- What is Internal Auditing?
- To whom does Internal Audit report?
- I just had other auditors in my area; why are you performing another audit?
- How are audits chosen?
- What types of audits are conducted?
- What are Internal Controls?
- Is IAAS responsible for maintaining the University’s systems of internal controls?
- What should I expect during an audit?
- Will I be kept informed during the audit process and will I have a chance for input before the audit report is issued?
- Is having an audit observation bad?
- My report has a lot of observations, are my operations that bad?
- Will good things I do be pointed out?
- Do I have to implement the auditors’ recommendations?
- How long does an audit take?
- How can Boise State employees help the internal auditing department?
- Can I ask IAAS for Assistance When I’m Not Being Audited?
- Why would I want to request an audit?
- Are auditors looking for fraud when performing audits?
- What should I do if I suspect someone is committing fraud?
- Who Audits the Auditors?
The Institute of Internal Auditors (IIA) definition is:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit and Advisory Services (IAAS) reports directly to the Idaho State Board of Education Audit Committee and administratively to the University President.
In addition to being audited by IAAS, the University units and departments may also be audited by external auditors. External auditors include the outside CPA firm engaged to perform the annual audit of the University financial statements, and could include Idaho Legislative Auditors, Federal Auditors, Environmental Health and Safety Auditors, or other auditors. In addition, employees from the University Controller's office may perform “audits” of your area. However, these audits are very narrowly focused (often only on a small group of transactions) and are not as substantial as those performed by IAAS. While we try to eliminate or reduce duplication of effort by coordinating our schedule with these other auditors, an area or department may occasionally be reviewed more than once during the year.
Each year IAAS prepares an assessment of risk exposures that may affect the University. An annual audit plan is then developed based on this assessment. The IAAS plan includes cyclical internal control reviews of campus units as well as audits focused on areas or processes identified in the audit risk assessment. A variety of factors are used to prioritize these audits including materiality, quality of internal controls, degree of change or stability, complexity, and length of time since the last internal audit was performed. The audit plan may be revised during the year if more exigent University risks arise. The Executive Director IAAS finalizes a draft of the audit plan and reviews it with the University President for input. It is then submitted to the State Board of Education Audit Committee for review, input and approval.
There are many different types of audits. An audit may be of one or more of the following types:
These audits are examinations of financial transactions and systems/procedures used to process them. These types of audits may also include assessment of balances or amounts on financial statements or reports.
Compliance audits determine the degree to which the University or a University unit adheres to laws, regulations, policies, procedures, or contract agreements.
Operational audits are designed to test the efficiency and economy of operations. Performance audits are designed to audit progress towards goals or objectives established by University management.
Internal Audit undertakes investigative audits when circumstances or evidence suggest a fiscal irregularity involving University resources.
- Follow-up Audits
This work determines whether management has taken appropriate, effective and timely action to address previously reported issues.
Internal controls encompass a unit’s entire set of methods and procedures that are used in the day-to-day activities of the unit. These methods and procedures safeguard the unit’s assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed policies. Effective internal control systems are designed to ensure that resource use is consistent with laws, regulations, and policies, and to safeguard resources from waste, loss, and misuse.
No. University management is responsible for maintaining an adequate system of internal control. Internal Audit independently evaluates the adequacy of existing internal control systems by analyzing and testing controls, and makes recommendations to improve controls based on this analysis.
Unless we are conducting an investigative audit, you will be notified in advance that we will be starting an audit in your department, and we will request to set up an entrance meeting. The purpose of the entrance meeting is to explain the audit and the audit process. During the entrance, please ask questions, express your concerns, and make any special requests you might have.
After the entrance meeting, auditors will begin their fieldwork. Fieldwork includes, but is not limited to:
- Formal and informal meetings or discussions with employees in your area
- Walk-through of systems and processes
- Examination of financial documentation
- Evaluation of IT systems used
- Transaction testing
Once fieldwork is complete, we will prepare a draft of all audit observations and recommendations. We will then schedule an exit meeting to discuss these observations with you. Again, during the exit meeting it is important that you communicate concerns and identify errors. If you disagree with an audit observation we will ask you to provide extra information to support your side and will re-perform work if necessary. Following the exit meeting, we will prepare and issue the final audit report (including management responses).
Will I be kept informed during the audit process and will I have a chance for input before the audit report is issued?
Yes. During the audit, the assigned auditor(s) will keep you and your employees informed of progress. Auditors may discuss some audit issues with you or your staff during the fieldwork. However, all issues will be discussed with you during the exit meeting at the end of fieldwork.
During the fieldwork please ask questions and talk to the auditors. Please make time for them while they are performing your audit. Our auditors understand you are busy and have jobs to do. They will try to stay out of your way as much as possible. If you would like more frequent updates or are simply curious, just ask.
Take advantage of the exit meeting. Ask questions and don’t be afraid to disagree with an audit observation. The purpose of the exit meeting is to communicate issues and make sure they are accurately resolved. We will make reasonable efforts to work with you.
Having an IAAS observation in your report is not necessarily bad. Our audit observations are meant to provide you with information so that you can effectively manage risks in your area of responsibility that may prevent you from achieving your objectives. Observations generally assist you in performing your responsibilities more adequately and effectively.
Not necessarily. The observations we provide to you prior to the exit meeting are opportunities we have identified to help you manage risks more adequately and effectively. We take the view that you are our client and we strive to provide you with the best and most comprehensive information for you to make decisions to improve the procedures and controls in your area of responsibility.
Yes. Typically, IAAS will identify best practices while performing audit fieldwork. However, if there is something you are very proud of or want to share, please bring it to the auditors’ attention. We may include it in our report, share it with other units as a best practice, or recommend that the University adopt it campus-wide.
Our recommendations are provided because we don’t want to identify problems without offering suggested solutions. The decision to implement the suggested solutions is up to management. We want to discuss our recommendations further if there are disagreements to ensure that any differences in opinion are accurately discussed, considered, and resolved. In some cases this could result in a recommendation being modified or dropped from our report. However, if after the discussions, there continues to be disagreement on the recommendation, IAAS is required to bring the matter to the attention of the University President and the State Board of Education Audit Committee, if considered necessary, for final resolution.
Audits may last several days or several months and will vary in length depending on an area’s size, complexity, and the specific audit objectives. Not all the time devoted to the audit will be evident to you because a lot of the time for preparation, analysis, and related audit work can be performed without direct assistance. The availability of audit documentation and the responsiveness of your department to audit requests and questions also affect the time required to complete an audit.
You can help with the following:
- Document and maintain procedures in easily accessible manuals. Include current organizational charts, detailed position descriptions, and duty lists.
- Develop an understanding of internal control structures: why, when, and how to separate duties; how to cross-check to ensure the accuracy of records; how to keep control accounts and reconcile data; and how to control automated systems for processing data.
- Maintain “audit trails” – the documents or evidence accompanying and supporting references to transactions or actions authorized by management. Adequate audit trails include:
  - Requiring signature approvals
  - Developing efficient forms or computerized processes to document important, routine decisions
  - Maintaining memoranda documenting important and unusual decisions.
- Conduct and document your own quality control reviews, including action taken to address problems and adhere to requirements to retain documents.
Finally, if you suspect or know that someone is involved in some irregularity, please report the individual immediately by contacting the University Compliance Office. You can also contact IAAS directly. You have a responsibility as a member of the Boise State University community to report irregularities.
While our department’s mission is principally accomplished through formal audits, there is no need for you to rely solely on audits to utilize the resources of our department. IAAS acts as an in-house consultant on internal control matters, and will be happy to provide you with information and suggestions on controls in specific areas.
An audit is very beneficial to assess procedures and controls within your area, identify risks and identify areas for improvement or change. This assistance may be especially helpful if you have recently assumed a new or additional supervisory role, have implemented (or are planning to implement) a new process or IT system, or have had key employee turnover.
Unless they are performing an investigative audit, auditors are not specifically searching for the existence of fraud. During a routine audit they are more concerned with ensuring that adequate systems of internal control exist to reduce the risk of fraud. However, procedures are performed that are meant to detect potential fraud and to assess your area’s exposure to fraud-related risk.
If you suspect fraud or other questionable acts in your department contact your supervisor, the University Compliance Office, or IAAS. Do not try to investigate or resolve the issue yourself.
The Institute of Internal Auditors requires that an external review (Quality Assurance Review) be performed on the Internal Audit Department operations at least once every five years. These reviews can be performed by an external review team or can be a self-assessment with independent validation by a qualified reviewer. These reviews cover compliance with IIA standards including independence and objectivity, audit planning and coverage, audit documentation and reporting, and staffing. We have included a copy of the report on our last review in the Quality Assurance Review section.