Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bill Harrison Chief Internal Auditor October 10, 2012

Similar presentations

Presentation on theme: "Bill Harrison Chief Internal Auditor October 10, 2012"— Presentation transcript:

1 Bill Harrison Chief Internal Auditor October 10, 2012
Auditing 101 Bill Harrison Chief Internal Auditor October 10, 2012

2 Learning Outcomes Understand the internal and external audit environment Key players Purpose and structure of the Office of Audit Services Audit process Understand internal control concepts and standards Understand practices/procedures to ensure a “clean” audit

3 Definition of Auditing
An unbiased examination and evaluation of financial information, operational processes, or compliance with laws and regulations in an organization. It can be done internally (by employees of the organization) or externally (by an outside firm). An IRS examination of a taxpayer's return or other transactions. Work performed in accordance with standards. Source:

4 What do Auditors Do? For the most part, audits are conducted by independent public accounting firms, federal, state, and local government auditors, or internal auditors. In addition to financial statement audits, the professional literature describes other types of audits such as attestation engagements and performance audits When complete, auditors generally issue a written report with a conclusion that confirms or denies management’s adherence to an existing set of criteria such as generally accepted accounting principles, government laws and regulations, or internal policies and procedures.

5 Criteria Condition Effect Cause Recommendation(s)
Audit Findings Criteria Condition Effect Cause Recommendation(s)

6 Audit Organizations Government Accountability Office – GAO
Offices of Inspector General – OIG Vermont State Auditor Internal Auditors – Office of Audit Services Financial Statement/A-133 Auditors Other Independent Auditors

7 Government Accountability Office

8 Offices of Inspector General

9 Tip #1 Understand the environment: Visit agency and OIG web sites
Read OIG semiannual reports/audit reports at those agencies dealing with colleges and universities: NSF, HHS, DoED, DoD, NASA, USDA Join a professional society Attend UVM Audit Committee meetings Read meeting minutes

10 Tip #2 Read and understand UVM’s Government Reviews Protocol, an official University Operating Procedure. Always remember: there are a number of departments on campus to help you deal with external requests for information including Sponsored Project Administration, Audit Services, Compliance Services, and General Counsel.

11 Office of Audit Services
Organizational Structure Audit Charter Audit standards Audit Selection, Planning, Reporting and Follow-up Processes

12 UVM Organization Chart

13 Organization Chief Internal Auditor Office/Program Support Senior
Deputy Internal Auditor Senior Auditor Office/Program Support Senior

14 Audit Services Home

15 Audit Charter The Office of Audit Services is an independent and objective assurance and consulting activity within the University of Vermont (UVM) that provides the Board of Trustees and management with observations, recommendations and advice designed to add value and improve the effectiveness of the University's risk management, control, and governance processes.

16 Audit Charter, cont… Provide a comprehensive audit program
Access to all university employees and records Allocate resources, set frequencies, select subjects, determine scopes of all internal audits Obtain assistance from UVM personnel

17 Audit Charter, cont… Can’t perform any operational duties for UVM
Initiate or approve any accounting transactions outside of the Office of Audit Services Direct activities of any UVM employees

18 Audit Standards The IIA Red Book provides standards for independence and ethical conduct, planning, reporting, and closing audit projects.

19 How are Audits Selected?
Required audits Annual risk-based audit plan Management requests EthicsPoint Investigations

20 The Audit Process Planning and Risk Assessment Fieldwork Reporting

21 The Audit Process Planning Communication with management
Initial data request A detailed understanding of the organization is developed by reviewing relevant policies, procedures, and records and interviewing or surveying University employees Follow-up Data Request

22 The Audit Process Risk Assessment We can’t look at everything!
Determines the scope of the audit

23 The Audit Process Fieldwork
After finalizing the audit plan and risk assessment, the auditor begins the fieldwork phase. Fieldwork typically consists of testing transactions for conformity with applicable university policies and procedures, and assessing the adequacy of internal controls.

24 The Audit Process Reporting
After the fieldwork is completed, the auditor prepares a report. The report generally consists of several sections and includes: the distribution list, background information, summary of results, detailed presentation of results and recommendations, management response, and the objectives, scope, and methodology followed. Discussion Draft, Final Draft, Final Report

25 The Audit Process Audit Follow-up
The purpose of the follow-up is to verify that any agreed- upon corrective actions have been completed. The auditor will interview staff, reperform tests, or review new procedures to perform the verification.

26 How to Ensure a “Clean” Audit Opinion
COSO Internal Control Framework Control Activities

27 COSO Internal Control Framework
Adopted by UVM Board of Trustees Five Essential Elements Control Environment Risk Assessment Control Activities Information and Communication Monitoring

28 Control Environment The control environment sets the tone of an organization. It is the foundation for all other components of internal control. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization. Source: Wikipedia

29 Risk Assessment Every entity faces a variety of risks from external and internal sources that must be assessed. Risk assessment is a prerequisite for determining how the risks should be managed. The starting point is business objectives. Source: Wikipedia

30 Risk Assessment-Example
Occurrence — the transactions actually took place Completeness — all transactions that should have been recorded have been recorded Accuracy — the transactions were recorded at the appropriate amounts Cutoff — the transactions have been recorded in the correct accounting period Classification — the transactions have been recorded in the proper accounts

31 Control Activities Control activities are the policies and procedures that help ensure management directives are carried out. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. Source: Wikipedia

32 Information and Communication
Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Source: Wikipedia

33 Monitoring Internal control systems need to be monitored. This means that there is a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Source: Wikipedia

34 Control Activities for a “Clean” Audit
Authorization Preparation Review and Approval Segregation of Duties Delegation of Authority Recordkeeping Training Periodic Monitoring

35 Authorization Prior to initiation, transactions should be authorized by a person with budget approval authority, knowledge of institutional policies and procedures, and a clear understanding of the business purpose of the proposed transaction.

36 Preparation Assistance in using systems or preparing forms should be provided by business or administrative professionals; however, all payment requests should be signed and dated by the individual who incurred the expense or received the service. All requests should include a detailed description of the business purpose underlying the transaction when it is not readily discernible from the supporting documentation.

37 Review and Approval Requests for reimbursement or payment should be reviewed and approved by the requestor’s supervisor. Review and approval of transactions by the supervisor generally provides for adequate segregation of incompatible activities and reinforces employee awareness of a sound control environment.

38 Separation of Duties Duties (roles) are assigned to individuals in a manner so that no one individual can control a process from start to finish. Separation of duties provides a system of checks and balances by other individuals. It allows an opportunity for someone to catch an error before a transaction is fully executed and/or before a decision is made based on potentially erroneous data. In addition, having adequate separation of duties reduces the ‘opportunity’ factor that might encourage an employee to commit fraud or to embezzle.

39 Delegation of Authority
Authority to approve expense transactions should only be delegated to those who have sufficient authority and responsibility over the initiator of the transactions. The specific delegation of authority should be documented.

40 Recordkeeping Sufficient and appropriate records should be created and retained for each transaction to provide evidence of authorization and/or approval, business purpose, adherence to university policy and procedures, and external requirements. Business purpose should be stated such that someone with no prior knowledge of the transaction could reasonably determine the benefit to the University.

41 Tip #3 Read and understand our Record Retention policy
Sufficient, appropriate records as required by University policy and external requirements. For the period required.

42 Information and Communication
COSO Summary Monitoring Information and Communication Control Activities Risk Assessment Control Environment Authorization Preparation Review and Approval Separation of Duties Delegation Recordkeeping

43 Tip #4 UVM promotes ethical values – Our Common Ground, Statement of Commitment and Expectation in the Workplace, Code of Business Conduct. There is no perfect system Report questions or issues that may involve violations of our code of business conduct or other policy standards or legal requirements

44 The Bottom Line Really just common sense
Become familiar with University policies and any external requirements in your area of responsibility If you think business practices may be too informal, talk with your unit management or contact us Report incidents or situations that may involve violations of the University's Code of Business Conduct or other policy standards or legal requirements If you’re contacted by an external auditor, follow the procedures described in our Government Reviews Protocol

45 Contacts Office of Audit Services Bill Harrison John Copoulos Jennifer Sheridan Kyle Sowles Tom Leene Amy Vile

Download ppt "Bill Harrison Chief Internal Auditor October 10, 2012"

Similar presentations

Ads by Google