internal audit

This website is intended to familiarize the public with the Internal Audit Department (IAD) - how it works and the services that it provides.

IAD staff are trained professionals with extensive experience in both government and private industry. Our goal is to provide you with the professional support, particularly in the areas of internal control and business process improvement, that will allow you to more effectively fulfill your organizational mission.

We hope that you find this website helpful and we encourage your comments and suggestions on ways to improve it and make it more meaningful to you.

Go to the top of the page

What is Internal Audit?
The Internal Audit Department Charter
The Audit Process
Services and Points of Contact
Management Responsibility for Operations
Useful Links

What is Internal Audit?

In most organizations, there is considerable misunderstanding about the role of the internal audit department. To help clear up some common misunderstandings, we would like to briefly discuss what the Office of Higher Education Internal Audit Department does and how the audit process works in the Rhode Island system of public higher education.

The key role of Internal Audit is to provide the Board of Governors and system management with an independent and objective evaluation of internal controls over key business activities. This means we put a priority on reviewing the validity of financial and other management information, compliance with applicable laws and policies, and how effectively and efficiently operations run. Internal Audit is also responsible for:


Our focus is on processes and how to make them best work to achieve the Board's and the individual institution's strategic goals and objectives. If there are issues, we identify the business risks and their root causes and work with the organization to develop and implement cost effective solutions.

Annually, Internal Audit prepares a work plan showing scheduled projects. Projects are selected from the entire universe of system organizations, activities, and initiatives, based on business risk to the system. Input on business risk is sought from the Board, the Office of Higher Education, and management at each school. The Annual Audit Plan is then reviewed and approved by the Finance Committee of the Board. While this is the tool for scheduling most Internal Audit projects, other projects can be scheduled based on emerging issues or Board or management requests.

Internal audit engagements usually include the following activities:

Internal Audit Charter

Purpose

It is the policy of the Board of Governors to maintain an independent and objective Internal Auditing Department to provide value-added audit and advisory services to the Rhode Island system of public higher education (System).

Responsibilities

The Internal Audit Department has five primary responsibilities:

1. Financial and Management Information Integrity - Provides the Board of Governors and System senior management with a means to assure that financial and other management information is credible.

2. Internal Control - Monitors and evaluates the effectiveness and efficiency of the System's internal control environment and processes.

3. Operational Improvements - Evaluates System operations to identify process improvement and cost savings opportunities for management action, and assists in communicating and implementing best practices within and between operations.

4. Audit Coordination- Coordinates audit plans with the external auditors at the three institutions to ensure the timely, economical, and effective completion of the annual audit of financial statements and the annual OMB Circular A-133 compliance audit of Federal programs.

5. Recruitment and Training - Recruits talented individuals with financial backgrounds, provides training in operational auditing techniques and a broad exposure to System operations. Serves as a source for financial and operational personnel to fill positions within the System.

Authority

In carrying out their duties and responsibilities, members of the Internal Audit Department will have full, free, and unrestricted access to all activities, records, property, and personnel under the purview of the Board that are in any way related to the audit function. Determination of audit relationships will be made by the Commissioner of Higher Education or, upon appeal of that decision, by the Board of Governors.

Procedures

Internal audits are performed at all significant institution and Office of Higher Education activities, according to a risk based annual audit plan that is approved by the Finance Committee. Additional reviews may be performed at the request of the Board or System senior management. Resolutions to audit findings are sought during the performance of the audit. The management of each institution is responsible for responding to the recommendations of the Internal Audit Department within sixty calendar days from receipt of a report containing those recommendations.

Audit reports with significant audit findings, recommendations, and management responses are forwarded to the Commissioner, Associate Commissioner for Finance and Management, Finance Committee, and full Board for review and approval prior to issuance.  The status of management responses will be monitored by the Internal Audit Department on a regular basis to ensure that audit findings are resolved in a timely and effective manner.


Organization

The Internal Audit Department is managed by a Director, who reports to the Finance Committee of the Board of Governors through the Commissioner and Associate Commissioner for Finance and Management, on specific occasions, may have direct communication with the Finance Committee. Employees of the Internal Audit Department will be engaged or disengaged at the discretion of the Commissioner and Associate Commissioner for Finance and Management with the concurrence of the Board of Governors.

Professional Standards and code of Ethics

The Internal Audit Department subscribes to and complies with all applicable professional standards and codes of ethics, including the Institute of Internal Auditors "Standards for the Professional Practice of Internal Auditing" and the U.S. General Accounting Office "Government Auditing Standards".

The Audit Process

Internal Audit Work Process Flow
Internal Audit Work Process Flow Part 2

Overview Process Map

Internal Audit Work Process Flow
 
The following is designed to amplify and explain the OVERVIEW PROCESS MAP.
 
Goals:

Note: Most projects will follow this model.  Short fuse or sensitive projects, e.g., fraud investigations, will follow the model as closely as is practicable.

1. The Risk Assessment Model consists of the entire audit universe, e.g., discrete audit entities that have or use resources(sites or programs), internal control processes(payroll, purchasing), and priority initiatives (GASB 34/35 implementation).  Basically, it includes any activity that presents a significant business risk to the System. It is dynamically changing as the System organization, activities, and environment changes. It also includes a matrix showing who has responsibility for coverage, e.g., KPMG for A133 audits, and decision criteria for assessing and ranking audit risk. The objective is to provide a tool that allows IAD resources to be matched to risk priorities in an organized, rational manner.

2. The Audit Plan is a written document showing specific projects by quarter, prioritized and agreed upon with clients, OHE management, and Board.  It ties back to staff resources and availability. The Plan is a flexible document that will be updated quarterly to recognize current business requirements.  Audit Plans will be shared with institutional VP of Finance/Controllers for planning and coordination purposes.

3. The Schedule implements the Plan on a detailed level and is modified as necessary to accommodate management requirements. IAD staff should enter planned vacations, training, and other commitments as soon as  known.  Auditors will be given all quarterly assignments and be responsible for multi tasking and managing their schedules.

4. Management requests can and will come from everyone in the organizational chain.  We will try to accommodate as many as possible with an emphasis on those with the biggest return for the System as a whole.

5. A formal Announcement Memo from the Associate Commissioner, Finance & Management to the school provides a general outline of project scope, objectives, and timing.  Generally the memo is preceded by an informal call or Email from the Director or auditor in charge (AIC).

6. Project Planning is primarily the responsibility of the AIC  and consists of

7. The AIC will contact the Controller or manager involved directly before starting fieldwork and set up the Opening Conference to review the project objectives, scope, timing, and support requirements (people and information).  The AIC will make every reasonable effort to avoid unnecessary impositions on the client. In most cases, the AIC will offer to send copies of the audit program and test procedures.

8.  Field work:

9.  The AIC and staff will communicate with the client regularly during field work.  Ensure that they understand your issues and that you are sensitive to their work environment, constraints, and priorities.  Goal- no surprise or disagreements on facts at the Exit Conference.

10. The draft report for the Exit Conference should be as close to final as we can make it, lacking only management responses.

11.  The VP Finance, Controller, involved managers, etc. and IAD Director and AIC should be at meeting.  The agenda is to :

Work papers should be cross referenced and available for examination at the meeting.  The AIC will keep a master copy of the draft report and note all agreed upon changes for final report/management letter. Upon conclusion, the AIC will thank the organization for its cooperation and briefly summarize changes to all attendees and set a schedule for resolution.  The AIC will also write a brief memo for work papers listing attendees and summarizing action items and any major disputes.

12. The Audit Report, less the Management Responses, will generally be completed within one week after the Exit Conference and returned to the client for inclusion of written Management Responses (currently required within 60 days). After the Management Responses have been received, the completed report will be sent to the client for final review with 24 hour turn around.  Then reports will go through approval chain prior to Board approval and publication.

13.  Report distribution will include the State Auditor General and Bureau of Audit for all Board approved Audit Reports.

14.  Report wrap up will include the AIC ensuring that:

 

Services and Points of Contact

The Internal Audit Department (IAD) provides a variety of management assistance services, including:

 

Definition of Internal Control

Internal Control is a management process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

This definition reflects certain fundamental concepts: Effective administration involves planning, executing, and monitoring. Internal control is a tool used by administrators to accomplish these processes.
Sarbanes-Oxley principles and Statement on Auditing Standards (SAS) No. 112 will also be incorporated in any assessment of internal controls. 
 

Components of Internal Control

Internal control consists of five interrelated components derived from basic college and university operations and administrative processes as follows:

 

Management Responsibility for Operations

All levels of management are responsible for performing their unit's Mission Statement  by achieving the unit's goals and objectives through effective and efficient use of resources and compliance with applicable laws, regulations and policies.
 

Specific areas of responsibility include:


Internal Audit can assist management in discharging these responsibilities by providing an independent and objective evaluation of existing internal controls over business operations. Internal Audit can also help management develop improved controls and processes over operations. However, management always retains control over their own operations and ultimate responsibility for their performance.

Useful Links

Assn. of College & University Auditors - Extensive library of audit programs and tools available to members

Assn. of Government Cost Accountants - Updates on current developments in govt. accounting & current issue of "AGA Today"

AICPA Online - Updates on developments in business and government accounting and audit practices

Assn. of Certified Fraud Examiners - Current topics related to business fraud and training and reference resources

Rutgers Accounting Web- RAW - Excellent clearinghouse for links to business and accounting sites

CYBERCRIME - US Govt. site on all aspects of cyber crime

The Campus Computing Project - Addresses IT topics in higher education. Includes annual Campus Computing Survey

CANAUDIT, Inc. - Commercial training and consulting firm site but with many good freebie tools and references in DOWNLOAD

Committee of Sponsoring Organizations of the Treadway Commission- COSO - Bible on internal control concepts and references

SECURITY.VT.EDU - VA Tech's IT security page. Outstanding source for policies, procedures, tools, and links dealing with IT security

The Computer Security Resource Center - Technical site on IT security including specific security tests

PRO2Net - Main focus is on private sector accounting but some good business articles

SANS Institute - IT security professionals cooperative site. Contains current alerts on viruses and other IT security issues

Defense Contract Audit Agency- DCAA - Governmental audit guidance and publications

Audit Tools for Managers

 

For more information contact:

Finance and Management
Rhode Island Office of Higher Education

 

 

 

 

 

Last updated December 15, 2006