Internal Audit OUHSC New Manager’s Training
Updated February, 2015
2
• To Describe the Role of Internal Audit at the
University of Oklahoma.
• To Define Fraud and to Inform Employees of their
Responsibility to Report Fraud to Internal Audit.
• To Explain the Audit Process and How to Work
Effectively with Internal Audit.
• To Convey the Concept of Internal Controls.
Presentation Objectives
Internal Audit Department Overview
Internal Audit Charter
• Included in the University of Oklahoma Board of
Regents’ Policy Manual.
• Required by State Law
• We are Authorized by the Board of Regents and the
President to have full, free, and unrestricted access to
all University functions, records, property and
personnel.
What is Internal Auditing?
Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization’s operations.
It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.
Source: The Institute of Internal Auditors
What do we do?
Internal Audit Assesses:
• Adequacy of policy, procedures and internal controls.
• Compliance with laws, rules, regulations and
organizational guidelines.
• Organizational efficiency.
• Accuracy and reliability of accounting records.
Internal Audit Responsibility
• OU Norman Campus
• OU Health Sciences Center Campus
• OU Tulsa Campus
• Cameron University (Lawton)
• Rogers State University (Claremore)
• Any off-site location or function of the above entities
Organizational Chart - 2015: OU Internal Audit
[Figure: organizational chart of OU Internal Audit showing the University of Oklahoma Board of Regents, OU President David L. Boren, the Chief Audit Executive, audit and IT audit directors and managers, senior auditors, auditors, IT auditors, an administrative assistant and student interns, with coverage of OU HSC, OU Norman, OU Tulsa, Cameron University, Rogers State University, IT for all campuses, Special Investigations and the Quality Assurance Improvement Program.]
OU Internal Audit Profile
Professional Certifications Held Within the Department
Accounting/Auditing
•Fellow Chartered Accountant
•Chartered Tax Advisor
•Certified Public Accountants
•Certified Internal Auditors
Information Systems/Information Technology
•Certified Information Systems Auditors
•Certified Information Systems Security Professional
•Certified Information Security Manager
•GIAC Systems and Network Auditor
•Certified Information Privacy Professional
•Payment Card Industry (PCI) Security Standards Council Internal Security Assessor
OU Internal Audit Profile - Continued
Professional Memberships/Affiliations
•Association of College and University Auditors
•Institute of Internal Auditors
•Association of Healthcare Internal Auditors
•Oklahoma Society of Certified Public Accountants
•Information Systems Audit and Control Association
Professional Experience
•Public Accounting (Various Clients/Public and Private)
•Private Business/Industry
•Government
•Healthcare
•Retail
Code of Ethics
The Principles/Rules of Conduct We Adhere to:
• Integrity
• Objectivity
• Confidentiality
• Competency
Source: The Institute of Internal Auditors
Fraud Awareness
Institute of Internal Auditors Standard
IIA Standard 1220.A1 states, “Internal auditors must exercise due
professional care by considering the:
•Extent of work needed to achieve the engagement's objectives;
•Relative complexity, materiality, or significance of matters to which
assurance procedures are applied;
•Adequacy and effectiveness of governance, risk management, and
control processes;
•Probability of significant errors, fraud, or noncompliance; and
•Cost of assurance in relation to potential benefits.”
What is fraud?
•Fraud is the intentional misrepresentation or concealment of a material fact that results in financial or other damages to another party.
Fraud or Error?
Intent: Unintentional vs. Intentional
Fraud is Deliberate.
Fraud is Not an Accident.
Reporting Fraud
•As stated in the Regents’ Policy Manual,
all University employees have a duty to
report instances of suspected fraud to
Internal Audit.
•If you become aware of issues of potential
fraud or related misconduct, please contact
Internal Audit and speak directly with the
Director of Internal Audit.
Important Number/Email
405-325-3411
Reporting Fraud - Your Importance
Source: The Association of Fraud Examiners, Inc. 2010 Report to the Nations
Conclusion: You can make a difference!
Characteristics of Fraud Perpetrators
Source: The Association of Fraud Examiners, Inc. 2010 Report to the Nations
Internal Control Fundamentals
What is an Internal Control?
COSO defines internal control as, “a
process, effected by an entity’s board of
directors, management and other personnel. This process is designed to provide reasonable assurance regarding
the achievement of objectives in
effectiveness and efficiency of operations,
reliability of financial reporting, and
compliance with applicable laws and
regulations.”
Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
What is an Internal Control?
• An internal control is a process. It is a means to an end, not an
end in itself.
• An internal control is not merely documented by policy manuals and forms. Rather, it is put into effect by people at every level of an organization.
• An internal control can provide only reasonable assurance, not
absolute assurance, to an entity’s management and board.
• An internal control is geared to the achievement of objectives in
one or more separate but overlapping categories.
Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Internal Controls - Roles and Responsibilities
Everybody in the organization has responsibility for internal
controls.
– Board of Regents
– President
– Vice-Presidents
– Deans
– Department Chairs
– Business Administrators
– Clinic Managers
– Accountants
– Administrative Personnel
– Other Personnel/Staff
Internal Controls - Roles and Responsibilities
Internal controls are not Internal Audit’s responsibility.
• We do not make policy.
• We do not implement procedures.
• We are not responsible for the design, implementation, and reliability of internal controls.
• Internal Audit evaluates internal controls and the
related components.
• Internal Audit provides an objective assessment of
internal controls to determine if the controls in place
are functioning in an appropriate manner and to
determine if internal controls provide a reasonable
assurance regarding the effectiveness and efficiency of
operations, reliability of financial reporting, and
compliance with laws and regulations.
Internal Controls - Roles and Responsibilities
Internal controls cannot ensure success alone. The following can
still create problems:
– Poor Decisions
– Management Oversight
– Unethical Behavior
– Fraud
– Errors
– Undisclosed Conflicts of Interest
– Omissions
– Collusion
– Override of Controls
– Not Following Established Policies and Procedures
– Lack of Internal Policies and Procedures
– Unclear Roles and Responsibilities
Internal Control Elements – The COSO Model
Source: COSO
• Monitoring
• Control Activities
• Risk Assessment
• Information and Communication
• Control Environment
Control Environment
• Have clearly defined roles and responsibilities.
• Competence of personnel.
• Delegate responsibility for tasks but do not
delegate accountability.
• Management philosophy and operating style.
• Avoid a “by any means necessary” approach.
Segregation of Duties
Authorization, Custody, Recording
One person should not control an entire process from beginning to end.
Cash Receipts
• Are cash receipts logged when received?
• Are checks endorsed upon receipt?
• Who has custody of or access to the cash?
• Is all of the cash/checks received properly deposited?
• Is the cash deposited timely?
• Change or petty cash fund? Periodic surprise cash counts?
• Are the duties of receiving and depositing segregated from account reconciliations?
• Is the person reconciling using all documents?
Disbursements
• Who prepares and who authorizes the voucher?
• Who signs the invoices for payment?
• What is the business purpose?
• Are bills pre-paid or paid after-the-fact?
• Are bills paid within 45 days?
• Are goods properly maintained after they are received (are they
periodically inventoried, etc.)?
• Are payments to employees approved by someone higher in
institutional authority?
• Have purchases over $5,000 been approved by purchasing?
Procurement Card
• Is the cardholder the only user of the card?
• Are receipts properly maintained?
• Is a proper supervisor approving the purchases?
• Business purpose?
• Does the department have any approved exceptions to
the PCard policy?
• Reconciliation?
Payroll
• Do all hourly employees complete a time card?
• Do all monthly employees complete a paid leave form?
• Are time cards and paid leave forms signed by both the employees and their
supervisors?
• Do the time cards and paid leave forms agree to the data in the payroll
system?
• Who enters and approves the payroll system data?
• Do you verify paid leave balances?
• Overtime?
• Compensatory time?
• Payroll reconciliations?
• Termination Checklist?
Record Retention
• Do you know the record retention policies and
procedures?
• Do you request authorization from the Record Retention Officer prior to destroying any document?
Reconciliations
• Segregation of duties?
• Is the person performing the reconciliations signing
and dating?
• Is the account sponsor signing and dating the recs?
• Do you use all the supporting documentation?
• Is the account sponsor seeing all the originals?
The Audit Process and How to Work with Internal Audit
The Audit Selection Process: Risk Analysis vs. Rotational Schedule
The Institute of Internal Auditors requires risk analysis rather than a rotational schedule for annual audit plans.
• The Internal Audit Department lists all auditable entities and functions and compiles them into an ‘audit universe.’
• A risk analysis is used to determine which audits to perform on an annual basis.
Risk Analysis Criteria
• Prior audit findings
• Perceived sensitivity
• Control environment
• Confidence in operating management
• Changes in people or systems
• Complexity
• Time since last audit
Types of Audits Performed
College and Departments, Clinics, Functional Units, Athletics, Information
Technology/Systems, Special Reviews, Special Investigations, Centers
and Institutes, Sponsored Programs.
Financial, Operational, Compliance
Audit Process, Step-by-Step
Phases: Planning, Fieldwork, Reporting, Post Audit Review
Planning
1. Engagement letter
2. Preliminary request for information
3. Audit planning and audit program development
4. Entrance conference
Reporting
1. Exit conference
2. Draft audit report
3. Final audit report, with management responses and scheduled completion dates
Phase 1 – Audit Planning
Challenges
• Inefficiency and Disruption to Operations
• Miscommunication
• Incomplete Information
• Confusion about the Audit’s Purpose
Suggested Actions
• Designate an Audit Liaison
• Educate the Auditors and Yourself
• Disclose Known Issues and Concerns Ahead of Time
• Ask Questions
Phase 2 – Fieldwork: Assess Design of Internal Controls
Challenges
• Misunderstanding Your Processes and Controls
• Important Details Omitted
Suggested Actions
• Illustrate/Process Flow Charts
• Describe Actual Activities
• Written policies and procedures
• Include Front Line Personnel
Phase 2 – Fieldwork - Continued: Test Transactions and Analyze Results
Challenges
• Inadequate Documentation
• Unexecuted Documentation
• Missing Documentation
Suggested Actions
• Organize and Schedule Regular Check-ins
• Explore Alternatives
Phase 3 – Reporting
Challenges
• Surprise Findings
• Unrealistic Recommendations
Suggested Actions
• Open Communication
• Informal Fieldwork Closing Meeting/Debriefing
• Review the Draft Report and React Timely
• Urge Practicality
Phase 4 – Post Audit Review
Challenges
• Follow-up Timeline not Realistic
• Changes in Personnel
• Recommendations not Understood
Suggested Actions
• Develop a Plan of Action to Address Concerns
• Assign Responsibility/Accountability
• Perform a Self-Review
How to Work with Internal Audit
•We do not audit people; we audit processes.
•Your proactive attention and engagement
can go a long way toward making an audit
more useful for you and your department.
Internal Audit Help Line
As part of our service to the
University, we encourage any
employee to contact us with
questions relating to internal
controls or to discuss any issue
relating to risks and exposures in
their area of responsibility.
Call (405) 325-3411 or
(405) 271-2532 (Ask for an audit
manager)
or
Email us at:
Further Information
• Visit our website at www.ou.edu/audit
• Main Office Norman Campus
1816 West Lindsey Street
Phone number: 405-325-3411
• Satellite Office OUHSC Campus
Service Center Building Room 239
Phone number: 405-271-2532