JMU - Policy 1601
Policy #1601
Auditing Program/Charter
Date of Current Revision: May, 2008
Responsible Office: Director, Audit and Management Services
1. PURPOSE
This policy describes the general purpose and functions of the Office of Audit and Management Services.
2. AUTHORITY
The auditing program was established by the Board of Visitors and President to provide an independent, objective assurance and consulting activity designed to add value and improve University operations. The program assists members of the Board and University management in the effective discharge of their duties. To accomplish this, Audit and Management Services provides opinions and consulting services related to internal controls, compliance and use of resources, which will help management accomplish its goals and objectives in an efficient and effective manner. Consequently, the program is an integral part of the overall internal control structure of the University.
3. DEFINITIONS
Institute of Internal Auditors (IIA):
The professional organization that establishes Standards for the Professional Practice of Internal Auditing.
Internal Controls:
Management actions or procedures included in a process for the specific purpose of providing reasonable, but not absolute assurance that:
- information generated will be reliable and complete;
- Federal, State, University and departmental requirements will be complied with;
- assets will be properly safeguarded; and
- goals and objectives will be accomplished in an effective and efficient manner.
4. APPLICABILITY
This policy applies to all University departments, activities and personnel.
5. POLICY
It is the policy of the University to support the internal auditing program established by the Board of Visitors and President. In addition, the program will comply with the Standards for the Professional Practice of Internal Auditing established by the Institute of Internal Auditors (IIA).
6. PROCEDURES
6.1 Independence and Objectivity
The organization/reporting structure of Audit and Management Services has been established at a high level to ensure that the department will be independent, in organization
and in function, from all University divisions. The Director of the department reports directly to the Audit Committee of the Board of Visitors and administratively to the President. The Director will meet quarterly with the Audit Committee to report on activities of the department. In addition, the Director will meet privately with the Audit Committee as needed.
Audit and Management Services personnel will have complete, free, and unrestricted access to all University departments, activities, records, properties, and personnel necessary for the completion of audits or special projects. Where appropriate, special arrangements will be made for the examination of confidential information. In addition, Audit and Management Services personnel must maintain objectivity and, therefore, will not be unduly influenced in selecting audit procedures, reporting, and performing investigations. The Director will be responsible for reporting situations that impair independence and objectivity of the audit staff to the President and the Audit Committee.
In order to maintain independence and objectivity, Audit and Management Services personnel will not:
- perform operational duties for the University;
- initiate or approve accounting transactions external to the internal auditing department;
- direct the activities of any University employee not employed by the internal auditing department, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.
6.2 Proficiency and Due Professional Care
Audit staff should possess the knowledge, skills and other competencies needed to perform their individual responsibilities. Each auditor will be required to obtain forty hours of continuing education each year to maintain professional proficiency. In addition, the department should collectively possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities.
The audit staff should apply the skill expected of a reasonably prudent and competent internal auditor. Auditors should be alert to the significant risks that might affect University goals and objectives, operations, or resources. However, audit assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
6.3 Scope of Work
The scope of work of Audit and Management Services is to determine whether the University’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:
- risks are appropriately identified and managed;
- interaction with the various governance groups occurs as needed;
- significant financial, managerial and operating information is accurate, reliable and timely;
- employees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations;
- resources are acquired economically, used efficiently and adequately protected;
- programs, plans and objectives are achieved;
- quality and continuous improvement are fostered in the University’s control processes; and
- significant legislative or regulatory issues impacting the University are recognized and addressed appropriately.
A risk-based audit plan will be utilized to accomplish the scope of work.
6.4 Risk-Based Audit Plan
Each year, Audit and Management Services will develop a risk-based annual audit plan, which will be approved by the Audit Committee. Modifications may be made to the annual audit plan, based on management requests or new circumstances that come to the attention of Audit and Management Services. All modifications will be approved by the Committee.
The Director will report semiannually to the Audit Committee on accomplishment of the annual audit plan. Audit and Management Services will communicate to each Vice President, at the beginning of the year, which audits are scheduled for that year.
Frequency of a particular audit is ordinarily determined by the risk associated with the audit area. A formal risk assessment will be maintained for each audit area.
Participation by internal auditors in special projects should be incorporated, to the extent practicable, in the annual audit plan.
6.5 Audit Process and Report Issuance
The Director of Audit and Management Services will be responsible for maintaining a departmental policies and procedures manual that will govern the performance of audits. All work papers will be reviewed to ensure compliance.
Opportunities for improving controls, financial management and the University’s image may be identified during audits. Any control or security concerns identified during an audit will be presented in written form and discussed with the department at the conclusion of various phases of the audit.
At the conclusion of test work (last phase of the audit), a draft report will be submitted to the department head and the Assistant Vice President (or Dean), and a meeting will be held to discuss the report. After the meeting any necessary revisions to the report will be made and a revised draft will be sent to the department head, with the Assistant Vice President (or Dean) receiving a copy. At that time the department head will be asked to provide, within one week, written responses to the report recommendations. Possible responses include the development of an action plan (with an estimated completion date) or acceptance of risk. However, risks which jeopardize compliance with laws and regulations generally cannot be accepted.
Once responses are received, the draft report (with responses included) and an Executive Summary will be forwarded to the Vice President, with the department head and Assistant Vice President (or Dean) receiving copies. Unless contacted by Vice President within one week, the final report will be issued. The original report will be sent to the President, and copies will be distributed to the Audit Committee, Executive Assistant to the President, Vice President, Assistant Vice President (or Dean) and department head.
The final audit report will include an opinion on the adequacy and effectiveness of internal controls for areas reviewed, possible recommendations to establish compliance and establish or enhance controls, and management responses to the recommendations. Audit reports are not considered public documents and will be restricted to individuals who are organizationally responsible for the activity.
6.6 Follow-up Review
Audit and Management Services will perform follow-up reviews after audit reports are issued to determine the status of corrective action plans. A follow-up report will be submitted to the department head and Assistant Vice President (or Dean) at the conclusion of each follow-up review. In addition, the results of individual follow-up reviews will be included in action plan status reports, which will be periodically submitted to Vice Presidents, the President and the Audit Committee.
6.7 Coordination with External Auditing Agencies
The Director of Audit and Management Services will coordinate the department’s audit efforts with the Auditor of Public Accounts and other external auditors.
It may be necessary under certain circumstances to request audits from external sources. After approval by the President, these requests should be coordinated through Audit and Management Services. The Director of Audit and Management Services will help ensure that external auditors have access to appropriate information and personnel, and that information gathered is relevant, complete and accurate. Additionally, Audit and Management Services can provide assistance in scheduling conferences with areas to be audited, minimize the time required by visiting auditors, and reduce disruptions to the conduct of normal business.
A copy of all audit reports issued by external auditors and responses to those reports will be provided to Audit and Management Services. Audit and Management Services will also perform appropriate follow-up on significant findings and provide status reports on implementation to the Vice Presidents, President and the Audit Committee of the Board of Visitors.
6.8 Implementation of New Systems and Major Modifications to Existing Systems
It is the responsibility of University management to establish adequate internal controls when information systems containing critical or sensitive information are implemented or modified. Upon request, Audit and Management Services may provide consulting or advisory assistance to University officials involved with implementing controls for systems.
6.9 Management and Quality Assurance
Audit and Management Services will perform in a manner that complies with the Standards for the Professional Practice of Internal Auditing established by the Institute of Internal Auditors (IIA), and every member of Audit and Management Services will comply with the Code of Ethics promulgated by the IIA. An internal quality assurance program will be in effect to evaluate the operations of the department. An external quality assurance review will be performed at least once every five years (or at the discretion of the Audit Committee of the Board of Visitors) by a qualified, independent reviewer.
7. RESPONSIBILITIES
The Director of Audit and Management Services is responsible for:
- maintaining an effective internal auditing program;
- ensuring that the results of examinations and actions taken are communicated to the Audit Committee of the Board of Visitors and appropriate levels of University management;
- keeping the Audit Committee informed of emerging trends and successful practices in internal auditing; and
- ensuring that the internal auditing program includes consulting services, beyond assurance services, to assist management in meeting its objectives. Examples may include process design and advisory services.
- allowing audit staff to have complete, free, and unrestricted access to all University records and personnel necessary for the completion of audits and special projects;
- providing responses (including action plans and completion dates) in accordance with this policy; and
- ensuring that action plans are completed in a timely manner.
Vice Presidents are responsible for approving action plans included in audit reports and have ultimate responsibility for implementation of the action plans.
8. SANCTIONS
Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination of employment.
9. EXCLUSIONS
None
10. INTERPRETATION
The authority to interpret this policy rests with the Board of Visitors.
Previous version: February, 2004
Approved by the President: April, 2008
Approved by the Audit Committee of the Board of Visitors: May 2008
Index Terms
Audit
Internal Controls
Policy 1601 PDF Version
Publisher:
University Policy Committee
For Information Contact:
Policy Committee
JMU
Harrisonburg, Virginia 22807
(540) 568-4248
Last Modified: 11/20/2009
Privacy Statement