Frequently Asked Questions
- What is Internal Auditing?
- How are areas selected for internal audits?
- What happens during an audit?
- What do I do if I suspect fraud?
- What is risk?
The Department of the State Internal Auditor (DSIA) defines internal auditing within the Commonwealth as "an integral part of the overall internal control system". The Institute of Internal Auditors defines internal auditing in this way:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
That's nice but what does it mean? Believe it or not, we are on your side, and attempt to be as "user friendly" as possible. Our purpose is to help you more effectively perform your job. The following items are a sampling of the things we do.
- Evaluate your operations for ways to improve your effectiveness or efficiency.
- Help you comply with various University, State and Federal policies.
- Ensure that you have proper controls in place to protect you, your employees and the University.
- Provide you with advice regarding systems, policies, procedures, etc.
Audit and Management Services performs an annual risk assessment to ensure that key audit areas (departments or activities) at the University are examined on a sufficiently frequent basis. Risk assessment scores for potential audit areas are updated at the conclusion of audits or when we become aware of significant changes (e.g., restructuring, new departments or services, etc.). Also, we request that departments complete a risk survey every other year to ensure that we are aware of major changes. The risk scores for each audit area are derived by assigning numerical ratings for nine weighted risk factors.
The updated risk assessment score is then used to develop the Long Range Audit Plan and Resource Analysis, which covers a five-year period. The frequency of audits for an area is determined by evaluating the level of risk in audit areas. The higher the risk score assigned to a given area, the greater the audit frequency. In addition to scheduled audit areas, the plan also includes time for special projects. Such projects may be requested by University management or may be performed as a result of suspected fraud, waste or abuse.
Annual Audit Plans are derived from the Long Range Plan and, more importantly, input from Vice Presidents. Each year we ask the Vice Presidents to review the Long Range Plan and provide this input. When possible, the Annual Audit Plan is adjusted to incorporate additions or changes suggested by the Vice Presidents. A key goal of our department is to provide adequate resources to address requests from management to do projects involving consultative services, analyses and efficiency reviews.
The Long Range and Annual Audit Plans are approved by the Audit Committee of the Board of Visitors. Audits scheduled for a particular year on the Long Range Plan may not all be included on the Annual Audit Plan for that year due to resource constraints, a larger volume of special projects or other variables.
- Request for Information
The President, Vice President, Assistant Vice President and the Department Head are notified that an audit will be performed. Specific information required to begin the audit is requested at this time.
- Determining the Scope of an Audit
After reviewing the information provided, considering the information systems for which the department has responsibility, and meeting with the Department Head, the scope of the audit is determined.
- Communicating the Scope
The scope of the audit is communicated to the Vice President, Assistant Vice President and Department Head.
- Detailed Understanding of Activity
A detailed understanding of each activity included in the audit is developed by reviewing documentation provided by the department and interviewing key personnel. Flowcharts are often used to document this understanding. Departments are asked to review the flowcharts for accuracy and completeness.
- Evaluating Internal Controls
Internal controls, compliance, effectiveness and efficiency may be evaluated for each activity included in the scope of the audit. Control objectives are identified, ranked, and assessed as part of the evaluation process. Examples of control objectives are: authorization, approvals, verification of accuracy and completeness of information, reconciliations, security of assets, segregation of duties and assignment of access to information.
- Audit Findings Noted During the Evaluation of Controls
During the control evaluation process and throughout the audit, suggestions for improving or establishing controls are considered and, if approved by the Director, audit finding sheets are forwarded to the department. At this point we are just trying to determine whether findings are correct. After determining the accuracy of the findings, we focus on recommendations. When we make a recommendation, the department may suggest an alternative. We are always willing to evaluate an alternative recommendation and determine whether it achieves the control objective that is needed to mitigate risk.
- Communicating Inadequate Controls
At this point, we conclude whether or not internal controls are adequate. If, after considering the controls in place, we conclude that controls are not adequate, a memorandum will be sent to the Vice President, Assistant Vice President and the Department Head communicating our conclusion. This memo will include an explanation as to why we believe the controls are not adequate. We will also determine at this point if audit test work will be performed.
- Testing Controls
After identifying the controls and safeguards that are in place for each activity, an audit program documenting the test work to be performed is developed. Test procedures are then completed to determine if the controls are functioning as intended.
- Audit Findings Noted During Test Work
As described previously, findings are developed and forwarded to departments.
- Conclusion of Test Work
Findings are evaluated, and an opinion on the effectiveness of controls is formed.
- Draft Audit Report
A draft audit report is prepared and forwarded to the Department Head for his/her review. The report is sent to the Department Head to provide an opportunity to express concerns or disagreement with the findings and recommendations included in the draft report.
- Meeting with the Vice President
After reviewing the draft report with the Department Head, a meeting is scheduled with the Vice President, the Assistant Vice President, and the Department Head to discuss the report.
- Requesting Responses to Draft Audit Report
After this meeting, the report is submitted to the Vice President, who has 30 days to respond to the report. Final responses are to be provided by the Vice President.
- Final Report
The final report, which includes management responses, is distributed to the President, Vice President, Assistant Vice President and the Department Head. The final report is also distributed to the Audit Committee of the Board of Visitors. The report categorizes findings as compliance, major control or minor control findings. All major findings included in audit reports are reviewed to determine their impact on the University's overall control structure. Major findings with significant impact are included in a report entitled "Report of Major Control Findings". This report is distributed to the President, Vice Presidents, and the Audit Committee in conjunction with Board meetings.
According to University Policy 1603, employees are required to immediately notify the Director of Audit and Management Services of circumstances which suggest that a fraudulent transaction has occurred. Fraudulent transactions can include, but are not limited to, the following prohibited acts:
- misappropriation of cash or funds with falsification of documents;
- unauthorized use of University property and resources;
- falsifying entries to payroll and travel records;
- charging personal purchases to the University;
- unauthorized use of University employees/time.
Upon notification of a possible fraud, the Director of Audit and Management Services will inform the appropriate Vice President and the President. Audit and Management Services will then complete a review to determine if there is a reasonable possibility that a fraud has occurred. If we conclude that a reasonable possibility of fraud exists, we will prepare a letter for the President's signature reporting the possible fraudulent transaction to the Auditor of Public Accounts and the Department of State Police in accordance with Section 2.1-155.3 of The Code of Virginia. We may also consult with JMU Public Safety. Further investigation of the possible fraud, with the objective of prosecution, is the responsibility of Public Safety and the appropriate Commonwealth attorney.
In addition, any JMU employee may anonymously report suspicious activities to the State Employee Fraud, Waste and Abuse Hotline (1-800-723-1615), maintained by the Department of the State Internal Auditor (DSIA). Audit and Management Services may be required to investigate these activities and report findings to DSIA.
The Institute of Internal Auditors defines risk as "The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." Examples of adverse events, which may occur due to the absence of internal controls or the ineffective use of resources, include:
- the potential for financial loss;
- the inappropriate disclosure of data;
- destruction/loss of data;
- inaccurate or incomplete data; and
- any form of embarrassment.
As the University increases the use of technology, additional risks may exist. Examples of such risks include:
- intentional destruction of student or faculty files;
- unauthorized access to student or faculty files;
- destruction of files due to viruses;
- attacks on file servers or other devices; and
- loss of grading capabilities due to destruction of information.
The above actions could be perpetrated by someone within the JMU community or an outsider, therefore increasing the University's vulnerability.