DIXIE STATE COLLEGE OF UTAH
POLICIES AND PROCEDURES MANUAL
Policy No: 18
Policy: INTERNAL AUDIT
6-18 - INTERNAL AUDIT
To establish the college’s policy regarding internal audits, the authority and responsibilities of the Internal Audit Department, and general procedures for conducting audits.
The Internal Audit Department derives its authority directly from the College President and the Board of Trustees as specified in Utah Code 63I-5-302 and is authorized to conduct such reviews of College organizational units or functional activities as are necessary to accomplish its objectives.
The Internal Audit Department is authorized access to all institutional records and physical properties relevant to the performance of audits, except as prohibited by law.
The Scope of internal audits encompasses the examination and evaluation of the adequacy and effectiveness of the following:
Internal Controls and the quality of performance in carrying out assigned responsibilities.
Reliability and integrity of financial and operating information and the means used to identify, measure, classify and report such information. Reviews may involve objective standards such as generally accepted accounting principles, or subjective standards such as sound business and management practices.
Review of systems to ensure compliance with policies, plans, procedures, laws and regulations which could have a significant impact on operations.
Verification and valuation of department assets.
The Scope of internal audits is also limited to auditing functions only in order to maintain the independence of the auditor. Management functions remain the responsibility of the College administration and campus personnel.
The first responsibility for College operations and internal controls lies with Management. Internal Audit can have no operational duties that might compromise audit independence. By the independent nature of audit activities, no one within Internal Audit shall assume authority or responsibility for any activities audited, investigated, or reviewed (Utah Code 63I-5-302-(1)(b)(ii)). Internal Audit’s involvement in no way relieves any department heads, supervisors, or others in managerial positions of the responsibilities assigned to them.
Responsibilities of the Internal Audit Department
Develop, in coordination with the Internal Audit Committee, an orderly program for selecting appropriate audits and a budget for the Internal Audit Department.
This plan and budget is approved by the President and by the Board of Trustee’s Audit Committee.
Conduct all audits in a professional and competent manner and in accordance with standards established for the professional practice of internal auditing, including appropriate and well-organized workpapers.
Timely communication to appropriate officers of any serious deficiencies noted in an audit.
Maintain open communication with the audited department supervisor and administration, before, during, and after fieldwork. However, the regular communication conduit may not function during other internal work such as special projects or investigations, depending upon security needs. Relevant administrators involved in each work project will be advised as to objectives, findings, issues, and recommendations.
Coordinate and provide support as appropriate with external auditors in an effort to eliminate duplication of efforts or reduce outside audit scope and costs.
Prepare formal reports of findings, conclusions, and recommendations upon completion of the audit and forward completed audit reports to the President and Board of Trustee Audit Committee.
Disclosure of Audit Information. Until audits or reviews are completed, reviewed by the President, the Campus Audit Committee, and the Board of Trustee Audit Committee and accounted to the Board of Trustees, all information gathered in the process is considered to be part of a DRAFT document, and classified as “Protected” under Utah Code 63G-2-101, et seq. (“GRAMA” – Government Records Access and Management Act). Once finalized and reported to the Board of Trustees, audits and reviews become public information except as restricted by GRAMA. If information is released prematurely or for any personal reasons, it shall constitute a violation of GRAMA, and may result in dismissal and/or potential legal action against the internal auditor.
Maintain the independence and professional proficiency of internal audit staff members to assure objectivity and due professional care in conducting all internal audit work.
Audit. A systematic process of measuring intended results against actual conditions. An audit results in communicating the results to interested users in a report format. Audits may follow various objectives determined by the audit scope. They may include a number of areas of focus, such as the following types:
Department Review. A current period analysis of administrative functions, to evaluate the adequacy of controls, safeguarding of assets, efficient use of resources, compliance with related laws, regulations and college policy and integrity of financial information.
Financial Audit. A historically oriented, independent evaluation performed for the purpose of attesting to the fairness, accuracy and reliability of financial data.
Operational Audit. A future-oriented, systematic, and independent evaluation of organizational activities. Financial data may be used, but the primary sources of evidence are the operational policies and achievements related to organizational objectives.
Information Systems (IS) Audit. There are three basic kinds of IS Audits that may be performed:
General Controls Review. A review of the controls which govern the development, operation, maintenance, and security of application systems in a particular environment.
Application Controls Review. A review of controls for a specific application system. This would involve an examination of the controls over the input, processing, and output of the system data. Data Communications issues, program and data security, system change control, and data quality issues are also considered.
System Development Review. A review of the development of a new application system. This involves an evaluation of the development process as well as the product. Consideration is also given to the general controls over a new application, particularly if the new operating environment or technical platform will be used.
Limited Review. A systematic process of inquiries and analytical procedures that are designed to detect material weaknesses and/or nonconformance to generally accepted accounting principles and other applicable standards. A limited review provides narrow scope but specific answers to the questions raised. Consequently, a review may disclose certain important matters, but not necessarily all matters disclosed in a full audit. Limited reviews usually require no follow-up actions to determine compliance. However, requests from the appropriate authority (Trustee Audit Committee, College administration, USHE Commissioner’s office, USHE Board of Regents, etc.), may require a compliance review.
Special Project. A work product summarizing information gathering on a specific subject, reviewing specific work performed by a department within the institution, or providing answers to specific questions or need for clarification. These projects generally cover one-time concerns and do not require any follow-up unless requested by the proper authority. Special projects generally aim to satisfy questions, so they may follow a memorandum format or another style best suited to convey the required information.
Investigative Audit. An audit that takes place as a response to a report of perceived concern with an individual’s or a department’s compliance to college policy, federal law, or state law. Members of the campus community may report concerns of improper activity to the Internal Audit Director on a confidential basis or through the Silent Whistle reporting system.
Internal Controls. The plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, increase compliance with applicable rules and regulations, and encourage adherence to prescribed managerial policies.
Risk Assessment – Audit Planning
Annual Audit Plan
The Internal Audit Committee will determine, based on a number of inputs, the audit needs of the College for the coming year. The Internal Audit Committee may revise the plan during the year as needed. The annual audit plan will be developed based on a number of inputs from various sources.
Board of Regents Mandated Audits - The Board of Regents has mandated that certain audits be performed. The Internal Audit Committee establishes the yearly rotation of all such audits.
Requests from Vice Presidents and Key Administrators.
Findings from Audits both Internal and External.
Evaluations of Systems – Reviews of system flowcharts and related documentation, which pinpoint weaknesses in the internal controls or ineffective policies and procedures.
Miscellaneous Testing including Audit Surveys.
Silent Whistle Requests.
Based on the information received, the Internal Audit Committee will determine, using risk assessment techniques and their own experience, which areas would be most productive for audits. These areas will then be listed in order of priority and will become the audit plan for the coming year.
General Procedures for Conducting Audits.
Independence of the auditor and the department should be maintained whenever possible.
All audits should include the following:
Opening Conference. Internal Audit will ordinarily provide advance notice of the audit to the department head and other responsible administrators. An opening conference will be arranged where specific audit objectives, plans, and procedures will be discussed. Surprise audits may also be undertaken if appropriate in the circumstances.
Audit Planning. Auditors will devote a substantial portion of time in the initial phase of an audit to develop a plan for every audit. The audit plan includes risk identification, a preliminary list of interviewees, seeking appropriate and important criteria/standards, outlining the initial scope of audit work, identifying appropriate documents and other data to review, and initial testing if appropriate.
This process leads to an audit program that is designed to act as a guide or roadmap for the audit itself. An audit program may be modified during an audit if circumstances require it. However, having a written program ensures that all areas are covered that are deemed important and that necessary tests are completed so audit program questions can be answered.
Conduct of Fieldwork. Audit fieldwork consists of interviews with responsible employees, observation of procedures, examination of documentation, and other audit or analytical procedures considered necessary in the circumstances. Audit observations and tentative findings and recommendations will normally be discussed with responsible employees of the audited department throughout the course of fieldwork.
Draft Report. Some time during the end of fieldwork, the auditors will begin drafting a preliminary report. This report provides a guide to Internal Audit in completing fieldwork as well as preliminary information on audit issues for the auditee. A more finalized copy goes to the auditee either at the pre-closing conference or before.
Pre-closing Conference. Internal Audit will hold a pre-closing conference with the auditee and other relevant stakeholders. During the conference, the auditors will review all issues/findings with all participants. At that time, all involved have an opportunity to discuss differences, interpretations of information, the criteria and methods used, and work to resolve differences if any exist. The auditors will use this meeting to correct inaccuracies and misinformation, recheck calculations if warranted, and clarify information. At the discretion of Internal Audit, the pre-closing conference may result in revisions to findings or recommendations.
Auditee Response. An auditee will respond, using a template provided by Internal Audit, to each finding and recommendation. The response provides the auditee with the opportunity to state any corrective action taken since the audit beginning, as long as the action can be verified independently. This format also allows the auditee to formulate his/her own plan of action to address any problems or deficiencies. Normally, the auditee should respond to all findings and recommendations within thirty (30) calendar days of receiving the response template. Since these responses come from outside Internal Audit, they go into the report exactly as provided to Internal Audit.
As determined by the Internal Audit Director, an extension may be granted for special circumstances if requested. The extension shall not be longer than thirty (30) calendar days unless approved by the President or his/her designee.
The response should indicate with respect to each finding and recommendation:
A statement of agreement or disagreement. If there is disagreement, the specific provisions of the report to which exception is taken should be identified; and
A concise statement of actions undertaken or planned in response to the recommendation, as well as a timetable for implementation.
Closing Conference. A closing conference will be held in which a preliminary draft of the audit report will be reviewed, any differences of fact or interpretation discussed, and any appropriate corrections or revisions made. The auditee and all areas affected by audit findings should be invited to the closing conference.
Response to Final Audit Report. Upon receipt of the responses, Internal Audit shall forward the draft audit report and responses to the cognizant vice president, and other vice presidents affected by the findings, together with explanatory comments. The vice president(s) should respond in writing to the Internal Audit Director within 15 calendar days, stating that he/she has reviewed, and agrees or disagrees with, the audit report and response.
Final Audit Report. After considering the responses of the audited department head and the cognizant vice president, and after making any changes which may be appropriate, the final audit report shall be submitted to the president. Additional reports shall be submitted to the cognizant vice president, vice president of administrative services, head of the audited department, and the executive director of business services. A copy of the responses of the department head and the cognizant vice president will be included in the final report.
Compliance Review. Within a reasonable time following the release of the audit report, ordinarily six months, Internal Audit will conduct a review of actions taken in response to the audit report. At the completion of the review, a compliance report will be distributed to those who received the original audit report. The compliance report will state if appropriate steps have been initiated by the audited department, and will identify any items where further action is considered necessary. If the report indicates substantial noncompliance, the cognizant vice president shall investigate the reasons for noncompliance, and submit a letter of explanation and resolution to the president, with a copy to Internal Audit who will submit the letter to the Board of Regents audit review subcommittee.
Audit Ethical Conduct
The goal of the internal audit process is to assist the College in accomplishing its objectives by providing an independent appraisal of risk management, internal controls, effectiveness, efficiency, and compliance with applicable laws, regulations, rules, and procedures. It is designed to add value and improve the College’s operations.
If this goal is to be achieved, there must be a good working relationship between auditor and auditee. Professional attitudes must be maintained at all times including respect for the auditor and auditee.
The procedures listed above provide for lines of communications in order to maintain professional working relationships. In addition, the Internal Audit Department should:
Strive to assist all members of management in the efficient and effective discharge of management’s responsibilities. To do so, Internal Audit provides facts and recommendations or compilations of information concerning a manager’s area of responsibility.
In most instances, issued reports or investigations will identify those involved only by job title or responsibilities. Auditors identify individuals only in this way because the positions themselves maintain responsibility for specified areas and do not depend upon particular characteristics of the current jobholder. Expectations remain the same, regardless of who fills the position currently. Internal Audit will alter this practice by request from the President or his/her designee.
Working papers are the property of the College. Workpapers should be well organized and prepared and record the time required to complete the audit. Workpapers should document, at a minimum, the following aspects of the audit process:
The examination and evaluation of the adequacy and effectiveness of the system of internal controls.
The auditing procedures performed, the information obtained, and the conclusions reached.
The Internal Audit Director will ensure the audit workpapers are being completed appropriately. At least yearly, the campus audit committee will review the workpapers to see if they meet the guidelines outlined in this policy.
The Internal Audit Department should exemplify professionalism at all times as it works with college departments, recognizing changing workloads and department circumstances.
At minimum, Internal Audit complies with GRAMA and other relevant laws. Internal Audit will:
File and retain audit reports and investigations in perpetuity.
Maintain correspondence and other materials, not pertaining to specific audits, as required in relevant law.
Retain working papers for a minimum of three (3) years after the finalization of the audit (and follow-up).
Store special projects and limited scope audits for a minimum of two (2) years after completion.
Associated Policies and Documents
Guidelines and Procedures
Internal Audit Director Job Description and Responsibilities