Internal Audit—Frequently Asked Questions
WHEN SHOULD I CALL THE INTERNAL AUDITS OFFICE?
Anytime! Internal Audit acts as an in-house consultant on internal control matters and provides guidance on control aspects of new systems and procedures. Contact us if you have questions, need clarification regarding the information on our website, or would like to explore one of our advisory services that appeals to you (for example, an operational review to validate your processes and procedures).
Please direct questions and requests for audits to the Executive Director at 972-883-2693.
ARE SERVICES CONFIDENTIAL?
According to professional standards, internal auditors are expected not to disclose confidential information received, unless required to by legal or professional obligation. Every effort will be made to ensure confidentiality based on the specific facts and circumstances.
WHY WAS I SELECTED TO BE AUDITED?
The University conducts a regular, ongoing examination of its internal controls, and as part of this process, the Office of Internal Audits conducts approximately 20 audits annually. Primary considerations in establishing which units will be audited include evaluation of risk, the results and length of time of previous internal and external audits, and specific requests from administrators. Audits for many high-risk units are scheduled on a three-year cycle, while other units are randomly selected for audits. In addition, internal audits are initiated to investigate possible irregularities. The Office prepares an annual plan which is reviewed and approved by the Audit Committee and The University of Texas System Audit Office to ensure that objectives, scope and allocated audit hours support management goals. The plan is primarily developed based on the assessment of various risk factors such as: significant financial investment or impact, required regulatory or legal compliance, complex transactions or environment, new technology or processes and prior audit experience. Management requests, external audit support and standard annual audits are also included. Additionally, there are always projects we undertake that were unanticipated when the annual plan was developed.
WHAT IS THE DIFFERENCE BETWEEN EXTERNAL AND INTERNAL AUDITORS?
External auditors work for public accounting firms and are primarily focused on financial reporting. Internal auditors are a management resource used to help identify risks and recommend ways to transfer, eliminate, or mitigate those risks. There are five types of risk an entity faces: strategic, operational, financial, compliance, and reputational. Some risks may be unavoidable. We recommend ways to manage an acceptable amount of risk. We do this by identifying and recommending best practices and internal control process improvements through our portfolio of services.
WHAT IS THE DIFFERENCE BETWEEN AUDIT AND COMPLIANCE?
For a detailed explanation of the specific roles of the Internal Audit function and the Compliance function, please see the Responsibilities of Institutional Compliance and Internal Audit. For an article explaining the partnership between Audit and Compliance, please see Audit and Compliance - A Natural Partnership.
WHY MIGHT I REQUEST AN AUDIT?
An audit is an opportunity to receive an independent appraisal of the effectiveness and efficiency of your unit's administrative activities. The timing of an audit can be an important factor in maximizing the resulting benefits. An audit can review administrative procedures to assess whether internal controls in your unit are adequate and to provide suggestions to improve the efficiency and effectiveness of your unit's administrative activities. Conversely, a periodic "checkup" to review your unit's administrative activity can help ensure that your procedures continue to provide the desired level of internal control and comply with University policy.
WHAT SHOULD I EXPECT WHEN AN AUDIT IS SCHEDULED FOR MY UNIT?
Although unannounced audits are initiated where appropriate, typically a representative of the Internal Audits Office will send an audit notification letter to inform you that your area is going to be audited. The representative will also schedule an entrance conference to discuss the planned objective and scope of the review and the logistics of conducting the audit. At this initial meeting, you should take the opportunity to discuss any concerns or questions you may have about the audit, to identify any issues or areas of special concern that you would like the audit to address, and to determine how you can facilitate the audit process. A typical audit has several stages, including preliminary research; data collection (some by interview), analysis, and review; an exit conference; and preparation and distribution of an audit report. Control weaknesses identified during the audit will be noted in the audit report, and a follow-up review will subsequently be performed to determine whether corrective action has been taken.
HOW LONG WILL AN AUDIT TAKE?
The length of the audit varies. The auditor in-charge assigned to your audit will give you a reasonable estimate of the time needed to complete the audit. An audit will result in a certain amount of time being diverted from your unit's usual routine, but every effort will be made to keep this disruption to a minimum. We appreciate your assistance and cooperation.
WHAT TYPES OF AUDITS ARE PERFORMED?
Audits can be placed in four categories: key financial, compliance, operational, and information technology audits. According to the U.T. System Audit Office, the purpose of these audits is:
- Financial Audits: "To provide support for the chief administrative officer and chief reporting officer certifications on the material accuracy of UTD's financial statements."
- Compliance Audits: "To provide assurance that the institution is in compliance with policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports."
- Information Technology Audits: "To provide assurance that information assets are secure, effective and reliable, are linked to the achievement of the organization's objectives, and are used in accordance with all applicable laws, rules and policies."
- Operational Audits: "To provide assurance that either: (1) assets are safeguarded, (2) resources are employed efficiently and economically, or (3) established operating and strategic goals and objectives are accomplished for all of the 'other high-risk areas' that are not covered under Key Financial and Operating, Institutional compliance, or Information Technology." Operational audits include departmental audits.
HOW WILL AUDIT FINDINGS BE REPORTED?
The appropriate people will be kept apprised of the auditor's findings throughout the course of the audit. At the conclusion of the audit, you will be provided a draft of the audit report for your review before the final version is issued. You will also be given the opportunity to discuss the draft audit report at an exit conference with the audit team members. If the report contains recommendations, written responses detailing corrective action, a projected implementation date, and the responsible party will be required. The response is included in the body of the report. All audit information is treated as confidential and is reported only to those within the institution who need to know. The final report is distributed to appropriate management personnel, the Audit Committee, the President, and UT System Administration.
WHAT IS INTERNAL CONTROL AND WHY IS IT IMPORTANT?
Internal control is a process in which all University employees participate. Internal controls are operating practices used to ensure reliable, accurate, and timely reporting, to ensure assets are accounted for and safeguarded from loss, and to ensure operations are effective and efficient. They also ensure compliance with applicable laws and regulations. They are used every day by managers, from the unit levels to the President. Internal controls are good business practice. University management is responsible for maintaining an adequate system of internal control. Internal Auditors independently evaluate the adequacy of the existing control system and make recommendations based on analyzing and testing controls.
WHAT ARE SOME EXAMPLES OF INTERNAL CONTROLS?
Examples of common internal controls include:
- policies and procedures (at the Federal, State, University, and unit level) that are communicated and establish what should be done, how, and by whom;
- approvals and authorizations that include a thorough review of supporting documentation to verify the validity of transactions;
- verifications and reconciliations (e.g., review and reconcile FRS reports, petty cash verifications, compare budgets to actual amounts);
- supervision including training, keeping employees informed of new policies and procedures, and performance reviews;
- safeguarding of assets (including passwords and other restricted information) against theft, destruction, deterioration, or misuse (e.g., lock office, deposit cash receipts timely, limit access to procurement card);
- segregation of duties: dividing authorization, custody, and record keeping duties among different people so that someone can't both perpetrate and conceal an error or irregularity.
ARE AUDITORS LOOKING FOR FRAUD WHEN PERFORMING AUDITS?
Auditors conduct audits in accordance with the Institute of Internal Auditors' "International Standards for the Professional Practice of Internal Auditing." As such, auditors are not specifically searching for the existence of fraud; however, improper activities may be identified. A control-conscious organizational environment can reduce the risk of fraud.
WHO AUDITS THE AUDITORS?
It is required by state law that a Quality Assurance Review be conducted every three years on the Internal Audits office. A team of auditors outside of UTD performs this review.
Don’t see your question here? Give us a call.
Updated: April 23, 2013