higher education solutions 1 internal audit for colleges and universities by: wally wetherill,...
TRANSCRIPT
1
Higher Education Solutions
Internal Audit for Colleges and Universities
By:
Wally Wetherill, Regional Industry Partner – East Region
John McKay, Supervisory Consultant
OACUBO Conference
2
Higher Education Solutions
Internal Audit (IA)Assessing Risk Internal Audit Process-developing audit plans
and processExamples if IA workQuestions
Agenda
3
Higher Education Solutions
Internal Audit
Is the path to: Assessing and maintaining sufficiency in
compliance
Proactively addressing public scrutiny
Enabling transparency
4
Higher Education Solutions
Internal Audit Defined
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an institution's operations. It helps an institution accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. (Institute of Internal Auditors)
5
Higher Education Solutions
Internal Audit Simplified
Internal auditors are not external auditors Main objectives are different
Work is not primarily financial statement based
Do not render opinions
But do have some similar approaches
6
Higher Education Solutions
Internal Audit Simplified Internal auditors
Are independent on their institutional reporting (direct report to Audit Committee)
Develop annual work plans through risk assessment and collaboration with senior and departmental management
Focus of audit work is on:• Laws and regulations (compliance)
• Policy and procedures (adherence)
• Efficiencies
• Process improvements
7
Higher Education Solutions
Internal Audit Simplified
Internal auditors (continued) Communicate with and involve all levels of
personnel
Help educate the campus on compliance, controls and risk
Provides suggestions for improvement
Work together – on your terms – with the same goals
8
Higher Education Solutions
The Look of Internal Audit
In houseCo-sourcedOutsourced
* Regardless of how it is established, the process for conducting IA work remains the same
9
Higher Education Solutions
Establishing the IA Function
Define your look/structureAudit Charter – defines reporting structure
and authorityAudit Committee and Charter
10
Higher Education Solutions
Assess Risk
Enterprise Risk Management Management deploys and oversees ERM for the institution
• Define risk and opportunity
• Assess the risks and opportunities identified
• Management develops a means to proactively address the risks and opportunities identified:
► Avoid the risk – exit the activity giving rise to significant risk
► Reduce the risk – take action to reduce the likelihood or impact related to risk
► Share or insure the risk – transfer or share a portion of the risk in an effort to reduce the risk level
► Accept the risk - take no action
11
Higher Education Solutions
Assess Risk
Enterprise Risk Management (continued) ERM may be based on COSO’s ERM Framework
model• As defined:
► A process, effected by an institution’s board of trustees, management and other personnel, applied a strategy setting and across the enterprise, designed to identify potential events that may affect the institution, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objections. (Committee of Sponsoring Organizations of the Treadway Commission _ COSO)
12
Higher Education Solutions
Assess Risk
Enterprise Risk Management (continued) COSO framework
• Framework consists of five interrelated components:► Control environment
► Risk assessment
► Control activities
► Information and communication
► Monitoring
14
Higher Education Solutions
Assess Risk
Enterprise Risk Management (continued) Four major areas of risk
• Operational (process and procedures)
• Financial
• Regulatory
• Reputational
Why is ERM important today in colleges and universities?
15
Higher Education Solutions
Assess Risk
BOARD OF TRUSTEES/REGENTS
ACCREDITORS &AUDITORS ANALYSTS
DONORS
HIGHER EDINSTITUTION
Seeking enhancedvisibility into the risksof the Institution
Instituting ERM ratingscriteria for public debtissuers
Seeking assurance onstewardship of donated funds
Promoting greater accountabilityfor risk management
Enterprise Risk Management (continued) Why is ERM important today in colleges and
universities
16
Higher Education Solutions
Assess Risk
Internal audit risk assessment Process
• Considers results of ERM• Defines the audit universe and auditable areas• Establishes a consistent scoring structure
Examine scores Apply risk rating
• Rank each auditable unit/function• Becomes basis for allocating audit resources
17
Higher Education Solutions
Assess RiskRisk Profile – Heat Map
High
Moderate
Low
HighModerateLow
Off-CampusFacilities
ConstructionManagement (Facilities)
Central BillingOffice
UtilitiesOffice of ResearchAdministrationDeferred
MaintenanceEndowment
UniversityRelations
Gifts &RestrictedFunds
Financial Reporting
Auxiliary Services
PropertyManagement
InformationTechnology
18
Higher Education Solutions
Assess Risk Internal audit risk assessment (continued)
Areas of risk assessment at a college (representative list)• Student billing and collections• Financial aid and grants• Information technology• Business office• Athletics• President’s office• Purchasing and accounts payable• Payroll and benefits• Human resources• Security• Contract management• Facilities/construction management• Student clubs• International programs
19
Higher Education Solutions
Develop Audit Plans
Audit plan Identify the audit schedule for each auditable
unit/function based on risk assessment• High risk areas first
Determine plan rotation• Typically 3 to 5 years
Plan is fluid and can (and probably will) change based on audit work
20
Higher Education Solutions
Develop Audit Plans
Annual audit plan List of areas to cover in the year
Should detail time line and lead individuals
Should have status meetings or communication tool to provide updates and status of plan
Include audit committee reporting time line
21
Higher Education Solutions
Internal Audit Project Process
Meet with area personnel to identify: Processes
Policies and procedures
Laws and regulations
Management concerns
Review information to develop an internal audit program
Request additional information
22
Higher Education Solutions
Internal Audit Project Process
Perform testing Documentation
Inquiry
Observation
Share and obtain input on results with area management
Prepare written observations and recommendations
23
Higher Education Solutions
Internal Audit Project Process
Obtain management’s responsesPrepare audit report Issue report to departmental management,
upper management and the audit committee/ board
Follow up on status of previous findings is important
24
Higher Education Solutions
Examples of Internal Audit Work Process improvement analysis
Eliminate duplication of effort Eliminate unnecessary steps Streamline to promote efficiency
Compliance testing (more specific to regulatory or statutory rules) Financial aid Human resources Payroll and benefits Fund development and administration Grants Contracts
25
Higher Education Solutions
Examples of Internal Audit Work Policy and procedure adherence Internal control advisory services for process or system
changes/enhancements Internal control testing External audit assistance Special projects to address items of immediate concern
Athletics Student groups International programs Travel and expenses Off site programs
26
Higher Education Solutions
Conclusions – Internal Audit
Proactively addresses compliance by being aware of and testing of laws and regulations
Serves as a tool to address public scrutiny Indicates management and the board are interested in
doing things the right way and correcting items that may be off the mark
Provides a resource to the board and management to complete special assignments to address items of concern
Results provided by an independent party carry more weight with the public and stakeholders
27
Higher Education Solutions
Conclusions – Internal Audit
Promotes transparency in campus processes Results are formally reported
Results include statements from management as to how any issues will be addressed
Results provide ownership for corrective plan
Results indicate cases in which everything is being performed as intended when there are no or few written findings
Results available for management and the board