Date of Current Revision: January 2016
Primary Responsible Officer: Director, Audit and Management Services
Audit and Management Services was established by the Board of Visitors and president to provide an independent, objective assurance and consulting activity designed to add value and improve university operations. The department helps the university accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. This policy describes the general purpose, authority and responsibility of the office of Audit and Management Services.
The Board of Visitors has been authorized by the Commonwealth of Virginia to govern James Madison University. See Code of Virginia section 23-164.6; 23-9.2:3. The board has delegated the authority to manage the university to the president.
Institute of Internal Auditors (IIA)
The professional organization that establishes International Standards for the Professional Practice of Internal Auditing.
Internal Control
A process, effected by the Board of Visitors, management or other university personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- effectiveness and efficiency of operations (including financial and operational performance goals and safeguarding assets against loss)
- reliability of reporting (including internal/external financial and non-financial reporting)
- compliance with applicable laws and regulations (including university and departmental policies and procedures)
Examples of internal control activities include:
- proper authorization and approval
- documented review of information for accuracy, completeness and validity
- proper supervision
- physical security of assets
- written policies and procedures
- process documentation
- proper segregation of duties
- proper assignment and authorization to information systems, electronic applications and data
- procedures to secure data
This policy applies to all university departments, activities and personnel.
It is the policy of the university to support the internal auditing program established by the Board of Visitors and president. The program will comply with the International Standards for the Professional Practice of Internal Auditing established by the IIA.
6.1 Independence and Objectivity
Audit and Management Services will be independent, in organization and in function, from all university divisions. The Director of Audit and Management Services reports directly to the Audit Committee of the Board of Visitors and administratively to the president. The director will meet quarterly with the Audit Committee to report on activities of the department. In addition, the director will meet privately with the Audit Committee as needed.
Audit and Management Services personnel will have complete, free and unrestricted access to all university departments, activities, records, properties and personnel necessary for the completion of audits or special projects. When appropriate, special arrangements will be made for the examination of confidential information. In addition, Audit and Management Services personnel must maintain independence and objectivity and, therefore, will not be unduly influenced in selecting audit procedures, reporting and performing investigations. The director will be responsible for reporting situations that impair independence and objectivity of the audit staff to the president and the Audit Committee.
In order to maintain independence and objectivity, Audit and Management Services personnel will not:
- perform operational duties for the university
- initiate or approve accounting transactions external to the internal auditing department
- direct the activities of any university employee not employed by the internal auditing department, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors
6.2 Proficiency and Due Professional Care
Audit staff will possess the knowledge, skills and other competencies needed to perform their individual responsibilities. Each auditor will be required to obtain forty hours of continuing education each year to maintain professional proficiency. In addition, the department will collectively possess or obtain the knowledge, skills and other competencies needed to perform its responsibilities.
The audit staff will apply the skill expected of a reasonably prudent and competent internal auditor. Auditors should be alert to the significant risks that might affect university goals and objectives, operations or resources. However, audit assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.
6.3 Scope of Work
The scope of work of Audit and Management Services is to determine whether the university's network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:
- risks are appropriately identified and managed
- interaction with the various governance groups occurs as needed
- significant financial, managerial and operating information is accurate, reliable and timely
- employees' actions are in compliance with policies, standards, procedures, and applicable laws and regulations
- resources are acquired economically, used efficiently and adequately protected
- programs, plans and objectives are achieved
- quality and continuous improvement are fostered in the university's control processes
- significant legislative or regulatory issues impacting the university are recognized and addressed appropriately
A risk-based audit plan will be utilized to accomplish the scope of work.
6.4 Risk-Based Audit Plan
Audit and Management Services will develop a risk-based annual audit plan, which will be approved by the Audit Committee. In addition, Audit and Management Services will inform the president and each vice president, prior to each fiscal year, of the audits scheduled for that year. Modifications may be made to the annual audit plan, based on management requests or new circumstances that come to the attention of Audit and Management Services. All modifications will be approved by the Audit Committee.
Frequency of a particular audit is ordinarily determined by the risk associated with the audit area. A formal risk assessment will be maintained for each audit area and used to develop the annual audit plan. In addition to the risk-based audits, the annual audit plan should include, to the extent practicable, time for special projects and follow-up audits.
The director will report semiannually to the Audit Committee on accomplishment of the annual audit plan.
6.5 Audit Process and Report Issuance
The director will be responsible for maintaining a departmental policies and procedures manual that will govern the performance of audits. All work papers will be reviewed to ensure quality.
Opportunities for improving internal controls, compliance and financial management may be identified during audits. At the conclusion of test work (last phase of the audit), a draft report will be submitted to the department head and the assistant vice president (or dean), and a meeting may be held to discuss the report. Any necessary revisions to the report will be made and a revised draft will be sent to the department head, with the assistant vice president (or dean) receiving a copy. The department head will be asked to provide, within one week, written responses to the report recommendations. Possible responses include the development of an action plan with an estimated completion date or acceptance of risk (based on a cost-benefit analysis). However, risks which jeopardize compliance with laws and regulations generally cannot be accepted.
Once responses are received, the draft report (with responses included) and an executive summary will be forwarded to the responsible vice president, with the department head and assistant vice president (or dean) receiving copies. Unless contacted by the vice president within one week, the final report will be issued. The original report will be sent to the president, and copies will be distributed to the Audit Committee, vice president, assistant vice president (or dean) and department head.
The final audit report will include an opinion on the adequacy of internal controls for processes reviewed, possible recommendations to ensure compliance and establish or enhance controls, and management responses to the recommendations. Audit reports are prepared to assist the president and administration in their decision making. Therefore, report distribution will be restricted to individuals who are organizationally responsible for the activity.
6.6 Follow-up Review
Audit and Management Services will perform follow-up reviews after audit reports are issued to determine the status of corrective action plans. A follow-up report will be submitted to the department head and assistant vice president (or dean) at the conclusion of each follow-up review. In addition, the results of individual follow-up reviews will be included in action plan status reports, which will be periodically submitted to the vice presidents, president and Audit Committee.
6.7 Coordination with External Auditing Agencies
The director will coordinate the department's audit efforts with the Auditor of Public Accounts and other external auditors.
It may be necessary under certain circumstances to request audits from external sources. After approval by the president, these requests will be coordinated through Audit and Management Services. The director will help ensure that external auditors have access to appropriate personnel and information that is relevant, complete and accurate. Additionally, Audit and Management Services will strive to minimize the time required by visiting auditors and limit disruptions to the conduct of normal business.
A copy of all audit reports issued by external auditors and responses to those reports will be provided to Audit and Management Services. Audit and Management Services may also perform appropriate follow-up on significant findings and provide status reports on implementation to the vice presidents, president and Audit Committee.
6.8 Implementation of New Systems and Major Modifications to Existing Systems
It is the responsibility of university management to establish adequate internal controls when information systems containing critical or sensitive information are implemented or modified. Upon request, Audit and Management Services may provide consulting or advisory assistance to university officials involved with implementing controls for systems.
6.9 Management and Quality Assurance
Audit and Management Services will comply with the International Standards for the Professional Practice of Internal Auditing established by the IIA, and every member of Audit and Management Services will comply with the Code of Ethics promulgated by the IIA. In addition to an ongoing, internal quality assurance program, an external quality assurance review will be performed at least once every five years (or at the discretion of the Audit Committee) by a qualified, independent reviewer.
The Director of Audit and Management Services is responsible for:
- maintaining an effective internal auditing program
- ensuring that audit results and actions taken are communicated to the Audit Committee and appropriate levels of university management
- keeping the Audit Committee informed of emerging trends and successful practices in internal auditing
- ensuring that the internal auditing program includes consulting (advisory) services, beyond assurance services, to assist management in meeting its objectives
Academic and administrative department heads are responsible for:
- allowing audit staff to have complete, free and unrestricted access to all university records and personnel necessary for the completion of audits and special projects
- providing responses (including action plans and completion dates) in accordance with this policy
- ensuring that action plans are completed in a timely manner
Vice presidents are responsible for approving action plans included in audit reports and have ultimate responsibility for implementation of the action plans.
Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination of employment.
The authority to interpret this policy rests with the Board of Visitors and is generally delegated to the Director of Audit and Management Services.
Previous version: December 2014
Approved by the President: April 2008
Approved by the Audit Committee of the Board of Visitors: May 2008