- What is Internal Auditing?
- To whom does Internal Audit report?
- I just had other auditors in my area; why are you performing another audit?
- How are audits chosen?
- What types of audits are conducted?
- What are Internal Controls?
- Is IAAS responsible for maintaining the University’s systems of internal controls?
- What should I expect during an audit?
- Will I be kept informed during the audit process and will I have a chance for input before the audit report is issued?
- Is having an audit observation bad?
- My report has a lot of observations, are my operations that bad?
- Will good things I do be pointed out?
- Do I have to implement the auditors’ recommendations?
- How long does an audit take?
- How can Boise State employees help the internal auditing department?
- Can I ask IAAS for Assistance When I’m Not Being Audited?
- Why would I want to request an audit?
- Are auditors looking for fraud when performing audits?
- What should I do if I suspect someone is committing fraud?
- Who Audits the Auditors?
The Institute of Internal Auditors (IIA) definition is:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit and Advisory Services report directly to the University President. It also reports to the Audit Committee of the Idaho State Board of Education when requested.
In addition to being audited by IAAS, the University units and Departments may also be audited by external auditors. External auditors could include the outside CPA firm engaged to perform the audit of the University financials, Idaho Legislative Auditors, Federal Auditors, Environmental Health and Safety Auditors, or compliance auditors.
While we try to eliminate or reduce duplication of effort by coordinating our schedule with these other auditors, we have no control over their audit plans and our contact with them varies. Consequently, an area or department may occasionally be reviewed more than once during the year.
In addition, employees from the University Controllers office may perform “audits” of your area. However, these audits are very narrowly focused (often only on a small group of transactions) and are not as substantial as those performed by IAAS.
Each year IAAS prepares an assessment of risk exposures that may affect the University. An audit plan is then developed based on this assessment. The objective of the audit plan is to provide University management with information needed to mitigate those risks.
IAAS has prepared a plan which includes cyclical internal control reviews of campus units as well as audits focused on areas or processes identified in the audit risk assessment. A variety of factors are used to prioritize these audits including dollar materiality, quality of internal controls, degree of change or stability, complexity, and length of time since the last engagement. Available audit hours are also considered. The audit plan is revised and changed throughout the year.
Every year the Audit Director provides the University President with an audit plan for his approval.
There are many different types of audits. An audit may be of one or more of the following types:
These audits are examinations of financial transactions and systems/procedures used to process them. These types of audits may also include assessment of balances or amounts on financial statements or reports.
Compliance audits determine the degree to which the University or a University unit adheres to laws, regulations, policies, procedures, or contract agreements.
Operational audits are designed to test the efficiency and economy of operations. Performance audits are designed to audit progress towards goals or objectives established by University management.
Internal Audit undertakes investigative audits when circumstances or evidence suggest a fiscal irregularity involving University resources.
- Follow-up Audits
This work determines whether management has taken appropriate, effective and timely action to address previously reported issues.
Internal controls encompass a unit’s entire set of methods and procedures that are used in the day-to-day activities of the unit. These methods and procedures safeguard the unit’s assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed policies. Effective internal control systems are designed to ensure that resource use is consistent with laws, regulations, and policies, and to safeguard resources from waste, loss, and misuse.
No. University management is responsible for maintaining an adequate system of internal control. Internal Audit independently evaluates the adequacy of existing internal control systems by analyzing and testing controls, and makes recommendations to improve controls based on this analysis.
Unless we are conducting an investigative audit, you will be notified in advance that we will be starting an audit in your department, and we will request to set up an entrance meeting. The purpose of the entrance meeting is to explain the audit and the audit process. During the entrance, please ask questions, express your concerns, and make any special requests you might have.
After the entrance meeting, auditors will begin their field work. Fieldwork includes, but is not limited to:
- Formal and informal meetings or discussions with employees in your area
- Walk-through of systems and processes
- Examination of financial documentation
- Evaluation of IT systems used
- Transaction testing
Once fieldwork is complete, we will prepare a draft of all audit observations and recommendations. We will then schedule an exit meeting to discuss these observations with you. Again, during the exit meeting it is important that you communicate concerns and identify errors. If you disagree with an audit observation we will ask you to provide extra information to support your side and will re-perform work if necessary. Following the exit meeting, we will prepare and issue the final audit report (including management responses).
Will I be kept informed during the audit process and will I have a chance for input before the audit report is issued?
Yes. During the audit, the assigned auditor(s) will keep you and your employees informed of progress. Auditors may discuss some audit issues with you or your staff during the fieldwork. However, all issues will be discussed with you during the exit meeting at the end of field work.
During the fieldwork please ask questions and talk to the auditors. Please make time for them while they are performing your audit. Our auditors understand you are busy and have jobs to do. They will try to stay out of your way as much as possible. If you would like more frequent updates or are simply curious, just ask.
Take advantage of the exit meeting. Ask questions and don’t be afraid to disagree with an audit observation. The purpose of the exit meeting is to communicate issues and resolve any mistakes or misunderstandings. We will make reasonable efforts to work with you. Please remember that as much as we would like not to issue reports, IAAS does have an obligation to other stakeholders in your operations. Therefore, we are required to report on some issues.
No. Having IAAS put an audit observation in your report is not bad. Having an audit observation in an external audit report is bad. Having fraud occur in your area is very bad. Having inefficient operations is a waste of resources.
Our audit observations are simply meant to provide you with information so that larger issues might be prevented.
No. The list of observations we provide to you prior to the exit may seem overwhelming and make you feel as if your operations are poor. However, don’t view them as such. First, not all items are included in the final report. Some are provided only for your information. Second, we try to perform a comprehensive and detailed review. Doing so will always generate a long list of issues. We take the view that you are our client and we owe it to you to deliver this type of review and so that you have the best information available to you to make decisions.
Yes. We have recently started identifying commendable practices in our audit reports. Typically, auditors will identify these practices while performing their audit fieldwork. However, if there is something you are very proud of or want to share, please bring it to the auditors’ attention. We may include it in your report, share it with other units as a best practice, or recommend that the University adopt it campus-wide.
Yes and no. Obviously, if we have included an issue in a formal audit report it is something that needs to be addressed. However, you do not necessarily need to accept the specific recommendation of IAAS.
Our recommendations are provided because we don’t want to identify problems without offering solutions. Also, many of our observations are focused on financial or IT systems. Some employees do not have a strong background in these areas and prefer we provide them with a solution. If you have a different way of reasonably addressing the issue, then that is perfectly acceptable. Also keep in mind that we generally try to
provide a recommendation that can be implemented with the resources you currently have. If unlimited resources were available, our recommendation might be different.
Audits may last several days or several months and will vary in length depending on an area’s size, complexity, and the specific audit objectives. Not all the time devoted to the audit will be evident to you because of the amount of preparation, analysis, and related work needed to document the effort. The availability of audit documentation and the responsiveness of your department to audit requests and questions also affect the time required to complete an audit.
You can help with the following:
- Document and maintain procedures in easily accessible manuals. Include current organizational charts, detailed position descriptions, and duty lists.
- Develop an understanding of internal control structures: why, when, and how to separate duties; how to cross-check to ensure the accuracy of records; how to keep control accounts and reconcile data; and how to control automated systems for processing data.
- Maintain "audit trails" – the documents or evidence accompanying and supporting references to transactions or actions authorized by management. Adequate audit trails include:
- Requiring signature approvals
- Developing efficient forms or computerized processes to document important, routine decisions
- Maintaining memoranda documenting important and unusual decisions.
- Conduct and document your own quality control reviews, including action taken to address problems and adhere to requirements to retain documents.
Finally, if you suspect or know that someone is involved in some irregularity, please report the individual immediately by contacting the Internal Audit and Advisory Services. See the Reporting Fraud, Waste and Abuse link above for various ways of communicating with IAAS. You have a responsibility as a member of the Boise State University community to report irregularities.
Always! While our department’s mission is principally accomplished through formal audits, there is no need for you to rely solely on audits to utilize the resources of our department. IAAS acts as an in-house consultant on internal control matters, and will be happy to provide you with information and suggestions on controls in specific areas.
An audit is very beneficial to assess operations within your area and identify areas for improvement or change. This assistance may be especially helpful if you have recently assumed a new or additional supervisory role, have implemented (or are planning to implement) a new process or IT system, or a key employee has left.
Unless they are performing an investigative audit, auditors are not specifically searching for the existence of fraud. During a routine audit they are more concerned with ensuring that adequate systems of internal control exist to reduce the risk of fraud. However, procedures are performed that are meant to detect potential fraud and to assess your area’s exposure to fraud related risk.
If you suspect fraud or other questionable acts in your department contact your supervisor, University Counsel, or the Director of Internal Audit immediately. Do not try to investigate or resolve the activity yourself.
The Institute of Internal Auditors requires that an external review (Quality Assurance Review) be performed on the Internal Audit Department operations at least once every five years. These reviews can be performed by an external review team or can be a self assessment with independent validation by a qualified reviewer. These reviews cover compliance with IIA standards including independence and objectivity, audit planning and coverage, audit documentation and reporting, and staffing.