Indiana University Internal Audit

Transcription

1 Indiana University Internal Audit What to Expect When You Are Audited November 21, 2013 Christine Swafford, CPA, CIA, CISA, CRMA Director, Indiana University Internal Audit

2 2 Objectives Introduction to Internal Audit Overview of Internal Audit purpose and activities How audits are selected Audit process Value added

3 3 Internal Audit at Indiana University Who are the auditors? What is internal audit? Why do we exist? What responsibilities and authority do we have? How do we decide what we re going to audit? How do we want to relate to and work with other university personnel?

4 4 Who are the auditors? 12 professional staff and one administrative assistant System-wide responsibility with staff located in BL and IUPUI Organization chart and other information at: Staff hold various certifications: CPA, CIA, CISA, CFE, CRMA, CMA

5 5 Your thoughts please: Financial focus? Compliance police? Trouble makers? People who come in after the battle and bayonet the wounded? Satan s spawn? What is Internal Audit?

6 6 What is Internal Audit? Internal auditing is an independent, objective, assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control, and governance processes.

7 7 Accounting Accounting vs. Auditing Includes the collection, classification, summarization, and communication of financial data. It involves the measurement and communication of business events. Auditing Considers business events too, but does not have the responsibility to measure and report them. Rather, auditing is primarily analytical and investigative and focused on the evaluation of various processes an organization employs to meet it s objectives..

8 8 Our Mission: Why does Internal Audit exist? Internal Audit can and should have a major impact on the effective administration of the university. We accomplish this by collaboratively working with other university personnel to identify, evaluate, and mitigate risks to the organization.

9 9 What responsibility & authority do we have? Internal Audit Charter outlines responsibility and authority

10 10 Introduction Internal Audit Charter (excerpts) Indiana University supports Internal Audit as an independent appraisal function to examine and evaluate University activities as a service to management and the Board of Trustees. The mission of Internal Audit is to support members of the University in the effective discharge of their responsibilities. To this end, Internal Audit will furnish them with analyses, recommendations, counsel, and information concerning the activities examined.

11 11 Internal Audit Charter Organization & Board Reporting The Internal Audit Director will report to the Vice President and General Counsel, with dotted line reporting to the Finance and Audit Committee of the Board of Trustees. The committee will have final approval of the hiring, firing and salary changes for the Director.

12 12 Internal Audit Charter Authorization & Responsibilities Internal Audit has the authority to audit all parts of the University and shall have full and complete access to any of the organization's records, physical properties, and personnel relevant to the performance of an audit. Documents and information given to internal auditors during a periodic review will be handled in the same prudent manner as by those employees normally accountable for them.

13 13 Internal Audit Charter Authorization & Responsibilities (continued) Internal Audit will have no direct responsibility or authority for any of the activities or operations they review. They should not develop and install procedures, prepare records, or engage in activities that would normally be reviewed by internal auditors. Furthermore, an internal audit does not in any way relieve other persons in the University of the responsibilities assigned to them.

14 14 Mission Objectives Internal Audit Charter Determine the accuracy and propriety of financial transactions Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes and procedures Verify the existence of University assets and ensure that proper safeguards are maintained to protect them from loss Determine the level of compliance with University policies and procedures, and state and federal laws and regulations

15 15 Internal Audit Charter Mission Objectives (continued) Evaluate the accuracy, effectiveness and efficiency of the University's electronic information and processing systems Determine the effectiveness and efficiency of organizations in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements Coordinate audit efforts with, and provide assistance to, the Indiana State Board of Accounts and other external auditors Investigate fraud and other allegations of misconduct

16 16 How do we decide what to audit? In a word.risk We use risk assessment at two levels within internal audit: 1. Development of a risk-based annual audit plan 2. Selection of focus areas within individual audit topics

17 17 Risk Based Annual Audit Plan Annual risk assessments done in conjunction with senior administrative personnel from all parts of the University community Audit Plans focused on the areas of highest risk that come out of the risk assessment process Annual Audit Plan presented to IU Board of Trustees for review and approval Periodic updates to audit plans based on updated or new risk information

18 How do we want to relate to and work with other University personnel? We desire to work collaboratively with you in a communicative and transparent environment. Key points: Collaborate Communicate Transparency 18

19 19

20 20 Type of Audit Activities Operational/Financial Audit Information Technology Audit Required Audits Assist External Auditors Transitional Management Review Administrative Management Review Consulting Allegation Investigations Risk Assessments

21 21 Risk Based Auditing Every audit we perform is risk based. Risks are anything that could jeopardize the achievement of your organizational or process objective or goals Risks are the things that can go wrong and can be at various levels; University Department Process

22 22 Risk Assessment Risk assessment is a process intended to; Identify significant risks Assess those risks What is the likelihood of occurrence? What is the potential impact? Manage risks through Avoidance Transfer or Sharing (Insurance) Mitigate with Controls Acceptance

23 23 You probably know, but haven t formally identified most of your risks For each objective, ask yourself: What could go wrong? What assets do we need to protect? How could someone steal from us? What is our greatest legal exposure? Could we be out of compliance with IU policy, or applicable laws or regulations? What else? Identifying Risks

24 24 Typical risks all organizations face Errors in financial & other reporting Non- compliance with policies, regulations, and laws Sub-optimized operational efficiency & effectiveness Loss of assets tangible & informational Unauthorized use or damage to data Damage to reputation Fraud

25 25 Assessing Risks Likelihood probability of occurrence Impact effect on IU/your organization Loss of resources Loss of public trust Violation of policies, laws, regulations Bad publicity Decreased enrollment What else? What about high impact/low likelihood risks?

26 26 Audit Process Overview Assignment Announcement Letter ( ) Entrance Meeting Preliminary planning and research Scope and objectives meeting Risk Assessment and Control Evaluation Meeting Preliminary work is completed

27 27 Audit Process Overview (continued) Fieldwork and communications Draft report Quality Assurance Review Draft report final review Draft report sent to client Exit meeting, if needed Report issued Follow-up review

28 28 Audit Process Assignment & Announcement We assign 1-2 auditors to work on your audit, usually a senior auditor and an auditor. If the project has an IT component, and IT auditor may also be assigned in addition to the 1-2 financial/operational auditors. An announcement is sent to the client announcing the audit activity.

29 29 Audit Process Entrance Meeting The Entrance Meeting is schedule with the key participants, generally the unit head and the fiscal officer at a minimum We go over the process of how the audit will flow and any risk areas or areas of concern the unit would like us to include in the audit. We will also discuss ways we believe the audit will add value to the unit.

30 30 Audit Process Preliminary Planning & Research We look at a bunch of stuff: Web sites, Past audits Risks at other universities with similar operations IUIE queries Interviews we ask a lot of questions of all key staff and sometimes others Risk Assessment and Control Evaluation (RACE) Matrix prepared Background Memo document prepared

31 31 Audit Process Internal Planning and Evaluation This phase is internal. The audit team meets with the Director and Executive Director to review and answer questions related to the background memo and RACE matrix. Purpose is to ensure we are focused on highest risks to the operation and are adding value.,

32 32 Audit Process RACE Meeting with Client We share the RACE matrix with you and meet to go over the document to: Ensure we have documented processes and controls accurately Make sure we didn t miss any risks Discuss audit strategy and next steps

33 33 Audit Process Fieldwork and Communications Fieldwork = our audit plan, the steps and testing we plan to carry out to test the internal controls Communications: Should be often, transparent, and collaborative Issues or findings should be discussed as they are discovered to ensure our understanding of the process and facts If issues are identified, action plans to fix the issues are discussed and often times resolution is started during the audit

34 34 Audit Process Findings Meeting We meet with the client and go over each finding We cover what the problem is, what the criteria is which makes it an issue, what the root cause is (why it happened), and the risks to the unit if the issue is not fixed. Key point A client action plan to fix the finding is developed and discussed at the meeting.

35 35 Five Ways You Benefit 1. Confirmed controls were effective (assurance) Objective assessment of operations / governance/ etc. Provides guidance to see the relevance of internal controls

36 36 Five Ways You Benefit 2. Facilitated new processes or procedures to improve effectiveness of control environment and operational environment Improved or implemented segregation of duties Identified areas where fraud could occur and verified controls Shared or facilitated best practices Shared Internal Audit staff expertise Demonstrated to management which control processes are cost-beneficial and which are not.

37 37 Five Ways You Benefit 3. Facilitated new processes or procedures to improve efficiencies of control environment and operational environment Provided contacts to leverage university assets

38 38 Five Ways You Benefit 4. Facilitated solution to existing problem Created continuous monitoring application

39 39 Five Ways You Benefit 5. Demonstrated to management which areas within the organization contain the greatest/least amount of risk Provided the Risk Assessment Control Environment document

40 40 Summary If you are selected for an audit, you can expect: Objective and independent focus on RISK Lots of questions Collaborative and transparent communications Value added benefits

41 41

42 42 Questions? Christine Swafford

43 Back-up Slides 2014 Internal Audit Plan Detail 43

44 44 Audit Plan for Fiscal Year 2014 by Location University Administration Export Controls Human Subjects - IRB Consulting - Departmental Research Computing Management Programs Involving Children Policy Compliance Risk Assessment - Clery Act Risk Assessment - Financial Aid Program Development Risk Assessment - PS & IA Work plan Development Federal Awards Audit - Assist State Board of Accounts* University Financial Audit - Assist State Board of Accounts* Investment Processes and Controls Employment Documentation Licensing and Trademarks Custodial Fund Operations and Controls Henry Strong Loan* Payroll Processes and Controls Campus Card Systems - Regional Campuses VP & CFO - TMR Disposal of Electronic Equipment - All Campuses Data Classification Process and Policies Affiliate Access to University Information 200 Sub-Total %

45 45 Audit Plan for Fiscal Year 20134by Location (cont.) Bloomington Hours Percent Consulting - Center for Survey Research Financial Practices Consulting - Center for Genomics & Bioinform. Financial Practices Public Safety & Institutional Assurance Review Jacobs School of Music - AMR IU Art Museum Operations Bradford Woods Intensive English Program Revenue Processing Drosophila Center Revenue Processing School of Journalism IT General Controls Cognitive Science IT General Controls School of Informatics and Computing IT General Controls Chemistry IT General Controls School of Optometry IT General Controls Dean Kelley School of Business - TMR VP Diversity, Equity and Multicultural Affairs - TMR Radio and TV - Assist State Board of Accounts* Document Service Centers NCAA Agreed Upon Procedures - Assist External Auditor* NCAA Compliance - Eligibility Bylaw Athletics Team Travel Football Ticket Settlements* Basketball Ticket Settlements* Optometry Clinics Billing System 200 Sub-Total %

46 46 Audit Plan for Fiscal Year 2014 by Location (cont.) Indianapolis IACUC - Dental School IACUC - School of Science Schools of Public Health at IUPUI and BL - AMR NCAA Agreed Upon Procedures - Assist External Auditor* Public Safety and Institutional Assurance Review Camp Brosius Revenue Processing IUPUI Scholarship Office University College IT General Controls School of Social Work IT General Controls McKinney School of Law Dean - TMR Consulting - Athletics Operational Process Reviews Dentistry Clinic Billing System Grad Med Ed - Residency Management Systems & Processes School of Medicine Compliance with Mobile Device Policy School of Medicine IT General Controls # School of Medicine IT General Controls # School of Medicine IT General Controls # School of Medicine IT General Controls # School of Medicine IT General Controls # School of Medicine IT General Controls # Consulting - Validation of Funds for School of Medicine Dean Consulting - School of Medicine Financial Reporting School of Medicine NIH Salary Cap Limitations Risk Assessment - Clinical Systems Applications 100 Sub-Total %

47 47 Audit Plan for Fiscal Year 2014 by Location (cont.) East Public Safety and Institutional Assurance Review EA Chancellor - TMR 100 Sub-Total 200 2% Kokomo Public Safety and Institutional Assurance Review KO Chancellor - TMR 100 Sub-Total 200 2% Northwest Public Safety and Institutional Assurance Review 100 Sub-Total 100 1% South Bend Public Safety and Institutional Assurance Review Financial Aid Operations SB Chancellor -TMR 100 Sub-Total 350 3% Southeast Public Safety and Institutional Assurance Review SE Chancellor - TMR 100 Sub-Total 200 2% University Totals 11, %

48 48 Audit Plan for Fiscal Year 2014 by Audit Type Finance & HR Hours Percent Bradford Woods Document Service Centers Drosophila Center Revenue Processing Intensive English Program Revenue Processing Camp Brosius Revenue Processing IU Art Museum Operations Consulting - School of Medicine Financial Reporting Consulting - Validation of Funds for School of Medicine Dean Custodial Fund Operations and Controls Employment Documentation Henry Strong Loan* Investment Processes and Controls Licensing and Trademarks School of Medicine NIH Salary Cap Limitations Payroll Processes and Controls 300 Sub-Total %

49 49 Audit Plan for Fiscal Year 2014 by Audit Type (cont.) Information Technology Hours Percent Affiliate Access to University Information Campus Card Systems - Regional Campuses Chemistry IT General Controls Cognitive Science IT General Controls School of Informatics and Computing IT General Controls School of Journalism IT General Controls School of Optometry IT General Controls School of Social Work IT General Controls University College IT General Controls Consulting - Departmental Research Computing Management Data Classification Process and Policies Dentistry Clinic Billing System Optometry Clinics Billing System Disposal of Electronic Equipment - All Campuses Grad Med Ed - Residency Management Systems & Processes Risk Assessment - Clinical Systems Applications School of Medicine Compliance with Mobile Device Policy School of Medicine IT General Controls # School of Medicine IT General Controls # School of Medicine IT General Controls # School of Medicine IT General Controls # School of Medicine IT General Controls # School of Medicine IT General Controls #6 150 Sub-Total %

50 50 Audit Plan for Fiscal Year 2014 by Audit Type (cont.) Academic & Student Affairs Hours Percent Center for Genomics & Bioinform. - Consult Financial Practices Center for Survey Research - Consult Financial Practices Financial Aid Operations IUPUI Scholarship Office Risk Assessment - Financial Aid Program Development 100 Sub-Total 850 7% Athletics Hours Percent Athletics Team Travel Basketball Ticket Settlements* Football Ticket Settlements* NCAA Compliance - Eligibility Bylaw IUPUI Consulting - Athletics Operational Process Reviews 200 Sub-Total 700 6% Other Significant Processes & Activities Hours Percent Export Controls Human Subjects IRB IACUC - Dental School IACUC - School of Science Programs Involving Children Policy Compliance Public Safety and Institutional Assurance Review - BL Public Safety and Institutional Assurance Review - EA 100

51 51 Audit Plan for Fiscal Year 2014 by Audit Type (cont.) Other Significant Processes & Activities (cont.) Hours Percent Public Safety and Institutional Assurance Review - IN Public Safety and Institutional Assurance Review - KO Public Safety and Institutional Assurance Review - NW Public Safety and Institutional Assurance Review - SB Public Safety and Institutional Assurance Review - SE Risk Assessment - PS and IA Workplan Development Risk Assessment - Clery Act 100 Sub-Total % Organizational Transition Management Reviews (TMR) Jacobs School of Music AMR Fairbanks School of Public Health - AMR Kelley School of Business Dean - TMR VP Diversity, Equity and Multicultural Affairs - TMR East Campus Chancellor TMR McKinney School of Law Dean - TMR Kokomo Campus Chancellor - TMR South Bend Campus Chancellor - TMR Southeast Campus Chancellor - TMR VP & CFO - TMR 200 Sub-Total %

52 52 Audit Plan for Fiscal Year 2014 by Audit Type (cont.) Assist External Auditors Federal Awards Audit - Assist State Board of Accounts* University Financial Audit - Assist State Board of Accounts* NCAA Agreed Upon Procedures - Assist External Auditor* NCAA Agreed Upon Procedures - Assist External Auditor* Radio and TV - Assist State Board of Accounts* 50 Sub-Total 425 4% *Required/Recurring Audits University Totals 11, %

53 53 Audit Plan for Fiscal Year Summary Hours Items Percent 1 Hours Items Percent Planned Audits 11, % Fiscal 2013 in Process % Prior Audit Follow-ups % Allegations/Investigations % Totals 13, %