Frequently Asked Questions
- What is Internal Auditing?
- How are areas selected for internal audits?
- What happens during an audit?
- What do I do if I suspect fraud?
- What is risk?
The Department of the State Internal Auditor (DSIA) defines internal auditing within the Commonwealth as "an integral part of the overall internal control system". The Institute of Internal Auditors defines internal auditing in this way:
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
The following items are a sampling of the things we do.
- Evaluate your operations for ways to improve your effectiveness or efficiency.
- Help you comply with various University, State and Federal policies.
- Ensure that you have proper controls in place to protect you, your employees and the University.
- Provide you with advice regarding systems, policies, procedures, etc.
Audit and Management Services performs an annual risk assessment to ensure that key audit areas (departments or activities) at the University are examined on a sufficiently frequent basis. Risk assessment scores for potential audit areas are updated at the conclusion of audits or when we become aware of significant changes (e.g., restructuring, new departments or services, etc.). Also, we request that departments complete a risk survey every other year to ensure that we are aware of major changes. The risk scores for each audit area are derived by assigning numerical ratings for nine weighted risk factors.
The updated risk assessment score is then used to develop the Long Range Audit Plan and Resource Analysis, which covers a five-year period. The frequency of audits for an area is determined by evaluating the level of risk in audit areas. The higher the risk score assigned to a given area, the greater the audit frequency. In addition to scheduled audit areas, the plan also includes time for special projects. Such projects may be requested by University management or may be performed as a result of suspected fraud, waste or abuse.
Annual Audit Plans are derived from the Long Range Plan and, more importantly, input from Vice Presidents. Each year we ask the Vice Presidents to review the Long Range Plan and provide this input. When possible, the Annual Audit Plan is adjusted to incorporate additions or changes suggested by the Vice Presidents. A key goal of our department is to provide adequate resources to address requests from management to do projects involving consultative services, analyses and efficiency reviews.
The Long Range and Annual Audit Plans are approved by the Audit Committee of the Board of Visitors. Not every audit scheduled for a particular year on the Long Range Plan will necessarily be included on the Annual Audit Plan for that year, due to resource constraints, a larger volume of special projects or other variables.
Schedule the Audit
Audits are scheduled based upon the annual audit plan approved by the audit committee of the JMU Board of Visitors, with input provided by the Audit Committee, Vice Presidents and the President. AMS periodically completes risk assessments for the purposes of audit planning. Risk factors considered in the assessment may include financial, compliance, reputational, physical security, health and safety, and other factors. Audits with higher risks are given priority over lower risk audits.
The Vice President, Assistant Vice President or Dean, and the Department Head are notified that an audit will be performed. Specific information required to begin the audit is requested at this time.
Determine the Scope of an Audit
After reviewing the information provided by the department and further discussions with key personnel, the scope of the audit is determined and communicated to the Vice President, Assistant Vice President and Department Head.
Develop Understanding of Activities
A detailed understanding of each activity included in the scope of the audit is developed by reviewing policies and procedures, examining documentation provided by the department and interviewing key personnel. The department and AMS then identify the risks and controls associated with these activities.
Evaluate Internal Controls
AMS evaluates the design and application of internal controls identified for each activity included in the scope of the audit. Standard controls (e.g., authorizations, approvals, reconciliations, documentation, and segregation of duties) are evaluated as part of this process. If control weaknesses are found, AMS makes recommendations to enhance or establish controls.
Test Controls: After identifying the controls that are in place for each activity and evaluating control design and application, AMS develops an audit program to test whether the controls are functioning as intended. Compliance with applicable policies or laws is also tested. Errors or exceptions found during testing are discussed with applicable personnel, and recommendations to mitigate the risk(s) identified are explored.
Draft Audit Report: At the conclusion of the test work, AMS issues a draft report on the effectiveness of controls, including recommendations for improvements. The draft report is sent to the Department Head to provide an opportunity to express concerns or disagreement with the findings and recommendations. A revised draft is issued based on discussions with the Department Head and forwarded to the Assistant Vice President or Dean for review.
Exit Conference: A meeting may be scheduled with the Vice President, the Assistant Vice President or Dean, and Department Head to discuss the report. The purpose of this discussion is to provide the department with an opportunity to express concerns or disagreements with the draft opinion and/or recommendations. AMS revises the draft report based on the results of this discussion as necessary.
Request Management Responses: After the meeting, the Department Head is asked to provide written responses to the draft report. AMS incorporates the department's responses into the revised draft and forwards it to the Assistant Vice President or Dean and Vice President for review.
Issue Final Report: The final report, which includes management responses, is distributed to the President, Vice President, Assistant Vice President or Dean, and the Department Head. The final report is also distributed to the Audit Committee of the Board of Visitors.
According to University Policy 1603, employees are required to immediately notify the Director of Audit and Management Services of circumstances which suggest that a fraudulent transaction has occurred. Fraudulent transactions can include, but are not limited to, the following prohibited acts:
- misappropriation of cash or funds with falsification of documents
- unauthorized use of University property and resources
- falsifying entries to payroll and travel records
- charging personal purchases to the University
- unauthorized use of University employees/time
Upon notification of a possible fraud, the Director of Audit and Management Services will inform the appropriate Vice President and the President. Audit and Management Services will then complete a review to determine if there is a reasonable possibility that a fraud has occurred. If we conclude that a reasonable possibility of fraud exists, we will prepare a letter for the President's signature reporting the possible fraudulent transaction to the Auditor of Public Accounts and the Department of State Police in accordance with Chapter 14 Section § 30-138 of the State Code of Virginia.
We may also consult with JMU Public Safety. Further investigation of the possible fraud, with the objective of prosecution, is the responsibility of Public Safety and the appropriate Commonwealth's Attorney.
In addition, any JMU employee may anonymously report suspicious activities to the State Employee Fraud, Waste and Abuse Hotline (1-800-723-1615), maintained by the Office of the State Inspector General (OSIG). Audit and Management Services may be required to investigate these activities and report findings to DSIA.
The Institute of Internal Auditors defines risk as "The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." Examples of adverse events, which may occur due to the absence of internal controls or the ineffective use of resources, include:
- noncompliance with Federal and State laws
- cash receipts lost or stolen
- incorrect payroll amount to be paid to employee
- inaccurate or incomplete data
- inadequately trained staff
- any form of embarrassment
As the University increases the use of technology, additional risks may exist. Examples of such risks include:
- data breach/leak of protected information
- unauthorized access to student records
- unavailability of critical computer systems
- inappropriate destruction or retention of data
- failure to comply with PCI Data Security Standards
The above actions could be perpetrated by someone within the JMU community or by an outsider, which increases the University's vulnerability.