This website is intended to familiarize the public with the Internal Audit
Department (IAD) - how it works and the services that it provides.
IAD staff are trained professionals with extensive experience in both government
and private industry. Our goal is to provide you with the professional support,
particularly in the areas of internal control and business process improvement,
that will allow you to more effectively fulfill your organizational mission.
We hope that you find this website helpful and we encourage your comments
and suggestions on ways to improve it and make it more meaningful to you.
What is Internal Audit?
The Internal Audit Department Charter
The Audit Process
Services and Points of Contact
Management Responsibility for Operations
What is Internal Audit?
In most organizations, there is considerable misunderstanding about the
role of the internal audit department. To help clear up some common misunderstandings,
we would like to briefly discuss what the Office of Higher Education Internal
Audit Department does and how the audit process works in the Rhode Island
system of public higher education.
The key role of Internal Audit is to provide
the Board of Governors and system management with an independent and objective
evaluation of internal controls over key business activities. This means
we put a priority on reviewing the validity of financial and other management
information, compliance with applicable laws and policies, and how effectively
and efficiently operations run. Internal Audit is also responsible for:
- Coordinating the activities of external auditors
- Performing special projects for the Board or management
- Providing technical assistance and "best practices" to operations
Our focus is on processes and how to make them best work to achieve the
Board's and the individual institution's strategic goals and objectives.
If there are issues, we identify the business risks and their root causes
and work with the organization to develop and implement cost effective
Annually, Internal Audit prepares a work plan showing scheduled projects.
Projects are selected from the entire universe of system organizations,
activities, and initiatives, based on business risk to the system. Input
on business risk is sought from the Board, the Office of Higher Education,
and management at each school. The Annual Audit Plan is then reviewed and
approved by the Finance Committee of the Board. While this is the tool for
scheduling most Internal Audit projects, other projects can be scheduled
based on emerging issues or Board or management requests.
Internal audit engagements usually include the following activities:
- Scheduling an opening conference to discuss audit objectives, scope,
timing, and intended report format and distribution
- Evaluating internal control systems with managers and operators
- Testing to ensure proper operation of internal control systems
- Developing conclusions based on test results
- Devising cost effective recommendations with management and operators
- Reviewing audit issues and draft audit reports with management and
- Preparing and distributing an audit report, including management's
responses to the issues raised
- Following up to ensure all issues raised in audit reports have been
Internal Audit Charter
It is the policy of the Board of Governors to maintain an independent and
objective Internal Auditing Department to provide value-added audit and
advisory services to the Rhode Island system of public higher education
The Internal Audit Department has five primary responsibilities:
1. Financial and Management Information
Integrity - Provides the Board of Governors and System senior management
with a means to assure that financial and other management information is
2. Internal Control - Monitors and evaluates
the effectiveness and efficiency of the System's internal control environment
3. Operational Improvements -
Evaluates System operations to identify process improvement and cost savings
opportunities for management action, and assists in communicating and implementing
best practices within and between operations.
4. Audit Coordination- Coordinates audit plans with the
external auditors at the three institutions to ensure the timely, economical,
and effective completion of the annual audit of financial statements and
the annual OMB Circular A-133 compliance audit of Federal programs.
5. Recruitment and Training
- Recruits talented individuals with financial backgrounds, provides training
in operational auditing techniques and a broad exposure to System operations.
Serves as a source for financial and operational personnel to fill positions
within the System.
In carrying out their duties and responsibilities, members of the Internal
Audit Department will have full, free, and unrestricted access to all activities,
records, property, and personnel under the purview of the Board that are
in any way related to the audit function. Determination of audit relationships
will be made by the Commissioner of Higher Education or, upon appeal of
that decision, by the Board of Governors.
Internal audits are performed at all significant institution and Office
of Higher Education activities, according to a risk based annual audit plan
that is approved by the Finance Committee. Additional reviews may be performed
at the request of the Board or System senior management. Resolutions to
audit findings are sought during the performance of the audit. The management
of each institution is responsible for responding to the recommendations
of the Internal Audit Department within sixty calendar days from receipt
of a report containing those recommendations.
Audit reports with significant audit findings, recommendations, and management
responses are forwarded to the Commissioner, Associate Commissioner for
Finance and Management, Finance Committee, and full Board for review and
approval prior to issuance. The
status of management responses will be monitored by the Internal Audit
Department on a regular basis to ensure that audit findings are resolved
in a timely and effective manner.
The Internal Audit Department is managed by a Director, who reports to
the Finance Committee of the Board of Governors through the Commissioner
and Associate Commissioner for Finance and Management, on specific occasions,
may have direct communication with the Finance Committee. Employees of
the Internal Audit Department will be engaged or disengaged at the discretion
of the Commissioner and Associate Commissioner for Finance and Management
with the concurrence of the Board of Governors.
Professional Standards and code of Ethics
The Internal Audit Department subscribes to and complies with all applicable
professional standards and codes of ethics, including the Institute of Internal
Auditors "Standards for the Professional Practice of Internal Auditing"
and the U.S. General Accounting Office "Government Auditing Standards".
The Audit Process
Internal Audit Work Process Flow
Internal Audit Work Process Flow Part 2
Overview Process Map
Internal Audit Work Process Flow
The following is designed to amplify and explain the OVERVIEW PROCESS MAP.
- To minimize surprises by open communication throughout process
- To optimize value added by matching resources with priorities and focusing
on problem solving
- To increase efficiency by using standard processes, encouraging cooperation,
and reducing duplication
Note: Most projects will follow this model. Short fuse or sensitive
projects, e.g., fraud investigations, will follow the model as closely as
1. The Risk Assessment Model consists of the entire audit universe, e.g.,
discrete audit entities that have or use resources(sites or programs), internal
control processes(payroll, purchasing), and priority initiatives (GASB 34/35
implementation). Basically, it includes any activity that presents
a significant business risk to the System. It is dynamically changing as the
System organization, activities, and environment changes. It also includes
a matrix showing who has responsibility for coverage, e.g., KPMG for A133
audits, and decision criteria for assessing and ranking audit risk. The
objective is to provide a tool that allows IAD resources to be matched to
risk priorities in an organized, rational manner.
2. The Audit Plan is a written document showing specific projects by quarter,
prioritized and agreed upon with clients, OHE management, and Board.
It ties back to staff resources and availability. The Plan is a flexible
document that will be updated quarterly to recognize current business
Audit Plans will be shared with institutional VP of Finance/Controllers
for planning and coordination purposes.
3. The Schedule implements the Plan on a detailed level and is modified
as necessary to accommodate management requirements. IAD staff should enter
planned vacations, training, and other commitments as soon as known.
Auditors will be given all quarterly assignments and be responsible for
multi tasking and managing their schedules.
4. Management requests can and will come from everyone in the organizational
chain. We will try to accommodate as many as possible with an emphasis
on those with the biggest return for the System as a whole.
5. A formal Announcement Memo from the Associate Commissioner, Finance
& Management to the school provides a general outline of project scope,
objectives, and timing. Generally the memo is preceded by an informal
call or Email from the Director or auditor in charge (AIC).
6. Project Planning is primarily the responsibility of the AIC and
- Establishing a project number and preliminary time budget and schedule
- Learning everything possible about the assigned project from all available
personnel, reviews of financials and other management reports, research
into technical areas- e.g., construction auditing
- Developing a risk assessment memo- what do you expect to find, what
specific risks have to be considered, control environment, financial/operational
performance, the impact of emerging issues (e.g., PeopleSoft implementation
and GASB 34/35)-
- Based on risk assessment, developing specific audit objectives, scopes,
and a detailed audit program to test them
- Reviewing the assessment and audit program with director and rest of staff
- Ensuring that areas are not being covered by another group, e.g., State
- Determining special resources needed, e.g., IT assistance, and client
PBCs, documentation, and personnel support required
- Electronically filing as much documentation as possible in IAD directory
to reduce manual files and provide assistance for future projects
- Project planning will be performed in compliance with IIA and GAO standards.
7. The AIC will contact the Controller or manager involved directly before
starting fieldwork and set up the Opening Conference to review the project
objectives, scope, timing, and support requirements (people and information).
The AIC will make every reasonable effort to avoid unnecessary impositions
on the client. In most cases, the AIC will offer to send copies of the audit program
and test procedures.
8. Field work:
- Will be professionally performed and documented in accordance with
IIA and GAO standards
- As each area of the audit program is covered, any issues should be
brought to the attention of the Controller/manager for immediate resolution
and then, if necessary, written up as a draft audit finding with recommendations going to Controller/manager
- Work papers should support audit program tests and be cross referenced
to any audit findings
- To the maximum extent possible, auditors should use existing client
documentation for tests and work papers and avoid special reports solely
for audit use
- Where possible, use electronic work papers and spreadsheets- customized
- Prepare a draft audit report cross referenced to work papers
- Work papers and the draft audit report will be given to the Director
- The AIC is responsible for clearance of all review notes
- The AIC will deliver a draft audit report to the Controller/manager
and arrange the Exit Conference
9. The AIC and staff will communicate with the client regularly during
field work. Ensure that they understand your issues and that you are sensitive
to their work environment, constraints, and priorities. Goal- no surprise
or disagreements on facts at the Exit Conference.
10. The draft report for the Exit Conference should be as close to final
as we can make it, lacking only management responses.
11. The VP Finance, Controller, involved managers, etc. and IAD Director
and AIC should be at meeting. The agenda is to :
- Agree on facts of audit issues, priority, reasonableness of recommendations,
and final wording
- Secure management commitment to specific corrective action by a determined
- Determine which items will be included in formal audit report sent
to Board and which items will be included in local management letter
with limited distribution
Work papers should be cross referenced and available for examination at
the meeting. The AIC will keep a master copy of the draft report and
note all agreed upon changes for final report/management letter. Upon conclusion,
the AIC will thank the organization for its cooperation and briefly summarize
changes to all attendees and set a schedule for resolution. The AIC will also write a brief memo
for work papers listing attendees and summarizing action items and any major
12. The Audit Report, less the Management Responses, will generally be
completed within one week after the Exit Conference and returned to the
client for inclusion of written Management Responses (currently required
within 60 days). After the Management Responses have been received, the
completed report will be sent to the client for final review with 24 hour
turn around. Then reports will go through approval chain prior to
Board approval and publication.
13. Report distribution will include the State Auditor General and
Bureau of Audit for all Board approved Audit Reports.
14. Report wrap up will include the AIC ensuring that:
- All work papers and reports are properly filed-manual or electronic
- All audit findings and management commitments are entered into the
IAD stewardship report for quarterly follow up with the school Controllers
- Customer survey form is sent out, returned, and recorded
Services and Points of Contact
The Internal Audit Department (IAD) provides a variety of management assistance
- Financial Reviews (normally done in conjunction with
external auditors)- These are "traditional" audits of financial records,
such as accounts receivable or inventory. The objective is to determine
the reasonableness of financial records. Results will be communicated
to unit management and usually incorporated in the external auditor's
report on the financial statements.
- Operational Reviews - These are projects directed by
the Board and OHE management, based on perceived business risks. The focus
is on assessing specific processes and identifying cost effective ways
to improve internal controls, efficiency, and effectiveness. Examples
would be reviewing a construction project for compliance with contract
terms or evaluating the internal controls over a purchasing process. Written
audit reports are prepared, discussed with unit management and staff,
and then submitted to the BOG for approval.
- Management Assist - For projects with System-wide
impact or of high importance to individual institutions, IAD will provide
consulting assistance to help design plans and achieve effective
implementation. Assistance might take the form of facilitating project/problem
solving teams, flow charting processes, or performing activity based
costing (ABC) analyses and financial indicators. Status reports, in various
formats, depending on the project, will be provided to unit management
board. Assistance can either be directed by OHE or requested by the
- Stewardship - Internal Audit also coordinates overall
internal control initiatives to ensure that the System's internal control
environment provides reasonable assurance to OHE management and the
Board that organizational objectives are being achieved. A prime example
of this is the Quarterly Stewardship Report for each institution, listing
outstanding audit issues and the status of corrective action. The report
is reviewed with school management before being presented to the Board.
- Technical Research - Internal Audit can assist with
questions dealing with OHE policies, RI State laws, regulations and policies,
accounting and internal controls, and general business practices.
- Investigations - At the direction of OHE or the request
of management, Internal Audit will investigate suspected cases of unethical
behavior, including fraud, theft, and abuse of position. Depending on
the facts uncovered, such cases may be referred to management,
OHE, the Board, or legal authorities for further action.
Definition of Internal Control
Internal Control is a management process designed to provide reasonable
assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
This definition reflects certain fundamental concepts:
- Internal control is a process. It is a means to an end, not an end
- Internal control is performed by people. It's not merely policy manuals
and forms, but people functioning at every level of the institution.
- Internal control is geared to achieve objectives in several overlapping
categories- operations, finance, and compliance.
- Internal control can be expected to provide only reasonable assurance
to an institution's leaders regarding achievement of operational, financial
reporting, and compliance objectives.
Effective administration involves planning, executing, and monitoring. Internal
control is a tool used by administrators to accomplish these processes.
Sarbanes-Oxley principles and Statement on Auditing Standards (SAS) No. 112
will also be incorporated in any assessment of internal controls.
Components of Internal Control
Internal control consists of five interrelated components derived from
basic college and university operations and administrative processes as
- Control Environment - The core of any educational institution is its
people. They are the engine that drives the organization. Their individual
attributes (integrity, ethical values, and competence) and the environment
in which they operate determine the success of the institution.
- Risk Assessment - Colleges
and universities must be aware of and deal with the risks they face. They
must set objectives that integrate key activities so the total organization
operates in concert. They also must establish mechanisms to identify,
analyze, and manage the related risks.
- Control Activities - Control
policies and procedures must be established and executed to help ensure
that actions necessary to achieve the institution's objectives are effectively
- Information and Communication -
Surrounding these activities are information and communication systems.
These enable the organization's people to capture and exchange the information
needed to conduct, manage, and control its operations.
- Monitoring - The entire process must be monitored and modified as necessary.
Thus, the system can react dynamically to changing conditions.
Management Responsibility for Operations
All levels of management are responsible for performing their unit's Mission
Statement by achieving the unit's goals and objectives through effective
and efficient use of resources and compliance with applicable laws, regulations
Specific areas of responsibility include:
- Maintaining a high ethical tone throughout the organization
- Assessing and managing their organization's business risks
- Developing cost effective internal controls over all operations
Internal Audit can assist management in discharging these responsibilities
by providing an independent and objective evaluation of existing internal
controls over business operations. Internal Audit can also help management
develop improved controls and processes over operations. However, management
always retains control over their own operations and ultimate responsibility
for their performance.
Assn. of College & University Auditors
- Extensive library of audit programs and tools available to members
Assn. of Government Cost Accountants
- Updates on current developments in govt. accounting & current issue
of "AGA Today"
AICPA Online - Updates on developments
in business and government accounting and audit practices
Assn. of Certified Fraud Examiners -
Current topics related to business fraud and training and reference resources
Rutgers Accounting Web- RAW
- Excellent clearinghouse for links to business and accounting sites
CYBERCRIME - US Govt. site on all aspects
of cyber crime
The Campus Computing Project -
Addresses IT topics in higher education. Includes annual Campus Computing
CANAUDIT, Inc. - Commercial training and
consulting firm site but with many good freebie tools and references in
Committee of Sponsoring Organizations of the
Treadway Commission- COSO - Bible on internal control concepts and references
SECURITY.VT.EDU - VA Tech's IT security
page. Outstanding source for policies, procedures, tools, and links dealing
with IT security
The Computer Security
Resource Center - Technical site on IT security including specific security
PRO2Net - Main focus is on private
sector accounting but some good business articles
SANS Institute - IT security
professionals cooperative site. Contains current alerts on viruses and other
IT security issues
Defense Contract Audit Agency- DCAA -
Governmental audit guidance and publications
Tools for Managers
For more information contact:
Finance and Management
Rhode Island Office of Higher Education
Last updated December 15, 2006