The Office of Internal Audits is a service department dedicated to assisting management at all levels in the effective discharge of their duties.
The most successful internal audit departments are those in which the client (departments) and internal audit establish and maintain constructive working relationships. The objective of the Office of Internal Audits is to have you as the client or Auditee involved at every stage of an audit engagement, so that you understand what the audit process is, and why we perform the process.
This brochure is designed to provide information concerning the function of the Office of Internal Audits, the audit process, and the Auditee’s role in the success of the internal audit activity.
The Mission of the Office of Internal Audits
The mission of Xavier University’s Office of Internal Audits is to provide independent, objective assurance and consulting services designed to add value and improve the University’s operations. It helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The scope of work of the Internal Audit activity is to determine whether the University’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:
- Risks are appropriately identified and managed.
- Interaction with the various governance groups occurs as needed.
- Significant financial, managerial, and operating information is accurate, reliable, and timely.
- Employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
- Resources are acquired economically, used efficiently and adequately protected.
- Programs, plans, and objectives are achieved.
- Quality and continuous improvement are fostered in the University’s control process.
- Significant legislative or regulatory issues impacting the University are recognized and addressed appropriately.
Opportunities for improving management control, efficiency, and the University’s image may be identified during audits. They will be communicated to the appropriate level of management.
How is an area selected for audit?
An area is selected for audit in one of three ways: risk analysis, spot checks, and through special projects. A definition of each is as follows:
Risk Analysis - The Office of Internal Audits utilizes a risk analysis to develop an audit plan and identify the major areas of the university needing audit attention. Each year the top risk areas are re-evaluated and a determination is made as to which areas will be scheduled for audit.
Spot Checks - These are audits that are conducted on a random basis. These audits may consist of sampling various transactions (accounting, inventory, payroll, petty cash, long distance calls, cash, etc.) to verify accuracy and compliance with policies and procedures. These types of reviews are used to identify weaknesses in controls which may warrant more in depth audit coverage.
Special Projects - These are audits or investigations that are conducted upon request by administrators, department heads or managers.
Are all audits the same?
No. There are several different types of internal audits. Specific categories for each are as follows:
Financial Audits- These audits primarily relate to accounting and reporting of financial transactions including commitments, authorizations and receipt and disbursement of funds. An additional purpose is to determine whether there are sufficient controls over cash and similar assets as well as policies and procedures governing the acquisition and use of university resources. These transactions should be properly reported in the financial statements and supported by accounting records and financial documentation.
Compliance Audits - These audits address the specific department’s adherence to laws and regulations, policies and procedures, federal and state requirements, and restrictions imposed on endowments & grants etc.
Operational Audits - These audits address the effective and efficient use of departmental or university resources, and evaluate whether these resources are best used to achieve the department’s and university’s mission. An operational audit may include elements of compliance and financial audits, and administrative reviews that concentrate on various university processes including payroll, inventory, accounts payable and cash disbursements, etc.
Electronic Data Processing (EDP) Audits - These audits address the internal control environment of automated information processing systems and how individuals utilize these systems. EDP audits typically evaluate system input, output, processing controls, backup and recovery plans, system security and computer facility reviews.
Investigative Audits - These audits primarily focus on alleged violations of laws or university policies and procedures that may result in prosecution or disciplinary action. Theft, misappropriation of university assets, and conflicts of interest are all examples of reasons for investigative audits.
What are the steps in the audit process?
Although every audit engagement is unique, the actual audit process itself is similar for most engagements, and consists of several stages as noted below:
Engagement Notification - In most instances Auditee’s are notified in writing when their department or area is selected for audit. Due to the nature of certain engagements however, there may be instances in which little or no advance notice is given. The engagement letter, which is also given to the senior management of the area being audited (Dean, Director or Chairperson and the Senior Vice President for Administration) includes the objectives of the audit.
Entrance Conference - An entrance conference is scheduled with the department head to discuss the purpose and scope of the engagement. At this time we encourage auditees to discuss any concerns or questions they may have about the process. In addition other logistical questions are addressed at this time, including work space and scheduling departmental personnel that may be assisting with the engagement. Data Requests are also provided detailing a list of documents needed (written policies and procedures, schedules, reports, departmental files, etc.) for the auditor to begin his work.
Field Work - The field work concentrates on transaction testing and in most instances is conducted in the department under review. It is here departmental records are housed and interviews are performed with departmental personnel allowing the auditor to obtain the necessary knowledge and familiarity with the department’s operations. It is during this phase where controls, policies and procedures are tested and determined to be operating properly. Accounting transactions are also tested for propriety, validity and accuracy.
The duration of an audit will vary depending on its scope, level of cooperation received from the Auditee, and access to personnel and records.
Communicating Results - As the field work progresses, the auditor communicates in written and verbal form any significant findings with the Auditee (client). The primary purpose is for the Auditee to provide insight and possible documentation to resolve the findings and also allows the Auditee to understand the conclusions drawn from the various tests, observations and inquiries of the auditor.
Upon conclusion of the audit fieldwork a draft of the audit report is prepared. The purpose of the draft is to establish in writing, the conclusions drawn from the fieldwork. The Auditee is again given the opportunity to agree or disagree with the findings and recommendations of the report and to also provide in writing their proposed resolutions and responses, along with a proposed timeline for implementation. The primary benefit to this process and ultimate goal is to have no surprises during the reporting phase of the process. The recommendations provided are intended to benefit the department and ultimately the university.
Exit Conference - Finally, an exit conference is held to again discuss the audit findings. The attendees are usually the Auditor, the Auditee, the Chairperson or Director, as well as anyone else from the department the Auditee may invite.
The exit conference provides a final opportunity to resolve any questions or concerns the Auditee may have and to address any other issues before the final audit report is released.
Final Audit Report - The principal product of the entire process is the audit report. It is here that the auditor expresses the audit opinion, findings and recommendations, and management’s responses to the findings. Copies of the report are distributed to the Auditee, specific chairperson or director to the area as well as the appropriate senior manager governing the area. The report is also distributed to the applicable Vice President, the President and included in a summary report given to the Business Affairs Committee of the Board of Trustees.
Follow-Up Reviews - Professional auditing standards require the performance of follow up reviews to determine corrective action taken on previously reported findings.
As you can see, the audit process is quite extensive. An audit or review can provide a department with useful and important information regarding the departments internal controls over its administrative processes and/or systems; and ways to improve the efficiency and effectiveness of business and administrative operations. However, the process works at its best when management and internal audit have a solid working relationship.
What professional standards are Internal Auditors required to follow?
Internal Auditors are required to maintain technical proficiency in auditing techniques. Audit staff will be encouraged to obtain professional certification as a Certified Internal Auditor (CIA) or Certified Public Accountant (C.P.A.). Professional standards used to govern the practice of internal auditing include:
The Standards for the Professional Practice of Internal Auditing and the Code of Ethics published by the Institute of Internal Auditors, Inc.; (IIA)
Generally Accepted Auditing Standards as determined by the American Institute of Certified Public Accountants (AICPA);
College and University Business Administration published by the National Association of College and University Business Officers (NACUBO); and,
Governmental Auditing Standards published by the United States General Accounting Office (GAO), etc.
In addition, auditors are required to maintain a certain amount of continuing education hours annually relevant to the services they provide.
Where can I get more information?
If you have any questions regarding the Office of Internal Audits, or if we can be of any assistance to you, please call 520-5243.