North Carolina Office of the State Auditor Honesty Integrity Professionalism

Internal Auditing in North Carolina Agencies and Institutions Presented by Jeff Henderson, Deputy State Auditor North Carolina Office of the State Auditor June 6, 2008

Why conduct this audit? The Office of the State Auditor initiated this audit to assess the internal auditing function across the state. The audit stemmed from increasing public awareness and concern over fraudulent activities in government entities and large organizations in the private sector.

Why conduct this audit? The presence of a functioning internal audit operation is a key component of a good system of internal control. Internal auditors evaluate systems within an organization, help to prevent and detect errors and irregularities, help ensure the reliability and integrity of financial and operational information and compliance with laws and regulations, and help safeguard assets.

Why conduct this audit? Internal auditors also function as management consultants by identifying problems and recommending methods to improve the effectiveness and efficiency of an organizations operations.

Objectives The objectives of the audit were twofold: 1. To determine whether North Carolina state agencies, universities, and community colleges had sufficient internal audit resources. 2. To assess the level of compliance that existing internal audit functions have achieved with generally recognized internal audit principles and best practices.

What was covered by this audit? 31 major general government agencies and their component units, all 16 universities in the University of North Carolina System, and all 58 colleges in the community college system. The audit covered the three year period from July 2002 through June 2005.

What did we do? We surveyed all state agencies, which included the universities and community colleges. We visited several general government agencies, universities and community colleges, including some that did not have an internal audit function. We interviewed senior management and internal audit staff.

What did we do? We reviewed laws, rules, regulations, policies, and procedures related to the internal audit function. We examined reports and studies, both internal and external, regarding internal audit operations. We reviewed each entitys organizational structure, audit plan, and operating standards and identified whether audit risk assessments were conducted.

What did we do? And we reviewed personnel files, job descriptions, training records, time sheets, and a sample of audit reports.

What did we find? We found that all universities, one community college, and 13 state agencies had internal audit functions. Overall though we found the internal audit function in North Carolina is inadequately staffed and is in need of more direct guidance from the General Assembly.

Results Our audit report included 10 audit findings. The first finding is the most critical, and I will spend a little more time on it. This first finding dealt with the overall internal audit function for the State of North Carolina. The remaining findings address specific areas of concern within those agencies with existing internal audit functions.

Finding 1 North Carolina State Government and Its Institutions Lack Sufficient Internal Audit Resources a. There are 75 entities within state government with no internal audit function. These agencies have just under 25,000 employees and have operating expenditures of nearly $5.9 billion.

Finding 1 b. There are a number of agencies with inadequately staffed internal audit functions. Three of these agencies are the Department of Health and Human Services, the Department of Natural and Economic Resources, and the Department of Public Instruction. DHHS, with total expenditures of approximately $13 billion, has seven internal auditors. DENR and DPI, with total expenditures of approximately $569 million and $7.7 billion respectively, have one internal auditor each.

Finding 1 c. The skill sets of some internal staffs are not adequate. In the ever increasing complexity of our operating environments, the ability to audit computer operating systems is a critical need; however, we found very few internal auditors with technical expertise to meet this need.

Finding 1 Recommendations: 1. Legislation is needed: a.to establish minimum requirements for the development of an internal audit function at the agency level, b.to specify the minimum staffing criteria and qualifications, c.to mandate the internal auditing standards with which the states internal audit function should comply. 2. Adequate funding should be provided to establish the internal audit functions.

Finding 1 Recommendations: 3. Statewide staffing of internal audit functions should be increased. Every agency should have some form of internal audit function. An assessment will need to be made to determine the level of staffing and funding. In some cases, centralized internal audit efforts should be considered. 4. The scope of the internal audit function should be broader than preventing fraud and safeguarding assets. It should include review and evaluation of internal controls and compliance with laws and regulations.

Finding 1 Recommendations: 5. All internal audit functions should be following the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing. 6. Quality control should be maintained by having a peer review in accordance with the Institute of Internal Auditors Standards. 7. An internal audit charter is needed for each internal audit function.

Finding 1 Recommendations: 8. Independence of the internal audit function should be maintained by requiring that the internal audit function report to the agency head, college president, or university chancellor, and to the audit committee of any oversight board. 9. An annual audit plan should be formulated by each internal audit function based on an agency- wide risk assessment.

Finding 2 Some Internal Audit Organizations Do Not Follow Any Professional Auditing Standards –These internal audit organizations should adopt and follow recognized professional standards.

Finding 3 Internal Audit Organizations Are Not Obtaining Quality Assurance Reviews by Outside parties –All internal audit organizations should obtain an external quality assessment review at regular intervals.

Finding 4 Some Internal Audit Sections Do Not Report to the Highest Management Level Within the Organization –The internal audit organizations mentioned within should revise their internal audit reporting structures so that the internal audit function reports to the highest level within the organization.

Finding 5 Some Internal Audit Organizations Did Not Execute an Annual Audit Plan While Others Did Not Perform Risk Assessments to Develop an Audit Plan –Internal audit organizations should comply with internal auditing standards by establishing an annual audit plan based on an effective risk assessment.

Finding 6 Internal Auditors Were Often Assigned Tasks Unrelated to Their Primary Job Responsibilities –Management should ensure that internal auditors focus their efforts on conducting audits and strengthening internal controls.

Finding 7 Some Internal Audit Sections Did Not Have an Audit Charter –All entities should have an internal audit charter consistent with the Institute of Internal Auditors standards.

Finding 8 Some Internal Audit Sections Lacked Adequate Policies and Procedures –Policies and procedures governing the internal audit function should be established and maintained.

Finding 9 The Office of Information Technology Services No Longer Has a Fully Dedicated Information Systems Internal Auditor Position –ITS should reestablish an internal information systems auditor position separate from the statewide information technology compliance responsibilities.

Finding 10 The Department of Transportations Internal Audit Section Has Experienced Significant Difficulties with Completing Audits and Producing Audit Reports –The Chief Internal Auditor should report directly to the Secretary and/or to the audit committee of the Board of Transportation, and the Secretary should take steps to improve the performance of the internal audit section.

State Response to Audit The General Assembly responded to this audit in 2007 by enacting House Bill 1401 entitled The North Carolina Internal Audit Act. Basically this law required the establishment of a program of internal auditing in state government. –It required internal audits to comply with current standards for the professional practice of internal auditing issued by the Institute of Internal Auditors. –It set minimum qualifications for internal auditors. –It established the Council of Internal Auditing which is to oversee the implementation of the Act.

State Response to Audit The General Assembly also enacted House Bill 1551 entitled The State Governmental Accountability and Internal Control Act. This law required the establishment of a strong and effective system of internal control within State government and to clearly indicate responsibilities related to that system of internal control. –It required the State Controller, in consultation with the State Auditor, to establish comprehensive standards, policies, and procedures to ensure a strong and effective system of internal control within State government. –It stated that management of each state agency bears full responsibility for establishing and maintaining a proper system of internal control within that agency. –It required each State agency to maintain documentation of the system of internal control within that agency.

North Carolina Office of the State Auditor Public Website: or by contacting: Kenneth Barnette Kenneth Barnette Performance Audit Manager Performance Audit

North Carolina Office of the State Auditor Jeff Henderson Jeff Henderson Deputy State Auditor

Questions?