Clients are often surprised when they receive notice that Internal Audit would like to schedule a meeting to discuss an engagement. This introduction to the engagement may leave a client wondering, “Why me?” or “What did I do wrong?” Clients may not understand the engagement process or how to prepare for the review, and some clients may even be confused as to what an internal auditor does and the role that Internal Audit plays in the organization.

To ensure that the engagement process leads to success, it is important that clients understand their role in the review and are familiar with the Internal Audit function at the System Office.

What is internal auditing?

When most people think of auditing, the first thing that comes to mind is financial auditing. While this is an important aspect of auditing, it is only one small facet.

The Institute of Internal Auditors (IIA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

Does internal audit follow professional standards?

Internal Audit follows the Global Internal Audit Standards (Standards) established by the IIA. The IIA provides the internal auditing profession with Standards, guidance, and information on internal auditing best practices and has principles and standards of Ethics and Professionalism, which have been adopted by System Office Internal Audit. The purpose, authority, and responsibility of the internal audit function are required to be defined in a charter, which is approved by the UNC Board of Governors Committee on Audit, Risk Management, and Compliance (CARMC).

The Standards also require Internal Audit to have an external quality assessment every five years to measure its compliance. The results of this assessment are shared with senior management and the CARMC.

How is internal audit organized?

NCGS §143-746 requires the System Office to maintain an internal audit function. In accordance with the Internal Audit Charter, Internal Audit operates as an independent appraisal function and reports functionally to the CARMC and administratively to the UNC System President (or their designee). At the System Office, the internal audit function administratively resides under the chief of staff.

What are the purpose and objectives of internal audit?

Internal Audit functions primarily as a service unit that assists all levels of management in the effective discharge of their responsibilities. This can be done through advisory services or by performing independent audits, reviews, or investigations. Internal Audit seeks to provide reasonable assurance to management that effective stewardship is maintained over the organization’s resources and serves as a liaison between management and external auditors.

The objectives of Internal Audit are to:

  • Evaluate the adequacy of the internal control structure within a department or unit
  • Assess the extent of compliance with applicable laws, regulations, policies, and procedures
  • Verify the existence of assets and ensure proper safeguards/protection of assets
  • Evaluate the reliability and integrity of data produced by information systems
  • Investigate concerns related to fraud, embezzlement, and theft
  • Consult with management and provide methodologies, facilitation, focus, knowledge, technology, best practices, and independence that help solve management’s issues

What is the scope of internal audit’s authority?

In accordance with the Internal Audit Charter and NCGS §116-40.7, internal auditors have unrestricted access to all records, assets, and other resources of the organization, which are necessary to accomplish its objectives. Internal Audit ensures the safekeeping and confidentiality of all records and information used during an engagement to the extent provided by NCGS §116-40.7.

What services does internal audit provide?

Internal Audit performs reviews and audits of varying types and scopes depending on the circumstances and requests from management. Audit services can be requested by members of the UNC System Office community through memos, emails, or the System Office Hotline. The types of audit services provided by Internal Audit are listed below.

Assurance Audits

  • Operational audits evaluate and analyze the efficiency and effectiveness of a unit, function, program, process, procedure, and/or systems. They can combine elements of information technology, financial, and/or compliance audits as mutually dependent for establishing an effective and efficient internal control system for the programs, processes, procedures, or systems under review.
  • Compliance audits evaluate an area’s adherence to established laws, standards, regulations, policies, and/or procedures.
  • Information system audits evaluate, assess, and verify whether information systems, applications, architecture, and processes maintain data integrity, produce reliable and accurate information, protect agency/University assets, ensure availability and performance, and comply with IT-specific laws, policies, and standards.
  • Financial audits determine whether an entity’s financial statements are fairly presented and are in accordance with established financial accounting criteria. Financial audits address questions regarding the validity of internal controls, accounting, budgeting, and the propriety of financial transactions.

Risk Assessments

Risk assessments identify events that may give rise to risk and opportunities for the achievement of the organization’s objectives. The consideration of the probable material facts of uncertain events, identification, measurement, and prioritization of risks and auditable areas are performed to develop an Internal Audit Plan.

Follow-Up Engagements

Follow-up engagements revisit past audit recommendations and management’s action plans to determine if corrective actions were taken, or if situations have changed to warrant different actions.

Advisory Services

These services are performed in collaboration with management to improve the organization’s controls surrounding governance, risk management, and compliance. These are frequently undertaken when a significant process change is being planned or implemented and may include but are not limited to: interpreting policies, implementing or revising specific processes and controls, and offering feedback on how internal controls and/or operations might be strengthened. We strongly encourage departments to contact us for advisory services when starting a new business process or making significant changes to the way day-to-day activities are conducted.

Investigations

Investigations are normally requested on an as-needed basis by management or by an anonymous tip. These engagements typically focus on specific topics and may include alleged irregular conduct, non-compliance with established policies or laws, misuse of State/University resources, false time reporting, internal theft, and/or conflicts of interest.

Any dishonest or improper act by an employee, such as those that violate the law, waste money, result in gross mismanagement or abuse, or endanger public health and safety, is a concern. North Carolina General Statute § 143B-920 requires all state employees, including employees of the UNC System Office, to report theft or misuse of state property. Per System Office finance policies and procedures, such information should be reported to Internal Audit or Legal. When potential violations are reported, Internal Audit will evaluate and investigate as promptly and discreetly as possible.

To report suspected fraud, waste, or abuse, please visit the System Office Hotline to submit a concern.

What is reviewed and why?

Internal Audit develops an annual Audit Plan, which is reviewed and approved by the CARMC and the UNC System President. This plan identifies the engagement projects to be conducted during the upcoming fiscal year; however, needs are re-assessed throughout the year, and the Audit Plan may be amended to include requested reviews, special projects, or changes in priority.

An area/process can be selected for review if it is assessed as high risk, it is a cyclical engagement project, irregular conduct is alleged, or management requests a review. The most common method for selecting an area/process for review is through the annual risk assessment. Several factors are considered in this assessment:

  • To what extent is the process or area required to comply with state or federal regulations?
  • Is this area subject to a great deal of public scrutiny?
  • Has a recent organizational change occurred?
  • What is the volume of activity?
  • How reliant is the area on technology?
  • When was the last time Internal Audit reviewed it?
  • Have concerns about conduct resulted in a requested review?
  • Does management have concerns they want us to look into (e.g., structure, regulations, complexity of operations, or prior audit findings)?

How is the scope of the engagement determined?

The engagement scope is determined from one or more of the following:

  • Information collected during a preliminary survey, including interviews with the appropriate personnel
  • Assessment of risk associated with the business area’s functions
  • Evaluation of answers received on internal control questionnaires

In certain instances, discoveries or events that occur during an engagement can change the scope. If changes in scope are significant, management will receive a notification.

How long does an engagement last?

Engagements and reviews vary in length, and the time required depends on the scope and objectives of the engagement. Other factors include the cooperation and availability of the business area and the complexity of the operation. A positive working relationship between the business area and the auditors is an important factor in the accuracy of information gathered and the timely completion of an engagement.

What is the actual engagement process?

  1. The engagement is announced through an engagement notification, typically done via email. This notification will describe the general objectives of the engagement, who the auditor-in-charge will be, the projected time frame of the engagement, and information the auditor may need the business area to supply.
  2. A kick-off meeting is scheduled with the business area to discuss the scope and objective, and the process of the engagement. Management is encouraged to present any questions or concerns they have about the engagement during this meeting.
  3. An engagement typically consists of four main phases: planning, fieldwork, findings, and reporting.
     • During the planning phase of the engagement, Internal Audit will gain an understanding of the business area’s operations and/or area being reviewed by requesting written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the business area. Internal controls may also be reviewed and documented during this portion of the engagement.
     • During the fieldwork phase of the engagement, Internal Audit will complete testing of internal controls, collect and analyze data, and perform other steps necessary to accomplish the objectives of the engagement. This will be the most time-consuming phase of the engagement for the business area, and Internal Audit realizes the value of each person’s time.
     • During the findings phase of the engagement, Internal Audit will meet with the business area to review any items discovered during the fieldwork phase that have the potential to be improved. The auditor-in-charge will maintain open communication throughout the entire engagement so that there should be no surprises to the business area during the findings phase.
     • During the reporting phase of the engagement, the auditor-in-charge will prepare a draft report to share with the business area that includes the business area/process being reviewed, the engagement objective and scope, observations, and recommendations. Once this draft is shared, Internal Audit will schedule an exit meeting with the business area to discuss the report, findings, recommendations, management responses, and the next steps to close out the engagement.

If I call you with a question, are you going to audit me?

Typically, no. One of the many services that Internal Audit provides is to help answer questions when you are not sure of the office responsible, need assistance interpreting policies or regulations, or want guidance on implementing a new process. If we can’t answer the question for you, we will try to connect you with the appropriate department that can.

How long do I need to hold on to a document?

For guidance, please review the records retention information and other links provided by UNC System Office’s Legal Affairs.