Auditing Program/Charter
Date of Current Revision: February, 2004
Responsible Office: Director, Audit & Management Services
- PURPOSE
This policy describes the general purpose and functions of the Office of Audit and Management Services. - AUTHORITY
The auditing program was established by the Board of Visitors and President to provide an independent, objective assurance and consulting activity designed to add value and improve University operations. The program assists members of the Board and University management in the effective discharge of their duties. To accomplish this, Audit and Management Services provides opinions and consulting services related to internal controls, compliance and use of resources, which will help management accomplish its goals and objectives in an efficient and effective manner. Consequently, the program is an integral part of the overall internal control structure of the University. - DEFINITIONS
Institute of Internal Auditors (IIA):
The professional organization that establishes Standards for the Professional Practice of Internal Auditing.
Internal Controls:
Management actions or procedures included in a process for the specific purpose of providing reasonable, but not absolute assurance that:
- Information generated will be reliable and complete;
- State, University, and departmental policies, plans and procedures will be complied with;
- Assets will be properly safeguarded; and
- Goals and objectives will be accomplished in an effective and efficient manner.
- APPLICABILITY
This policy applies to all University departments, activities and personnel. - POLICY
It is the policy of the University to support the internal auditing program established by the Board of Visitors and President. In addition, the program will comply with the Standards for the Professional Practice of Internal Auditing established by the Institute of Internal Auditors (IIA). - PROCEDURES
6.1 Independence and Objectivity
The organization/reporting structure of Audit and Management Services has been established at a high level to ensure that the department will be independent, in organization and in function, from all University divisions. The Director of the department reports directly to the Audit Committee of the Board of Visitors and administratively to the President. The Director will meet quarterly with the Audit Committee of the Board of Visitors to report on activities of the department. In addition, the Director will meet privately on an annual basis or as appropriate with the Audit Committee to discuss items of mutual interest.
Audit and Management Services personnel will have complete, free, and unrestricted access to all University departments, activities, records, properties, and personnel necessary for the completion of audits or special projects. Where appropriate, special arrangements will be made for the examination of confidential information. In addition, Audit and Management Services personnel must maintain objectivity and, therefore, will not be unduly influenced in selecting audit procedures, reporting, and performing investigations. The Director will be responsible for reporting situations that impair independence and objectivity on the part of the audit staff to the President and the Audit Committee.
6.2 Proficiency and Due Professional Care
Audit staff should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. Each auditor will be required to obtain forty hours of continuing education each year to maintain professional proficiency. In addition, the department should collectively possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.
The audit staff should apply the skill expected of a reasonably prudent and competent internal auditor. Auditors should be alert to the significant risks that might affect University goals and objectives, operations, or resources. However, audit assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
6.3 Scope of Work
Audit and Management Services evaluates and contributes to the improvement of risk management and control processes by:
- Identifying and evaluating significant exposures to risk and contributing to the improvement of risk management;
- Evaluating whether internal controls, as designed and represented by management, are adequate and functioning as intended; and
- Evaluating the University’s management process, through which goals are established, communicated and monitored.
6.4 Risk Based Audit Plan - RESPONSIBILITIES
The Director of Audit and Management Services is responsible for maintaining an effective internal auditing program, and for ensuring that the results of examinations and actions taken are communicated to the Audit Committee of the Board of Visitors and appropriate levels of University management.
Academic and Administrative Department Heads are responsible for:
- Allowing audit staff to have complete, free, and unrestricted access to all University records and personnel necessary for the completion of audits and special projects;
- Providing an action plan with a completion date for each recommendation included in the draft audit report within the time frames stated above; and
- Ensuring that action plans are completed in a timely manner.
- SANCTIONS
Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination of employment. - EXCLUSIONS
None - INTERPRETATION
The authority to interpret this policy rests with the Board of Visitors.
The Audit Committee of the Board of Visitors has approved a risk based long-range audit plan and staffing analysis for performing audits of all major activities and functions of the University. The plan covers a five-year period. Each year, Audit and Management Services will update the long-range audit plan and develop an annual audit plan, which will also be approved by the Committee. Modifications may be made to the annual plan, based on management requests or new circumstances that come to the attention of Audit and Management Services. All modifications will be approved by the Committee.
The Director will report semiannually to the Audit Committee on accomplishment of the annual audit plan. Audit and Management Services will communicate to each Vice President, at the beginning of the year, which audits are scheduled for that year.
Frequency of a particular audit is ordinarily determined by the risk associated with the audit area. A formal risk assessment will be maintained for each audit area. Audit and Management Services will solicit management's opinions on what risks are critical to the University and the relative importance of each risk. The Director of Audit and Management Services will make the final recommendation to the Audit Committee of the Board of Visitors on the risk assessment process to be used by Audit and Management Services. Formal approval of the process will be made by the Committee.
Participation by internal auditors in special projects should be incorporated, to the extent practicable, in the annual audit plan.
6.5 Audit Process and Report Issuance
The Director of Audit and Management Services will be responsible for maintaining a departmental policies and procedures manual that will govern the performance of audits. All work papers will be reviewed to ensure compliance.
Any control or security concerns identified during an audit will be presented in written form and discussed with the department at the conclusion of various phases of the audit. At the conclusion of the test work (last phase of the audit), an initial draft of the audit report will be discussed with the department head(s) or appropriate managers in charge of activities included in the scope of the audit.
After any necessary revisions to the report have been made, a revised draft will be sent to the department head, and the department head will be asked to provide action plans with estimated completion dates within two weeks.
After management’s action plans are inserted into the draft report, the report will be forwarded to the Assistant Vice President or Dean. If applicable, copies will also be submitted to management between the department head and Assistant Vice President or Dean. Unless contacted by the Assistant Vice President or Dean, Audit and Management Services will forward the report to the Vice President in one week. If the opinions on controls are 'inadequate' or if the report includes controversial findings, then a meeting with the Vice President and Assistant Vice President or Dean will be scheduled to discuss the report. Audit and Management Services will forward the final report to the President in one week unless contacted by the Vice President.
The final audit report will include an opinion on the adequacy and effectiveness of internal controls for areas reviewed, possible recommendations to establish compliance and establish or enhance controls, and management action plans for addressing recommendations. The final audit report will be distributed to the Audit Committee of the Board of Visitors, the President of the University, and to the departments involved. Audit reports are not considered public documents and will be restricted to individuals who are organizationally responsible for the activity.
6.6 Follow-up Review
Audit and Management Services will perform follow-up reviews after audit reports are issued to update the Vice Presidents on the status of corrective action plans. The follow-up review also enables Audit and Management Services to monitor major control deficiencies, which are reported to the President and the Audit Committee of the Board of Visitors.
6.7 Coordination with External Auditing Agencies
The Director of Audit and Management Services will coordinate the department’s audit efforts with the Auditor of Public Accounts and other external auditors.
It may be necessary under certain circumstances to request audits from external sources. After approval by the President, these requests should be coordinated through Audit and Management Services. The Director of Audit and Management Services will help ensure that external auditors have access to appropriate information and personnel, and that information gathered is relevant, complete and accurate. Additionally, Audit and Management Services can provide assistance in scheduling conferences with areas to be audited, minimize the time required by visiting auditors, and reduce disruptions to the conduct of normal business.
A copy of all audit reports issued by external auditors and responses to those reports will be provided to Audit and Management Services. Audit and Management Services will also perform appropriate follow-up on significant findings and provide status reports on implementation to the Vice Presidents, President and the Audit Committee of the Board of Visitors.
6.8 Implementation of New Systems and Major Modifications to Existing Systems
It is the responsibility of University management to establish adequate internal controls when information systems containing critical or sensitive information are implemented or modified. Upon request, Audit and Management Services may provide consulting or advisory assistance to University officials involved with implementing controls for systems.
6.9 Management and Quality Assurance
Audit and Management Services will perform in a manner that complies with the Standards for the Professional Practice of Internal Auditing established by the Institute of Internal Auditors (IIA), and every member of Audit and Management Services will comply with the Code of Ethics promulgated by the IIA. An internal quality assurance program will be in effect to evaluate the operations of the department. An external quality assurance review will be performed at least once every five years (or at the discretion of the Audit Committee of the Board of Visitors) by a qualified, independent reviewer.
February, 2004
Dr. Linwood H. Rose, President
Index Terms
Audit
Internal Controls