What does Internal Audit Look for?

Basically, Internal Audit looks at what is happening and compares it to what should be happening, as defined by:

  • Laws, rules, regulations, policies
  • Sound business practices
  • Strategic Planning – clarity of objectives/goals; risk assessment
  • Culture, Management Style, Synergism
  • Knowledge of authority
  • Clarity of responsibilities
  • Communication
  • Awareness of applicable laws, rules, regulations, policies
  • Presence of controls to ensure objective are achieved
  • Segregation of responsibilities
  • Monitoring
  • Evaluation and continuous improvement

Risk Assessment

A risk assessment is the identification and analysis of relevant risks associated with the achievement of objectives.  Annually, Internal Audit considers an assessment of risks in conjunction of the annual audit plan. This assessment is informal in nature and is prepared with input from management, risks identified at other universities, and current economic concerns. The risk assessment forms the basis for the annual audit plan.

 Annual Audit Plan

The annual audit plan includes audits required by University policy, by UL System policy or requests, management requests, and those areas identified during the risk assessment process as having higher exposure to risks. The audit plan outlines the projects for the fiscal year, including the audit objectives, type of audit, and budget hours allocated to each project.  The plan is approved by the University President and the Board of Supervisors of the UL System.  Deviations from the annual plan require the President’s approval.

Types of Audits

  • Operational Audits examine if the use of University’s resources are being used effectively and efficiently. An operational audit includes elements of compliance, financial and electronic data processing audits.
  • Financial Audits examine accounting and reporting financial transactions, authorizations, and receipt and disbursement of funds to determine there are sufficient controls over cash and cash-like assets and there are adequate controls over the acquisition and use of resources.
  • Compliance Audits determine if the University is in compliance with state and federal laws and regulations, with UL System policies and procedures, with grants and other contractual agreements, and applicable University policies.
  • Internal Control Reviews focus on the components of the University’s major business activities, including grants and contracts, physical security, inventory and equipment, payroll and benefits, and cash handling.
  • Investigative Audits are performed when necessary.  These audits focus on alleged civil or criminal violations of state, federal or university polices and procedures that may result in prosecution or disciplinary action.
  • Information Systems Audits examine if internal control operations of automated information processing systems and how people use those system. Generally these audits evaluate input, output, and processing controls; backup and recovery plan; and system security.
  • Follow-up Audits are conducted after an internal or external audit report has been issued.  It is performed to determine if sufficient corrective action has been implemented relative to the original report.

Planning

During the planning stage of an audit, the auditor reviews prior audit reports issued for the area or department, applicable polices and procedures, laws and regulations and other relevant information. It is during this stage that the scope of work is determined and an audit program is developed to meet the objectives of the audit.

Notification/Entrance Conference

Departments or areas selected for audit will be notified in most cases, by e-mail.  This notification will include the purpose, objectives and scope of the audit of department under review.  There are cases in which the department may not be notified prior to audit, due to the nature of the audit (impromptu cash counts or investigations of alleged improper activity).  An entrance conference may or may not be scheduled. Basically it will depend on; if the nature of the audit warrants a physical meeting or a meeting is requested by upper management.

Fieldwork

During this stage, the auditor identifies, examines, and collects sufficient and reliable data to accomplish the scope and objectives of the audit. The auditor communicates and discusses any opportunities identified with management and the appropriate personnel.

Draft Audit Report/Exit Conference

Once the fieldwork is completed, a draft report is prepared.  The draft report communicates to management and the appropriate personnel the results of the audit process and recommendations.  The report accompanies a notification, generally by e-mail, stating that fieldwork has been completed and management’s response to any identified opportunities for improvement or observations is requested.  An exit conference may or may not be scheduled. In most cases, it will depend on; if the nature of the results warrants a physical meeting or a meeting is requested by upper management.

Final Report and Distribution

Management responses are incorporated into the draft report to produce the final report.  The final report is distributed to the President, the President’s Cabinet, the System Director of the UL System, and the audited department’s administration and management.

Follow Up Report

The follow-up process is to determine if management has implemented the corrective action as indicated in management’s response in the initial audit report.  The follow-up report is due to the University of Louisiana System approximately six months after the final report.

Internal Controls are operating practices or activities that are established to provide reasonable assurance that specific objectives will be achieved.

Primary objectives of an internal control system are:

  • Compliance with applicable policies, procedures, plans, laws, regulations and contracts;
  • Reliability and integrity of information;
  • Economic and efficient use of resources; and
  • Safeguarding of assets.

Accomplishment of these objectives increases the likelihood that the goals and objectives established by the University will be met.

The 5 “Components of Internal Control” represent those means by which the University can achieve its objectives:

  1. Control Environment – sets the overall tone of the organization;
  2. Risk Assessment – management’s identification of risk;
  3. Information and Communication System – a means of recording transactions and communicating responsibilities;
  4. Monitoring – assessment of internal control over time; and
  5. Existing Control Activities -policies and procedures established to ensure that management’s directives are carried out.

Controls are any action taken by management to increase the likelihood that established goals and objectives are achieved.

Controls can be directive, preventative or detective. Directive controls are those designed to establish desired outcomes; preventative controls are designed to prevent errors, irregularities or undesirable events from occurring; and detective controls are those designed to detect and correct undesirable events which have occurred.  Below are several examples of each control.

 Directive Controls

  • Policies and procedures
  • Laws and regulations
  • Training seminars
  • Job descriptions
  • Meetings

Preventative Controls

  • Segregation of duties (authorization, recordkeeping & custody of the related assets should not be performed by the one same individual)
  • Physical control over assets
  • Locking office door to discourage theft
  • Using passwords to restrict computer access
  • Shredding documents with confidential information

Detective Controls

  • Exception reports which list incorrect or invalid entries or transactions
  • Reviews and comparisons
  • Reconciliations
  • Physical counts of inventories

Internal Control is not always good if:

  • It is excessive.   A control that unnecessarily increases the complexity of a transaction process without adding value to the activity being controlled is ineffective and a waste of resources; and
  • Have costs that outweigh the derived benefits.

Establishing and maintaining a system of internal controls is the responsibility of management. In order to maintain effective internal controls, management should:

  1. Maintain adequate policies and procedures;
  2. Communicate these policies and procedures; and
  3. Monitor compliance with policies and practices.