The Richard Stockton College Of New Jersey Internal Audit Department Audit Committee Presentation October 25, 2013 Carlton Skip Collins, CISA
WHO IS INTERNAL AUDIT at Richard Stockton College? Internal Audit is not just a department that reviews Financial and Information Technology areas, but is really comprised of a number of stakeholders with specific responsibilities as follows:
Stakeholders & Roles
Board of Trustees: determines and approves strategies, sets objectives and ensures the objectives are being met
Audit Committee: provides oversight of the College's financial practices and standards of conduct
College President: ultimately responsible for financial practices of the College and provides input for audit consideration and Management Requests
Senior Management: defines, develops, implements, and documents the internal control structure
External Audit: attests to the fair statement of financial results
Internal Audit: performs more detailed and specific audits of the College's financial operations
Definition of Internal Audit Internal Audit, as defined by the Institute of Internal Auditors, is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The purpose of the Office of Internal Audit is to provide quality auditing services to ensure the adequacy and effectiveness of the College's system of internal controls and the quality of performance by various operations.
How does Internal Audit perform their work? Internal Audit performs an audit risk assessment from which an annual audit plan is developed and presented to the Board of Trustees Audit Committee for their approval. Allowance is made for College President requests, Management Requests and special circumstances that may arise throughout the year.
Auditing consists of two major areas:
1. Financial areas such as:
Financial Management over: Accounting, Accounts Receivable, Accounts Payable, Fixed Assets, Payroll, Depreciation, Cash Handling, Cash Management, Financial Reporting, Human Resources, Plant Operations and Purchasing
Consideration will also be given to: The RSC Foundation, The Stockton Seaview Country Club, SASI
AND
2. Information Technology areas such as:
Physical Security: Physical Access, HVAC, Fire Protection and UPS
Backup/Contingency Planning: Data Backups and Restore Procedures, Offsite Storage, Business Resumption Plans and Annual Disaster Recovery Planning and Testing
Change Management: Program Change Controls, Tracking and Change Approvals/Authorizations
Network Controls: access only to authorized users
[Figure: Yearly Auditing Cycle (1 Year Cycle). Steps: 1. Risk Assessment; 2. Audit Schedule and Budget; 3. Audit Program; 4. Audit Tests; 5. Analysis; 6. Audit Results; 7. Reporting]
1. AUDIT RISK ASSESSMENT A college-wide Audit Risk Assessment (ARA) is the first step in a risk management program of assessing audit risks, evaluating risks and controls, reviewing control effectiveness, and implementation of strategies to achieve the Board's acceptable risk level. The college-wide audit risk assessment for RSC began in 2013. The ARA includes identifying and ranking the key financial, operational, strategic, and information technology (IT) processes within the organization based on inherent and specific risks. The overall risk for each process is based upon the process's potential impact to the organization and the vulnerability of the risk occurring given the current environment. The risk environment is dynamic and will continue to change; therefore, risk should be assessed on an ongoing basis with a formal college-wide audit risk assessment performed periodically.
AUDIT RISK ASSESSMENT (continued) The Audit Risk Assessment (ARA) program used at RSC was developed using the Risk Dictionary model provided by the Association of College and University Auditors (ACUA). Accounts Payable was selected for the pilot department. Following review of the pilot program results, other selected departments will be presented with their ARA. Completed audit risk assessments from all selected departments will then be merged to obtain an overall audit risk position for the College, with higher risk areas summarized into an annual audit plan to be presented and approved by the Audit Committee of the Board of Trustees.
Audit Risk Assessment database
RSC department (Accounts Payable), Mary Hughes, Financial AP Manager

Management Category | Area | Risk | Control | User Explanation, if needed, for assigning values | Probability of Risk Occurring (.01-.99) | IMPACT (.01-.99) | Calculated Risk (J*K) Prob*IMP | Calculated Risk Result | Valid Risk Prob. data | Valid IMPACT data
Financial Management | AP | Inappropriate reimbursements and/or payments | Supervisory review and approval | Example | 0.90 | 0.80 | 0.72 | HIGH | |
Financial Management | AP | Inappropriate reimbursements and/or payments | Segregation of duties | Example | 0.75 | 0.55 | 0.41 | medium | |
 | AP | Improper use of direct pays | Multiple level review/approval | Example | 0.20 | 0.10 | 0.02 | low | |
Financial Management | AP | Improper use of direct pays | Supervisory review and approval | Example | | | 0.00 | FALSE | Data err Col J | Data err Col K
Financial Management | AP | Improper use of direct pays | System controls | Example | 2.00 | 0.60 | 1.20 | HIGH | Data err Col J |
Financial Management | AP | Improper use of direct pays | Documented policies & procedures | Example | 0.95 | 0.00 | 0.00 | FALSE | | Data err Col K
2. AUDIT SCHEDULE AND BUDGET Following the Audit Committee's approval of the proposed audit plan, a detailed budget is created, along with a schedule for executing the audit plan.
AUDIT SCHEDULE AND BUDGET
Higher risk areas from Audit Risk Assessment to be in effect for the FY15 audit plan
Columns: Start date | Final Rpt. Due Date | Department | Audit Title/Number | Prior Year Audit | Audit Issue(s) | Requestor | Risk | Est. hrs.
Aug 2013 | Oct 2013 | Internal Audit | College wide Audit Risk Assessment: pilot test of Accounts Payable department in October, 2013. | None | None | Internal Audit | High | 100
Oct 2013 | Jan 2014 | Internal Audit | College wide Audit Risk Assessment: for remainder of selected departments. | None | None | Internal Audit | High | 100
Oct 2013 (books closed) | Dec 2013 | President's Office | President's Office Expenditures FY13 Audit #1-2014 | FY13 | None | Dr. Saatkamp | Medium | 75
Nov, 2013 | Feb 2014 | Management Request | Police and Campus Safety Audit #2-2014. This audit will review various aspects of the Police and Campus Safety areas of the College with emphasis on compliance with the Clery Act. This audit will also include an Executive Exit audit of former Police Chief Glenn Miller, if deemed necessary. | None | Dr. Saatkamp | Medium | 250
Jan 2014 | Feb 2014 | Management Request | Stockton Seaview Hotel & Golf Club TO BE DETERMINED or possible Related Party transactions (Audit #3-2014) | None | Ray Ciccone Chair, RSC BoT Audit Committee & ParenteBeard | Medium | 150
Feb 2014 | Mar 2014 | Internal Audit | Review of the ARA with higher risk areas summarized | None | None | Internal Audit | High | 50
Mar 2014 | Mar 2014 | Internal Audit | Summarized higher risk areas presented to and approved by the Audit Committee for FY15 Audit Plan | None | None | Internal Audit | High | 25
Feb 2014 | Mar 2014 | Management Request | SASI - TO BE DETERMINED Audit #4-2014 | None | Ray Ciccone Chair, RSC BoT Audit Committee & ParenteBeard | Medium | 100
AUDIT SCHEDULE AND BUDGET (continued)
Mar 2014 | Mar 2014 | President's Office | Hammonton Campus (Kramer Hall) Audit #5-2014 | None | None | Dr. Saatkamp | Medium | 125
Apr 2014 | N/A | Admin & Finance | External Audit assistance Parente for Computer Services testing - hours TBD | n/a | None | Parente-Beard | Medium | 25
Apr 2014 | Apr 2014 | Computer Services-Provost | Information Technology Audit #5-2014 General Controls (High-level) Review (independent from Parente-audit areas TBD) - on hold | None | None | Internal Audit | High | 150
June 2014 | June 2014 | Admin & Finance | Payroll Operation Audit #6-2014 (incl. Kronos, sep. of duties, vac-sick hrs abuse, wkr comp) AND Payroll Overtime - Payroll and supervisory controls - State Auditor FY07-08 | FY05 | None | Planned & | Medium | 75
June 2014 | July 2014 | Admin & Finance | f/up Controller - Cash Audit #7-2014 (As time permits) - all areas receiving cash (to include Petty Cash areas, Athletics, Stockton Surplus sale email- Michael Ferraro 5/1/13, etc) | FY05 | None | Planned and FSS&K from FY08 | Medium | 200
Available hrs: 1400
Total hrs: 1425
Possible audits (as time permits)
Columns: Department | Audit Title | Prior Year Audit | Audit Issue(s) | Requestor | Risk | Est. hrs.
Fiscal Affairs | Fixed Assets Audit | FY01 | NA | Planned | High | 250
Auxiliary Services | Copier Contract Audit | None | None | Planned | Medium | 150
Auxiliary Services | Cell phone/land line employee abuse Audit | None | None | Planned | Medium | 100
Fiscal Affairs | Cash Management & Banking Services Audit | None | NA | Planned | Medium | 125
Fiscal Affairs | Accounts Payable Operational Audit | None | None | Planned | Medium | 200
3. AUDIT PROGRAM An Audit Program consists of step-by-step procedures that dictate how an evaluation of an audit area is done and involves specific instructions as to what, and how much, evidence must be collected and evaluated. An Audit Program's main purpose is to help standardize the data collection and evaluation process. By following specific steps in the audit program, the auditor ensures that all needed information is collected in an efficient manner.
4. AUDIT TESTING Audit Testing consists of the auditor performing the same operation or procedure that the user performs manually or that a computer-based application performs, if one is in place. For example, if performing a Payroll audit, the auditor may recalculate employees' pay and compare their results to the original results. Another example would be verifying that checks processed by Accounts Payable for vendors are accurate and that services or goods were actually received.
5. AUDIT ANALYSIS The analysis phase of auditing involves determining whether the reported data is consistent with the sampled data used or verified by the auditor. The results of these tests provide the auditor with a degree of assurance regarding the reliability and adequacy of the controls, and a means of measuring operational effectiveness and accountability. The audit analysis may lead to additional testing and analysis.
6. AUDIT RESULTS Through these analyses, the audit team is able to determine if client management is achieving the stated mission for their unit. The auditor documents the test samples and results, both positive and negative, in audit work papers.
7. REPORTING The auditor meets with the designated management representative during the course of the audit field work to discuss audit progress, audit test results, and conclusions and recommendations. The purpose of these meetings is threefold: to clarify any misunderstandings; to enlist management's opinion and support in solving any problems discovered; and to ensure timely implementation of recommendations. The goal is to discuss with management all significant weaknesses discovered during the course of the audit field work, and to achieve an agreement regarding corrective action to be taken by management prior to the release of the final audit report.
7. REPORTING (continued) The Internal Auditor prepares a draft of the audit report for the user stating the audit objective(s), the audit tests performed, the results of the audit tests, and a recommendation for improvement. This process is generally referred to as an Exit Conference. This draft is also provided to the Audit Chair for review and discussion. Based on the results of the Exit Conference, a final report is prepared. The final report includes the client's response to each recommendation, including action plans and time period for implementation. The final report will be issued to the members of the Audit Committee of the Board of Trustees.
7. REPORTING (continued) The last phase of Reporting is the Follow-up which occurs after a reasonable period of time. The audit client is requested to provide a status report on the corrective action taken to date. An evaluation is done to determine the effectiveness of the corrective action taken and whether the corrective action is acceptable. This phase generally includes limited sampled testing to ensure the remediation is effective.
FY14 Timetable
October, 2013: Draft Audit Plan presented to Audit Committee, with explanation of how the FY14 audit plan was developed.
FY14 planned audits/projects:
October, 2013 - Jan. 2014: Audit Risk Assessment completed
October, 2013: President's Office Expenditures FY13
November, 2013: Summer Camps Cash review
Nov. 2013 - Feb. 2014: Police and Campus Safety Audit (review aspects of the Police and Campus Safety areas with emphasis on Clery Act (Crime statistics reporting) compliance)
Nov. 2013 - Feb. 2014: The P&CS Audit will also include an Executive Exit audit of former Police Chief Glenn Miller
Jan. 2014 - Feb. 2014: Stockton Seaview Hotel & Golf Club (Related Party transactions)
FY14 Timetable (continued)
Feb. - Mar. 2014: Stockton Affiliated Services, Inc. (SASI) tbd
March, 2014: Hammonton Campus (Kramer Hall) Audit #5-2014
April, 2014: Information Technology Audit #5-2014 General Controls Review (independent from ParenteBeard-audit areas)
May, 2014: Payroll Operations (incl. Kronos, sep. of duties, vac & sick hours abuse) and Supervisory Overtime controls
June - July, 2014: Controller Cash Audit - all areas receiving cash (to include Petty Cash areas, Athletics, Stockton Surplus sale, etc)
Budgeted Hours | Audit Description
100 | Audit Risk Assessment: pilot test of Accounts Payable department in October, 2013 (underway).
100 | Audit Risk Assessment: for remainder of selected departments. Planned for October through January, 2014.
75 | President's Office Expenditures FY13 Audit #1-2014. Currently underway.
250 | Police and Campus Safety Audit #2-2013: This audit will review various aspects of the Police and Campus Safety areas of the College with emphasis on compliance with the Clery Act. This audit will also include an Executive Exit audit of former Police Chief Glenn Miller. Audits to begin in November, 2013 - February, 2014.
150 | Stockton Seaview Hotel & Golf Club Audit #3-2014: (Related Party transactions). This audit will begin in January, 2014.
50 | Audit Risk Assessment: Review of the completed ARA with higher risk areas summarized.
25 | Audit Risk Assessment: Summarized higher risk areas presented to and approved by the Audit Committee for FY15 Audit Plan.
100 | SASI - TO BE DETERMINED Audit #4-2014: This audit will begin in January, 2014.
125 | Hammonton Campus (Kramer Hall): This audit will begin in February, 2014.
25 | External Audit assistance ParenteBeard: for Computer Services testing - hours TBD. Assistance provided as needed.
150 | Information Technology Audit: General Controls (High-level) Review (independent from ParenteBeard audit areas). This audit will begin in April, 2014.
75 | Payroll Operation Audit: (incl. Kronos, separation of duties, vacation/sick hours abuse) and Payroll Overtime to include Payroll Supervisory controls follow-up. This audit will begin in June, 2014.
200 | Controller - Cash Audit #7-2014 - all areas receiving cash (to include Petty Cash areas, Athletics, Stockton Surplus sale). This audit will begin in June, 2014.
1425 | Total Budgeted Hours for fiscal year 2014
Prepared by/dated: Carlton Skip Collins, RSC Auditor, October 25, 2013
Approved by: Raymond R. Ciccone, Board of Trustees Audit Chairman
FY15 Timetable
October, 2013 - Audit Risk Assessment (ARA) begins for all selected departments
January, 2014 - Completion of the Audit Risk Assessment for selected departments
February - March, 2014 - Internal Audit review of the ARA with higher risk areas summarized
March - April, 2014 - Summarized higher risk areas presented to and approved by the Audit Committee for FY15 Audit Plan (BoT mtg May 7, 2014)
Come Visit the Internal Audit Department at Richard Stockton College where our goal is to provide quality auditing services to ensure the adequacy and effectiveness of the College's system of internal controls and the quality of performance by various operations.
See us at http://www.stockton.edu and type Internal Audit in the Search box or http://intraweb.stockton.edu/eyos/page.cfm?siteid=60&pageid=1
QUESTIONS?