Often clients are surprised when they receive a memo explaining that the auditor will contact them to schedule an opening meeting. This introduction to the engagement may leave a client wondering, “Why me?” or “What did I do wrong?” Confusion frequently follows these questions. Clients don’t understand the engagement process or how to prepare for the review. Some clients may even be confused as to what an internal auditor does and the role internal audit plays in the organization.
To ensure that the engagement process leads to success, it is important that clients understand their role in the review and are familiar with the internal audit function at the UNC System Office.
What is internal auditing?
When most people think of auditing, the first thing that comes to mind is financial auditing. While this is an important aspect of auditing, it is only one small facet.
The Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. See the Audit Services section of the site to learn more about the services internal audit can provide.
Does internal audit follow professional standards?
Internal audit follows the professional standards established by the Institute of Internal Auditors (IIA). As required by these Standards, internal audit undergoes an external quality assessment every five years to measure its compliance with IIA standards.
The IIA serves over 70,000 members and provides the internal auditing profession with standards, guidance, and information on internal auditing best practices. The IIA has a Code of Ethics, which has been adopted by internal audit. One of the standard’s requirements is that the purpose, authority, and responsibility of the internal audit function be defined in a charter. The Board of Governors Committee on Audit, Risk Management, and Compliance approved this charter.
How is internal audit organized?
NCGS §143-746 requires the UNC System Office to maintain an internal audit function. In accordance with the Internal Audit Charter, internal audit operates as an independent appraisal function and reports functionally to the Committee on Audit, Risk Management, and Compliance of the Board of Governors and administratively to the UNC President (or his designee). At the UNC System Office, the internal audit function resides within Governance, Legal and Risk.
What are the purpose and objectives of internal audit?
Internal audit functions primarily as a service unit that assists all levels of management in the effective discharge of their responsibilities. This can be done by consulting and performing independent audits, reviews, and investigations. The office seeks to provide reasonable assurance to management that effective stewardship is maintained over the organization’s resources. Internal audit also serves as a liaison between management and external auditors.
In general, the objectives of internal audit are to:
- Evaluate the adequacy of the internal control structure within a department or unit
- Assess the extent of compliance with applicable laws, regulations, policies, and procedures
- Verify the existence of assets and ensure proper safeguards/protection of assets
- Evaluate the reliability and integrity of data produced by information systems
- Investigate concerns related to fraud, embezzlement, and theft
- Consult with management and provide methodologies, facilitation, focus, knowledge, technology, best practices, and independence that help solve management’s problems
What is the scope of internal audit’s authority?
In accordance with the internal audit charter and NCGS §116-40.7, internal auditors have unrestricted access to all records, assets, and other resources of the organization, which are necessary to accomplish its objectives. Internal audit ensures the safekeeping and confidentiality of all records and information used during an engagement to the extent provided by NCGS §116-40.7.
What is reviewed and why?
Internal audit develops an annual audit plan, which is reviewed and approved by the Board of Governors Committee on Audit, Risk Management, and Compliance and the UNC System president. This plan identifies the engagement projects to be conducted during the upcoming fiscal year; however, it can be amended to include requested reviews, special projects, or changes in priority.
Not all reviews are selected in the same way. An area can be selected for a review if:
- It is assessed as an area with high risk
- It is a cyclical engagement project
- Irregular conduct is alleged and a review is requested
- Management specifically requests a review
The most common method of selecting an area for an engagement is through the application of a risk assessment. Several factors are considered in the assessment:
- To what extent is the process or area required to comply with state or federal regulations?
- Is this area subject to a great deal of public scrutiny?
- Has recent organizational change occurred?
- What is the volume of activity?
- How reliant is the area on technology?
- When was the last time internal audit reviewed it?
- Have concerns about conduct resulted in a requested review?
- Does management have concerns that they want us to look into? Concerns can be about the internal structure, regulations, complexity of operations, or any prior audit findings
Throughout the year, needs are re-assessed and the audit plan may be amended to include requested reviews, special projects, or changes in priority.
Investigative engagements normally result from management requests and/or anonymous tips and focus on alleged irregular conduct. Reasons for investigative engagements include internal theft, misuse of state property, and/or conflicts of interest.
How is the scope of the engagement determined?
The scope of the engagement and/or review is determined from one or more of the following:
- Information collected during a preliminary survey, which includes interviews with the appropriate client personnel
- Assessment of risk associated with the client’s functions
- Evaluation of answers received on internal control questionnaires tailored for the assignment
- Client requests concerning topics, functions and/or time frames
Sometimes discoveries or events that occur during a project can change the scope of an engagement. If changes in scope are significant, the client receives notification.
How long does an engagement last?
Engagements and reviews vary in length. The amount of time required depends on the objectives of the engagement, the cooperation and availability of the client, and the complexity of the operation. An internal control review may take one to two weeks, while a broad-based engagement may take months. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the engagement.
What is the actual engagement process?
- The engagement or review is announced through an engagement letter. Internal audit notifies the client in writing when their area is selected for an audit. An engagement letter describes the general objectives of the engagement, the auditor in charge, the projected time frame of the engagement, and information the auditor may need the client to supply.
- An entrance conference is scheduled with the client to discuss the purpose, scope, and process of the engagement. The auditor and personnel deemed appropriate by the client attend the entrance conference. Clients are encouraged to present any questions or concerns they have about the engagement. Clients are also given the opportunity to request that a specific function or area of their office be examined during the engagement or in future work.
- A preliminary review is performed. During this portion of the engagement, the auditor will gain an understanding of the client’s operations and/or area being reviewed. The auditor may request written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the client’s operations. Internal controls may be reviewed and documented during this portion of the engagement.
- Fieldwork is conducted. This phase of the engagement includes testing the internal controls, collecting and analyzing data, and performing other procedures necessary to accomplish the objectives of the engagement. This phase of the engagement is the most time-consuming part of the review for the client because personnel will need to be available to answer questions and provide information. Internal audit realizes the value of each person’s time and tries to arrange meetings in advance and work around scheduling conflicts when possible. Also during this phase of the engagement, the auditor will strive to maintain open communication with the client to ensure they are kept abreast of the initial observations so there are no surprises once the final report is issued.
- A draft report is prepared. After the fieldwork is completed, the auditor prepares a draft report, which will include an overview of the area being audited, audit purpose, objectives, scope, methodology, reportable conditions, and recommendations. The draft report, along with any non-reportable conditions, is shared with the client for review before the exit conference.
- An exit conference is scheduled. An exit conference is scheduled with the client to discuss the draft audit report. This conference is an opportunity to discuss the observations and clarify any ambiguities. Non-reportable conditions will also be discussed during the exit conference.
- A written management response to the draft audit findings and recommendations is submitted by the client (or primary department under review). After the exit conference, if necessary, changes are made to the draft report, which is then shared with the client. The client is normally given anywhere from one to two weeks to respond to the draft report. The client prepares a response to each of the observations and recommendations and provides it to internal audit. If circumstances arise that prevent the client from responding to the report in the allotted time frame, the client should contact internal audit to request more time.
- The final report is issued. A final report is issued after the auditor receives the draft report with the client’s responses. The final report is distributed to the client, senior-level management, the president and the Board of Governors Committee on Audit, Risk Management, and Compliance.
- A follow-up review is conducted. Within a reasonable time after the final report is issued, a follow-up review is performed to verify the resolution of the observations. The review is concluded with a follow-up report, which lists the actions taken by the client to resolve the original observations. A draft of the follow-up report will be circulated to the client for discussion before the report is issued. The follow-up report will be circulated to the original report recipients and other UNC System Office officials as deemed appropriate.
If I call you with a question, are you going to audit me?
Typically, no. One service we provide is to help answer questions when you are not sure of the responsible office, would like assistance interpreting policies or regulations, or want guidance on implementing a new process. If we can’t answer the question for you, we try to help you find the right person to ask.
How long do I need to hold on to a document?
For guidance, review the Records Retention information and other links provided by UNC System Office’s Legal Affairs. If you still are not sure, please contact us.