Just what does an internal auditor do? How does the internal auditor select areas
to review? What happens when your function or program is reviewed? Does anyone actually
check up on the auditor? Many University employees don't give audits a second thought
until their area is selected for review. So, here is some general information about
the University's Office of Internal Audit to help you understand the function and
role of the Office.
Just who is the internal auditor? An internal auditor monitors, assesses, and analyzes organizational risk and controls; reviews and either corroborates or refutes information; and ensures compliance with policies, procedures, and laws. Working in partnership with management, the internal auditor provides the Audit Committee of the Board of Trustees, the President, and component head managers with assurance that risks are mitigated and that the organization's corporate governance is strong and effective. And, when there is room for improvement, the internal auditor makes recommendations for enhancing processes, policies, and procedures. But mostly, the internal auditor is a University employee just like you.
Why does UVI have an internal audit function? The Office of Internal Audit exists by Charter to assist University management and the Audit Committee of the Board of Trustees in effectively fulfilling their responsibilities. The Office is charged with examining and evaluating the policies, procedures, and systems in place at the University to ensure: the reliability and integrity of information; compliance with policies, plans, laws, and regulations; the safeguarding of assets; and the economical and efficient use of resources. Or, in simpler words, the internal auditor is here to help.
Where does the audit function fit in the organization? The internal auditor reports functionally to the Audit Committee of the Board of Trustees and administratively to the President. The Office of Internal Audit is staffed with an internal auditor and an administrative specialist, so we are a small office with a big job.
What's the difference between external and internal auditors? External auditors can be government auditors (such as the Federal and Virgin Islands inspectors general) or independent public accounting firms that the University hires to prepare its audited financial statements. Government auditors focus primarily on compliance with government regulations and generally tend to review compliance with special conditions contained in contract and grant awards. Since both the local and federal governments fund a significant portion of the University's activities, they have a responsibility to make sure we use their money as they intended.
Independent public accounting firms review and render an opinion on the University's financial statements to ensure the information presented accurately portrays the University's financial condition. Government agencies, the Board of Trustees, and bond rating agencies rely on the independent auditor's opinion of the audited financial statements.
In contrast to external auditors who primarily conduct audits and provide information to parties external to the University, internal auditors conduct reviews to add value and improve University operations, programs, policies, and procedures. As such, the Office of Internal Audit conducts detailed reviews of University transactions, conducts investigations to corroborate or refute allegations of wrongdoing, serves as the liaison to external auditors, and provides advisory services, as requested, to ensure that the University's systems of internal controls operate efficiently and effectively and allow the University to achieve its mission and its goals.
How are University programs, departments, contracts, grants, and other areas selected for review? The Office of Internal Audit identifies "auditable" units, conducts a risk assessment of the auditable units by rating and ranking each auditable unit against a set of risk factors, and brings forward suggested areas for review to the Audit Committee. Together, the internal auditor and the Audit Committee select areas for review, which are detailed in an annual Work Plan. Depending on available resources, the Office of Internal Audit conducts about 3-4 reviews each year. In addition to the scheduled reviews contained in the Work plan, the Office of Internal Audit also conducts special reviews, primarily as a result of a concern or an allegation of wrongdoing that is brought to the attention of the Internal Auditor. Accordingly, special reviews are unplanned assignments and are conducted to either corroborate or refute an allegation.
What happens during an audit? Common elements of a planned internal review include the following:
- Engagement Memo - With few exceptions, audit clients are notified in writing when their area is selected for review. The engagement memo is sent to the responsible component and department head of the area being reviewed. The engagement memo contains the date, time, and place of the entrance conference, the objectives to be accomplished during the review, and documents and records that may be required to conduct the review.
- Entrance Conference - An entrance conference is scheduled with the component and/or department head to discuss the purpose and scope of the review. The internal auditor encourages clients to discuss any concerns or questions they may have about the review and to bring forward suggested topical areas to be reviewed during the conduct of the work.
- Fieldwork - The internal auditor reviews applicable written policies and procedures, conducts interviews and follow up questions with department employees, gains an understanding of the internal controls, and tests transactions to ensure that internal controls are functioning as intended. In order to minimize disruption of daily operations, the internal auditor tries to schedule meetings in advance to avoid potential scheduling conflicts. As fieldwork is conducted and as opportunities for improvement are identified, the internal auditor collaboratively discusses these matters with the department head and impacted employees.
- Exit Conference - An exit conference is held to discuss a working draft copy of the report. Attendees generally include the internal auditor, component and/or department head responsible for oversight and operation of the area under review, and key personnel who have direct involvement in resolving any concerns identified during the review. The exit conference provides managers and staff with an opportunity to raise and resolve questions or concerns pertaining to the draft report, prior to the formal draft report being released.
- Draft Report - Subsequent to the exit conference, the internal auditor issues a formal draft report and provides the component and/or department head with an opportunity to formally respond, in writing, to the draft report.
- Final Report - The final report includes the internal auditor's report and suggestions for improvement, along with management's response. Copies of the report are generally distributed to the members of the Audit Committee, President, and component and department heads. Summaries which contain a listing of the internal auditor's identified opportunities for improvement and the status of those improvements are also included in reports provided to the Board of Trustees. In addition, final reports will be available for any member of the Board of Trustees, at his/her discretion.
- Follow-up Reviews - Professional standards require that the internal auditor follow-up and report on previously identified opportunities for improvement in order to determine if corrective action was taken and concerns were resolved.
Can a department request an audit? Yes! The internal auditor encourages employees and managers to make suggestions for areas to be considered for review. Your suggestions will be incorporated into the risk assessment process.
Who audits the Office of Internal Audit? Excellent question! An external assessment of the University's Office of Internal Audit must be conducted at least once every 5 years by a qualified independent reviewer or review team from outside the University. This external assessment is one of many mandatory requirements contained in the International Standards for the Professional Practice of Internal Auditing as promulgated by the Institute of Internal Auditors in order to stand up a valid, reputable audit function.
If I call or stop by the Office of Internal Audit with information about a possible irregularity, will my identity be kept confidential? You have a responsibility to report suspected fraud, waste, and abuse and behavior that does not align with the President's 7 management values. In this regard, the Office of Internal Audit encourages employees to bring forward good-faith concerns, without fear of retaliation. In so doing, the Office of Internal Audit honors confidentiality, to the extent permitted by law.
UVI Audit Hotline: (340) 693-1576 • E-mail: email@example.com