UNF Internal Auditing

After identifying objectives and risks that could impede the achievement of objectives, management must next decide how to deal with the risks. Management may decide to control, transfer or accept the risk. Not all risks are created equal. Some are more likely to occur than others while some have a greater impact. Therefore, management must consider the likelihood of occurrence and the potential impact for all risks identified. These factors will ultimately drive the decision on how to handle the risk.

Each department at UNF faces its own unique set of risks and must assess its risks in order to achieve departmental objectives. Effective and reliable internal controls can mitigate risks. The Office of Internal Auditing provides assistance to management in developing a Risk Methodology which can lead to strong internal controls.

The Office of Internal Auditing may monitor performance statistics for certain University functions (i.e. revenue trends for auxiliaries, attrition, expense trends). These trends, along with the risk assessment, may further define what areas are to be audited for a given year.

A solid set of policies and procedures provide an excellent beginning for developing effective and reliable internal controls. Additionally, they keep employees aware of departmental expectations. Auditors may occasionally request a copy of policies and procedures, especially during the planning phase, to gain a better understanding of departmental functions.

The Office of Internal Auditing typically schedules planning meetings for areas that have been selected for audit. These meetings are different than information gathering meetings in the fact that the objective is to discuss the upcoming audit engagement. Items discussed typically include department performance, management concerns, timing of the engagement, engagement scope, etc.

The Office of Internal Auditing may request information from a department prior to, during and/or after a planning meeting. The acquired information will provide the auditors with a better understanding of departmental functions. Any information requested is kept strictly confidential. The nature of the auditing profession lends itself to viewing sensitive information on a regular basis. Therefore, you can rest assured that your department’s information will not be used in a manner that is detrimental to the University.

The Office of Internal Auditing sets the initial scope for audit services based on the information obtained in the planning phase. This scope is always a best effort to identify the audit objectives, however, it is always subject to change. Changes in scope may be due to a variety of reasons and are mostly dependent upon the actual activities of the department and how much they deviate from activities noted during the planning phase. The Office of Internal Auditing will make every effort to keep management up to date with regard to changes in scope.

Typically there is an “entrance meeting” prior to the beginning of every audit. This is simply a kick-off meeting to discuss the scope and objectives, timing, availability of personnel, space allocation, etc. A majority of the items may have been discussed previously during the planning phase, however, this is an opportunity to revisit any open items and discuss new ones.

During the audit, it may be necessary for auditors to speak with personnel who perform certain functions. This is an essential part of any audit. The most effective method of understanding and evaluating a process is through direct interaction with personnel performing the function. These interviews provide reasonable assurance that staff members are performing their duties in a manner consistent with the policies and procedures that management provided to them. If not, the interviews provide an excellent opportunity to gain an understanding as to why the duties are not consistent with management's policies and expectations.

In addition to and/or instead of personnel interviews, it is oftentimes advantageous to directly observe processes. This typically involves sitting with personnel and observing them as they perform certain processes. The purpose of this is to ensure a complete understanding of the processes and procedures in place. Additionally, this helps to further define the scope and the nature of items that will be selected for detailed testing.

Auditors may request documentation during any phase of the audit, however, it is very plausible to have many requests occur after the process observation. At this point, the auditor will most likely document his/her understanding of the process utilizing the documentation obtained from real world examples.

Audit testing is mostly performed on a sample basis. For example, it may not be feasible for an auditor to examine all records in a process that contained 1,000 records. However, it may be more feasible to examine a percentage of items. The percentage examined must represent an adequate portion of the population as whole (i.e. significant number of items, a majority of the high dollar items, etc). A sample can be sliced many ways, but the overall objective is to ensure that the sample adequately represents the total population.

Audit testing is mostly performed on a sample basis. For example, it may not be feasible for an auditor to examine all records in a process that contained 1,000 records. However, it may be more feasible to examine a percentage of items. The percentage examined must represent an adequate portion of the population as whole (i.e. significant number of items, a majority of the high dollar items, etc). A sample can be sliced many ways, but the overall objective is to ensure that the sample adequately represents the total population.

No process is perfect. Each audit test performed will most likely yield exception items. However, as is the case with risks, exceptions are not created equal. With the help of management, auditors must determine the significance of exception items. For example, an error rate of 2 out of 200 items tested most likely does not pose a significant departmental risk. However, an error rate of 100 out of 200 (50%) may signify a breakdown in internal controls surrounding the specific process. Each exception item must be evaluated separately as well as in combination with other items noted during the audit. The goal is to determine if the department’s objectives are at risk and the extent to which they may be at risk, not necessarily to tally every exception item.

Audit issues are typically the results of tracking, categorizing and analyzing exception items. Issues are items that will be included in a formal audit report. When included in a report, issues are accompanied by recommendations to reduce/mitigate the risk posed by the issue. Additionally, management is responsible for formulating an action plan to address the issues and recommendations. There are usually several options available. Management can always implement an action, not necessarily the recommendations from audit; or management can do nothing and effectively accept the level of risk posed by the issue. In either case, management is required to document the decision. Additionally, if an action is to be implemented, a targeted completion date must be included.

A draft report will be distributed to relevant management personnel involved in the audit shortly after audit conclusion. Distributing the draft to management first in this manner provides the opportunity for both parties to discuss any issues and concerns prior to full distribution. Oftentimes there may be some loose ends that require further clarification and discussion.

The purpose of the exit meeting is to discuss the draft report and any other open items that could possibly hinder the closeout of the audit engagement. Shortly after the exit meeting, the Office of Internal Auditing will forward the updated (if necessary) report to management for response.

The final report is distributed to relevant parties once business unit management has responded to the issues presented. Relevant parties include but are not limited to:

• The President
• The Chief of Staff
• The CEO
• The VP in charge of the unit audited
• The Director of the unit audited

It is the Office Of Internal Auditing’s goal to provide the best service possible to our clients. Therefore, we solicit feedback after each audit engagement. Our audits are performed in an objective manner and we would appreciate objective feedback. We are constantly trying to improve what we do and how we do it.

The Office Of Internal Auditing tracks all open items and performs follow up on issues and recommendations based on the management-determined target completion date. Follow up is performed not only for internal audit issues, but for issues arising from audits performed by other groups. The purpose of the follow up is to determine what action has been taken in regard to the issues presented. In some instances, the issues are resolved with new processes, procedures, etc. In other instances, an extension may be required to implement an action. And occasionally, a department’s function may have change to a point where the initial item is no longer an issue.