited activity, or other unauthorized persons. Based on UNC guidance—University General Records Retention and Disposition Schedule—audit reports should be transferred to University Archives after 10 years for appraisal and final disposition. Work papers can be destroyed after 3 years.