Skip to main content

Internal Audit

What is an Audit?

An audit can be defined as a formal or official examination and verification of the activities of a unit, department, or University function/process which will result in a written report.

  • The objectives of the audit will be to determine the adequacy and effectiveness of associated internal controls and may include a review of the following:

    • Compliance with laws, regulations, and policies,
    • Reliability and integrity of financial and operational information,
    • Effectiveness and efficiency of operations, and
    • Safeguarding of assets
  • An audit usually can be classified into one or more of the following categories:

    • Compliance,
    • Operational,
    • Information technology,
    • Financial, and
    • Investigative

One of Internal Auditing’s primary goals is to reduce the University’s risk or exposure to loss. Some audits may be mandated, while others are specifically designed to evaluate University operations or address management concerns.

Annual Audit Plan

Each year, Internal Audit goes through an audit planning/risk assessment process to develop a two-year audit plan. Risk assessment results and input from management are compiled into the two-year audit plan which is provided to the Cabinet for review and input. The two-year audit plan is approved annually by the President of the University.

Factors that influence the risk assessment and the selection and scheduling of audits include the following:

  • Mandated audit requirements
  • The degree of risk or exposure to loss for the University
  • Requests from the University administration and/or department leadership

Flexibility is built into the audit plan to allow Internal Audit to address management requests and special projects. Departments may contact Internal Audit to request an audit or consulting services.

The Audit Process

The most successful audits are those where the auditors and the client have a collaborative and constructive working relationship. Our objective is to get client input and have continuous involvement and communication so that the client understands the process and why we are doing it.

The audit process generally consists of four stages:

1. Planning

  1. Audit notification letter
  2. Hold enterance conference
  3. Gather background information

Internal Auditing sends out a notification letter addressed to the client (e.g., Dean, Chair) to inform them of the audit. University leadership, up to and including the President, are copied on the notification.
Then an entrance conference is scheduled and held with Internal Auditing and the client to:

  • Review the audit process and anticipated timeline
  • Obtain a high-level overview of the unit/ department mission, structure, and operations
  • Identify the audit scope
  • Identify key risks or areas of concern for review

Through independent research and requests for documents, Internal Auditing will gather background information to inform audit activities.


2. Fieldwork

  1. Conduct meetings/interviews
  2. Review documentation and processes
  3. Test transactions and documentation

Meetings/interviews are held with the client to learn about policies, procedures, processes, systems and the related key controls in place. Internal Auditing will review documentation and test transactions and processes to evaluate whether the controls are reliable and working effectively.


3. Reporting

  1. Hold exit conference/Discuss audit
  2. Provide audit draft report
  3. Auditee provides responses
  4. Issue final audit report

At the conclusion of the audit, Internal Auditing and the client hold an exit conference to formally review, discuss, and confirm any observations resulting from the audit testing. Audit observations are shared with the client through fieldwork. A draft audit report is issued, and the client is asked to provide a response to each observation. Once the responses are obtained, a final audit report is issued. The final report is shared with the client and University leadership.


4. Follow-Up

  1. Send open observations and request status update
  2. Audit client provides status update
  3. Issue memo showing status of audit observations

Internal Auditing follows up with the client twice a year (e.g., January and June) until the open audit observations and recommendations are fully implemented or the risk is accepted by management. The client provides a status update, and then Internal Auditing issues a follow up memo on the status of each observation.

Common Internal Audit Findings

  • 1. Process/Procedure Documentation:

    The department does not have documented policies and procedures for day-to-day business and administrative processes including:

    • Account Reconciliation
    • Purchasing
    • Reviewing and approving expenditures
    • Processing vouchers
    • Departmental Credit Card processing
    • Check/cashing handling and deposit process

    These procedures should include a brief description of each process, name and title of personnel responsible for each task, name and title of personnel responsible for reviewing/approving the activity, and any required documentation. Procedures should be reviewed and/or updated on an annual basis.

  • 2. Account Reconciliation - Budget Officer Review:

    The department does not reconcile Colleague or Agresso to department records (shadow system) and/or this reconciliation is not reviewed by the Budget Officer. All accounts should be reconciled on a monthly basis and Budget Officers should review the reconciliation.

  • 3. Segregation of Duties:

    Inappropriate or lack of segregation of duties. Revenue should not be received, recorded, and reconciled by one individual. Purchases should not be made, received, and reconciled by one individual.

  • 4. Revenue -Timely Deposits:

    Deposits are not made in a timely manner. All cash/checks received should be deposited within 3 business days.

  • 5. Expenditures - Documented Business Purpose:

    Vouchers lacking a documented business purpose for the items. All expenses must have adequate supporting documentation to clearly substantiate/document the business reason for the purchase.

  • 6. Expenditures - Contract Dates:

    Agreements for Services must be signed by the vendor, Budget Officer, and purchasing department (as required) prior to the service beginning.

  • 7. Expenditures-Timely Payment:

    Timely payments. All vouchers must be paid within 30 days of the invoice date and all JP Morgan statements must be paid by the due date. This includes time for the Comptroller's Office to process the voucher.

  • 8. Expenditures - Receipt of Goods/Services:

    Purchases lacking proof of receipt of goods. All items not purchased in person should have documentation to prove receipt of goods. The person receiving the item can sign/date the packing slip or the invoice to acknowledge receipt of the goods.

  • 9. Business Continuity and Disaster Recovery Plan:

    The department does not have a business continuity and disaster recovery plan. All departments should work with their IT department to. ensure all critical programs and files are appropriately backed up and that the departments needs are addressed if technology is unavailable.

  • 10. Social Media Accounts:

    Social media accounts utilized by the department should have written policies and procedures regarding:

    • Creating social media accounts
    • Accessing social media accounts
    • Maintaining/changing passwords
    • Guidelines for social media content
    • Using social media responsibly
    • Monitoring accounts for appropriate content