Often clients first become aware of an impending engagement when they receive a memo that the auditor will contact them to schedule an opening meeting. This introduction to the engagement may leave a client wondering "Why me?" or "What did I do wrong?". These questions are often followed by confusion about the engagement process or how to prepare for the review. Some clients may even be confused as to what an internal auditor does and the role internal audit plays in the organization.
To help the engagement process be successful it is important that the client understand their role in the review and is familiar with the internal audit function at the UNC System Office. We hope the following helps.
When most people think of auditing the first thing that comes to mind is financial auditing. While this is an important aspect of auditing, it is only one small facet. The Institute of Internal Auditors defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations." It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. See the Audit Services section of the site to learn more about the services internal can provide.
Internal audit follows the professional standards that have been established by the Institute of Internal Auditors (IIA). As required by these Standards, internal audit undergoes an external quality assessment every five years to measure its compliance with IIA standards.
The IIA serves over 70,000 members and provides the internal auditing profession with standards, guidance, and information on internal auditing best practices. The IIA has a Code of Ethics, which has been adopted by internal audit. One of the standard’s requirements is that the purpose, authority, and responsibility of the internal audit function be defined in a charter. This charter is approved by the Board of Governors' Committee on Audit, Risk Management, and Compliance.
The UNC System Office is required by NCGS §143-746 to maintain an internal audit function. In accordance with the Internal Audit Charter, internal audit operates as an independent appraisal function and reports functionally to the Committee on Audit, Risk Management, and Compliance of the Board of Governors and administratively to the UNC President (or his designee). At the UNC System Office, the internal audit function resides within Governance, Legal and Risk.
The primary purpose of internal audit is to function as a service unit that assists all levels of management in the effective discharge of their responsibilities. This can be done by consulting and performing independent audits, reviews, and investigations. The office seeks to provide reasonable assurance to management that effective stewardship is maintained over the organization's resources. Internal audit also serves as a liaison between management and external auditors.
In general, the objectives of internal audit are to:
- Evaluate the adequacy of the internal control structure within a department or unit.
- Assess the extent of compliance with applicable laws, regulations, policies, and procedures.
- Verify the existence of assets and ensure proper safeguards / protection of assets.
- Evaluate the reliability and integrity of data produced by information systems.
- Investigate concerns related to fraud, embezzlement, and theft.
- Consult with management and provide methodologies, facilitation, focus, knowledge, technology, best practices, and independence that help solve managements' problems.
In accordance with the internal audit charter and NCGS §116-40.7, internal auditors have unrestricted access to all records, assets, and other resources of the organization, which are necessary to accomplish its objectives. Internal audit ensures the safekeeping and confidentiality of all records and information used during an engagement to the extent provided by NCGS §116-40.7.
Internal audit develops an annual audit plan that is reviewed and approved by the Board of Governors' Committee on Audit, Risk Management, and Compliance and the UNC President. This plan identifies the engagement projects to be conducted during the upcoming fiscal year; however, it can be amended to include requested reviews, special projects, or changes in priority.
Not all reviews are selected in the same way. An area can be selected for a review if:
- It is assessed as an area with high risk
- It is a cyclical engagement project
- Irregular conduct is alleged and a review is requested
- Management specifically requests a review
The most common method of selecting an area for an engagement is through the application of a risk assessment. Several factors that are considered in the assessment are:
- To what extent is the process or area required to comply with state or federal regulations?
- Is this area subject to a great deal of public scrutiny?
- Has recent organizational change occurred?
- What is the volume of activity?
- How reliant is the area on technology?
- When was the last time Internal Audit reviewed it?
- Have concerns about conduct resulted in a requested review?
- Does management have concerns that they want us to look into? Concerns can be about the internal structure, regulations, complexity of operations, or any prior audit findings
Throughout the year, needs are re-assessed and the audit plan may be amended to include requested reviews, special projects, or changes in priority.
Investigative engagements are normally requested by management and/or anonymous tips and focus on alleged, irregular conduct. Reasons for investigative engagements include: internal theft, misuse of state property, and/or conflicts of interest. The scope of an engagement that is initiated by a managment request depends on the request.
The scope of the engagement and/or review is determined from one or more of the following:
- Information collected during a preliminary survey, which includes interviews with the appropriate client personnel
- Assessment of risk associated with the client's functions
- Evaluation of answers received on internal control questionnaires tailored for the assignment
- Client requests concerning topics, functions and/or time frames
Sometimes discoveries or events that occur during a project can change the scope of an engagement. If this should happen, the client is notified of significant scope changes.
Engagements and reviews vary in length. The amount of time required depends on the objectives of the engagement, the cooperation and availability of the client, and the complexity of the operation. An internal control review may take one to two weeks, while a broad-based engagement may take months. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the engagement.
- The engagement or review is announced through an engagement letter. Internal audit notifies the client in writing when their area is selected for an audit. An engagement letter is sent to the client that describes the general objectives of the engagement, the auditor in charge, the projected time frame of the engagement, and information the auditor may need the client to supply.
- An entrance conference is scheduled with the client to discuss the purpose, scope, and process of the engagement. The auditor and personnel deemed appropriate by the client attend the entrance conference. Clients are encouraged to present any questions or concerns they have about the engagement. Clients are also given the opportunity to request that a specific function or area of their office be examined during the engagement or in future work.
- A preliminary survey is performed. During this portion of the engagement, the auditor will gain an understanding of the client's operations and/or area being reviewed. The auditor may request written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the client's operations. Internal controls may be reviewed and documented during this portion of the engagement.
- Fieldwork is conducted. This phase of the engagement includes testing the internal controls, collecting and analyzing data, and performing other procedures necessary to accomplish the objectives of the engagement. This phase of the engagement is the most time-consuming part of the review for the client because personnel will need to be available to answer questions and provide information. Internal audit realizes the value of each person's time and tries to arrange meetings in advance and work around scheduling conflicts when possible. Also during this phase of the engagement, the auditor will strive to maintain an open communication with the client to ensure they are kept abreast of the initial observations so there are no surprises once the final report is issued.
- A draft report is prepared. After the fieldwork is completed, the auditor prepares a draft report, which will include an overview of area being audited, audit purpose, objectives, scope, methodology, reportable conditions, and recommendations. The draft report along with any non-reportable condition is shared with the client for review before the exit conference.
- An exit conference is scheduled. An exit conference is scheduled with the client to discuss the draft audit report. This conference is an opportunity to discuss the observations and clarify any ambiguities. Non-reportable conditions will also be discussed during the exit conference.
- The client submits their responses to the audit findings and recommendations. After the exit conference, if necessary, changes are made to the draft report then shared with the client. The client is normally given anywhere from one to two weeks to respond to the draft report. The client prepares a response to each of the observations and recommendations and provides to internal audit. If circumstances arise that prohibits the client from responding to the report in the allotted time frame, the client should contact internal audit to request more time.
- The final report is issued. A final report is issued after the auditor receives the draft report with the client's responses. The final report is distributed to the client, senior-level management, the President and the Board of Governors' Committee on Audit, Risk Management, and Compliance.
- A follow-up review is conducted. Within a reasonable time after the final report is issued, a follow-up review is performed to verify the resolution of the observations. The review is concluded with a follow-up report, which lists the actions taken by the client to resolve the original observations. A draft of the follow-up report will be circulated to the client for discussion before the report is issued. The follow-up report will be circulated to the original report recipients and other UNC System Office officials as deemed appropriate.
Typically, no. One service we provide is to help answer questions when you are not sure the responsible office or would like assistance interpreting policies or regulations or want guidance on implementing a new process. If we can’t answer the question for you, we try to help you find the right person to ask.
For guidence, review the Records Retention information and other links provided by UNC System Office’s Legal Affairs. If you still are not sure, please contact us.