Often clients are surprised when they receive notice that the auditor would like to schedule a meeting to discuss an engagement. This introduction to the engagement may leave a client wondering, “Why me?” or “What did I do wrong?” Clients may not understand the engagement process or how to prepare for the review. Some clients may even be confused as to what an internal auditor does and the role internal audit plays in the organization.
To ensure that the engagement process leads to success, it is important that clients understand their role in the review and are familiar with the internal audit function at the UNC System Office.
What is internal auditing?
When most people think of auditing, the first thing that comes to mind is financial auditing. While this is an important aspect of auditing, it is only one small facet.
The Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
Does internal audit follow professional standards?
Internal audit follows the professional standards established by the Institute of Internal Auditors (IIA). The IIA provides the internal auditing profession with Standards, guidance, and information on internal auditing best practices. The IIA has a Code of Ethics, which has been adopted by internal audit. The purpose, authority, and responsibility of the internal audit function are required to be defined in a charter. The Board of Governors Committee on Audit, Risk Management, and Compliance (CARMC) approves this charter. The Standards also require that the internal audit unit have an external quality assessment every five years to measure its compliance with IIA Standards. The results are shared with senior management and the CARMC.
How is internal audit organized?
NCGS §143-746 requires the UNC System Office to maintain an internal audit function. In accordance with the Internal Audit Charter, internal audit operates as an independent appraisal function and reports functionally to the Committee on Audit, Risk Management, and Compliance of the Board of Governors and administratively to the UNC president (or his designee). At the UNC System Office, the internal audit function resides under the Chief Operating Officer.
What are the purpose and objectives of internal audit?
Internal audit functions primarily as a service unit that assists all levels of management in the effective discharge of their responsibilities. This can be done through consulting/advisory services or by performing independent audits, reviews, and investigations. The office seeks to provide reasonable assurance to management that effective stewardship is maintained over the organization’s resources. Internal audit also serves as a liaison between management and external auditors.
In general, the objectives of internal audit are to:
- Evaluate the adequacy of the internal control structure within a department or unit
- Assess the extent of compliance with applicable laws, regulations, policies, and procedures
- Verify the existence of assets and ensure proper safeguards/protection of assets
- Evaluate the reliability and integrity of data produced by information systems
- Investigate concerns related to fraud, embezzlement, and theft
- Consult with management and provide methodologies, facilitation, focus, knowledge, technology, best practices, and independence that help solve management’s problems
What is the scope of internal audit’s authority?
In accordance with the internal audit charter and NCGS §116-40.7, internal auditors have unrestricted access to all records, assets, and other resources of the organization, which are necessary to accomplish its objectives. Internal audit ensures the safekeeping and confidentiality of all records and information used during an engagement to the extent provided by NCGS §116-40.7.
What services does internal audit provide?
Internal audit performs reviews and audits of varying types and scope depending on the circumstances and requests from management. Audit services can be requested by members of the UNC System Office community through memos, emails, or the System Office Hotline. The types of audit services provided by the internal audit unit are listed below.
- Operational audits review the effectiveness and efficiency of operational units within the UNC System Office. Effectiveness measures how successfully an organization achieves its goals and objectives. Efficiency measures how well an entity uses its resources to achieve its goals.
- Compliance audits measure the compliance with established University, Federal or State laws, regulations, and/or policies.
- Information technology (IT) audits are conducted to evaluate the quality of the controls and safeguards over the information technology resources and critical data of the organization. These audits normally consist of reviewing the effective use of information technology resources, adherence to management’s policies, and assessing the design and implementation of internal controls over computer applications and the computing environments in which they are used.
- Financial audits are reviews intended to serve as a basis for expressing an opinion on the fairness, consistency, and conformity of financial information with generally accepted accounting principles. Financial audits can be full or limited in scope, depending on the objectives.
- Internal control reviews are assessments of the internal control procedures to determine whether the controls have been designed and implemented to effectively manage risk. This type of review could improve efficiency and effectiveness, reliability of reports, compliance with laws or rules, or help detect/prevent errors or irregularities.
For internal or external audit work that results in recommended improvements, internal audit conducts follow-up reviews to assess if management’s planned corrective actions have been implemented.
These services are typically done in collaboration with management as they work on specific projects. These are frequently undertaken when a significant process change is being planned or implemented, and may include but are not limited to: interpreting policies, implementing or revising specific processes and controls, and offering feedback on how internal controls and/or operations might be strengthened. We strongly encourage departments to contact us for advice when starting a new business process or making significant changes to the way day-to-day activities are conducted. We believe that it is easier to “get it right” from the beginning rather than having to “fix it” later!
- These engagements are normally requested on an as-needed basis by management or by anonymous tips and/or requests. Investigative audits typically focus on specific topics and may include alleged irregular conduct, non-compliance with established policies or laws, misuse of State/university resources, false time reporting, internal theft, and/or conflicts of interest.
- Any dishonest or improper act by an employee, such as one that violates the law, wastes money, results in gross mismanagement or abuse, or endangers public health and safety, is a concern. In addition, North Carolina General Statute § 143B-920 requires all state employees, including employees of the UNC System Office, to report theft or misuse of state property. Per UNC System Office finance policies and procedures, such information should be reported to internal audit or legal. When potential violations are reported, internal audit will evaluate and investigate as promptly and discreetly as possible.
- To report suspected fraud, waste, or abuse, please visit the System Office Hotline to submit a concern.
What is reviewed and why?
Internal audit develops an audit plan, which is reviewed and approved by the Board of Governors Committee on Audit, Risk Management, and Compliance and the UNC System president. This plan identifies the engagement projects to be conducted during the upcoming fiscal year. However, throughout the year, needs are re-assessed and the audit plan may be amended to include requested reviews, special projects, or changes in priority.
Not all reviews are selected in the same way. An area can be selected for a review if: the area is assessed as high risk, it is a cyclical engagement project, irregular conduct is alleged, or management requests a review. The most common method for selecting an area or topic for a review is through the application of a risk assessment. Several factors are considered in this assessment:
- To what extent is the process or area required to comply with state or federal regulations?
- Is this area subject to a great deal of public scrutiny?
- Has recent organizational change occurred?
- What is the volume of activity?
- How reliant is the area on technology?
- When was the last time internal audit reviewed it?
- Have concerns about conduct resulted in a requested review?
- Does management have concerns that they want us to look into? These could include concerns about the internal structure, regulations, complexity of operations, or prior audit findings.
Since investigative engagements are normally requested by management and/or are initiated by anonymous tips, they focus on the alleged irregular conduct. Reasons for investigative engagements may include: internal theft, misuse of state property, noncompliance with rules or regulations, and/or conflicts of interest.
How is the scope of the engagement determined?
The scope of the engagement and/or review is determined from one or more of the following:
- Information collected during a preliminary survey, which includes interviews with the appropriate client personnel
- Assessment of risk associated with the client’s functions
- Evaluation of answers received on internal control questionnaires tailored for the assignment
- Client requests concerning topics, functions and/or time frames
Sometimes discoveries or events that occur during a project can change the scope of an engagement. If changes in scope are significant, the client receives notification.
How long does an engagement last?
Engagements and reviews vary in length. The amount of time required depends on the objectives of the engagement, the cooperation and availability of the client, and the complexity of the operation. An internal control review may take one to two weeks, while a broad-based engagement may take months. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the engagement.
What is the actual engagement process?
- The engagement or review is announced through an engagement letter. Internal audit notifies the client in writing when their area is selected for an audit. An engagement letter describes the general objectives of the engagement, the auditor in charge, the projected time frame of the engagement, and information the auditor may need the client to supply.
- An entrance conference is scheduled with the client to discuss the purpose, scope, and process of the engagement. The auditor and personnel deemed appropriate by the client attend the entrance conference. Clients are encouraged to present any questions or concerns they have about the engagement. Clients are also given the opportunity to request that a specific function or area of their office be examined during the engagement or in future work.
- A preliminary review is performed. During this portion of the engagement, the auditor will gain an understanding of the client’s operations and/or area being reviewed. The auditor may request written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the client’s operations. Internal controls may be reviewed and documented during this portion of the engagement.
- Fieldwork is conducted. This phase of the engagement includes testing the internal controls, collecting and analyzing data, and performing other procedures necessary to accomplish the objectives of the engagement. This phase of the engagement is the most time-consuming part of the review for the client because personnel will need to be available to answer questions and provide information. Internal audit realizes the value of each person’s time and tries to arrange meetings in advance and work around scheduling conflicts when possible. Also during this phase of the engagement, the auditor will strive to maintain open communication with the client to ensure they are kept abreast of the initial observations so there are no surprises once the final report is issued. This typically means a summary of results is prepared and shared with the client.
- A draft report is prepared. After the fieldwork is completed, the auditor prepares a draft report, which will include an overview of the area being audited, audit purpose, objectives, scope, methodology, reportable conditions, and recommendations. The draft report, along with any non-reportable condition, is shared with the client for review before the exit conference.
- An exit conference is scheduled. An exit conference is scheduled with the client to discuss the draft audit report. This conference is an opportunity to discuss the observations and clarify any ambiguities. Non-reportable conditions will also be discussed during the exit conference.
- A written management response to the draft audit findings and recommendations is submitted by the client (or primary department under review). After the exit conference, if necessary, changes are made to the draft report, which is then shared with the client. The client is normally given anywhere from one to two weeks to respond to the draft report. The client prepares a response to each of the observations and recommendations and provides it to internal audit. If circumstances arise that prohibit the client from responding to the report in the allotted time frame, the client should contact internal audit to request more time.
- The final report is issued. A final report is issued after the auditor receives the draft report with the client’s response(s). The draft is shared with and reviewed by senior management (including the president). After this review, the final report is distributed to the client, senior-level management, the president and the Board of Governors Committee on Audit, Risk Management, and Compliance.
- A follow-up review is conducted. Within a reasonable time after the final report is issued, a follow-up review is performed to verify the resolution of the observations. The review is concluded with a follow-up report, which lists the actions taken by the client to resolve the original observations. A draft of the follow-up report will be circulated to the client for discussion before the report is issued. The follow-up report will be circulated to the original report recipients and other UNC System Office officials as deemed appropriate.
If I call you with a question, are you going to audit me?
Typically, no. One service we provide is to help answer questions when you are not sure of the responsible office, would like assistance interpreting policies or regulations, or want guidance on implementing a new process. If we can’t answer the question for you, we try to help you find the right person to ask.
How long do I need to hold on to a document?
For guidance, review the Records Retention information and other links provided by UNC System Office’s Legal Affairs. If you still are not sure, please contact us.