How to Survive an Audit (Without Really Trying) University Business Officers March 7, 2006

Step 1

Make sure you know what is happening!

A Broad Overview of Internal Audit Services

It’s not always an Audit

Four Basic Types of Activities

Audits – big projects scheduled in advance, selected for their value to senior management and the Board of Trustees

Fiscal Accountability Reviews – limited projects designed to provide Deans, Directors, and Department Chairs a quick check on policy compliance, and utilization of sound business practices

Analyst Projects – decision support for management

Investigations – a collaborative effort to protect the university’s reputation and resources

Types of “Audits”

Financial – testing of underlying records to verify the reliability and integrity of official financial records

Compliance – evaluates if you are following existing rules, regulations, laws and internal policy and procedure

Operational Audits – look at efficiency and effectiveness, and evaluate whether goals are being met

EDP/IT Auditing – evaluates computer systems and applications

Audit Results are reported to the President, Board of Trustees, and line management. We do a formal follow-up review later.

What To Expect

Opening Conference – a chance for us to meet

Preliminary Survey – To learn about you and your processes – Interviews, collecting forms, reports, & internal policy

Field work – Interviews, testing internal controls, analysis of financial and other records

Report – Drafted, reviewed, discussed, revised and issued – includes your responses

Follow-up – 5-6 months later we come back to see what you’ve done

Fiscal Accountability Review

Developed as an informational tool for the Deans, as executive officers for the various colleges, and Departmental Chairs who are responsible for their individual departments

It is intended to aid management in assessing their strengths and identifying opportunities for administrative improvement

No in-depth test work and no follow-up review

Reported to the President and Board of Trustees

Analyst Projects

Requested by management

Narrow focus on the topic of the request

We may function as consultants, researchers, trainers, or in various other roles depending on the request

The results are always reported to line management, and may be reported to senior management and the Board of Trustees if they touch on an issue with Institutional implications

Investigations

Conducted to determine the facts about an allegation

May start with a “Hot Line” complaint, or as a request from senior management, the Office of General Counsel, Risk Management, the Department of Public Safety, or the Office of Equal Opportunity

We try to protect the university’s assets and public reputation by confirming the extent of a problem and identifying possible solutions

In some cases the focus is on identifying and recovering resources that have been misused or stolen

Step 2

Fix the easy things now, before we get to your office

The “Top Ten”

The Most Common Issues Identified in Audits

TEN

University Assets Should Be Safeguarded

FOR INSTANCE

Current Lists of insurable or pilferable assets

Current Software Records – lists or license files

No slush funds

Petty Cash and Change funds accounted for

Personal Long Distance Call Reimbursement Process

Records of University tools, equipment, keys, Id

NINE

Payroll Records Should Be Accurate and Complete

FOR INSTANCE

Faculty Time Must Be Tracked By the Department

Sick Leave, Annual, Consulting

PAR Certification Must Be Accurate and Should Be Signed By The Actual Employee

Employees Should Enter and Approve Time In Kronos

Supervisors Should Approve Their Employees’ Time

Payroll Reporters Should Not Change Records Without Employee and Supervisor Written Approval

EIGHT

Generally Accepted Business Practices Should Be Followed

FOR INSTANCE

Revenues Should Be Reconciled to Supporting Documentation

Credit Card systems should be settled daily.

Deposits Should Be Made Within 3 Days

Expenditures Should Be Reconciled To Supporting Documentation

Pre-numbered receipt or cash registers

SEVEN

Expenditures Should Comply With University Policy

FOR INSTANCE

Original receipts and other documentation are required for all expenditures of university funds

Some expenditures such as travel, entertainment, and flowers require specific additional documentation

Travel requires additional approvals

Entertainment typically involves someone who is not a university employee

Competitive Bids

Reimbursements must be approved by higher authority

SIX

Health and Safety Should Be Protected

FOR INSTANCE

There should be posted evacuation plans

Employees who drive on University business must have completed Defensive Driving

Chemicals, Biological and Radioactive substances must be stored and disposed of correctly

Hallways, stairs, doorways must be negotiable

FIVE

Side Systems Should Be Reconciled to PeopleSoft

FOR INSTANCE

Reconciliation should be completed at least once a month

Separate Applications such as Accounts Receivable, Point of Sale Systems

Excel spreadsheets used to track departmental activity

Home grown databases – Access etc

FOUR

Duties Should Be Segregated

FOR INSTANCE

Two Pairs of Eyes on Every Transaction

Custody – Receiving

Record Keeping

Reconciliation

Authorization – Ordering, Disposal, Adjustments

THREE

Deficits Should Be Quickly Identified and Resolved

FOR INSTANCE

On CIS Management Balance Sheet Report

Activity – Fund Balance Should Show Negative and Claim on Cash Balance Should Show Positive

Activity – Funds Available Report Should Have a Smiley Face

Projects – The Bottom Line on the Summary of Rev/Exp Report in the Budget Less Rev/Exp Column Should Be Positive

TWO

Critical or Sensitive Data and Systems Should Be Secure

FOR INSTANCE

Passwords should be unique and not shared

Virus protection should be active and updated

Backups completed and stored off site with tested restoration and recovery plans

Critical data should be identified

Storage of Sensitive data should be reviewed by ISO – generally there is no need to have it on PCs

Encryption should be considered – especially for laptops

Equipment should be secured

ONE

Management Must Assume Responsibility For Oversight

BECAUSE

The buck stops there

You can delegate work – you can’t delegate responsibility

It’s Not the AA’s Job

FOR INSTANCE

The PI or Account Executive

should understand the Management and Payroll Reports

should review and approve with signature and date the Management and Payroll Reports

should ensure there are appropriate contracts and agreements to protect the department and University – employment agreements, vendor contracts, and research grants/contracts

should ensure those contracts or agreements are monitored

Step 3

Uh Oh! Major Problem

Fraud?

An Investigation Can’t be Avoided

Problems grow over time

You can be part of the solution by ensuring that the Right People know about the problem as soon as possible

Do not try to investigate yourself – that can lead to other problems – get the ‘experts’ involved.

While investigations are never easy, the outcome is always better for you and the university if the problem is resolved while it is still small and manageable

Things that need to be investigated

Theft or misuse of university resources, including:

Conflicts of interest

Violations of contract and grant requirements

Misuse of donated funds

Violations of university policies and procedures

Waste and abuse of authority

Theft – inappropriate use or taking of University assets

Involve the Right People

When you suspect that someone in your department is doing something wrong you should contact the appropriate university officers and officials.

Your supervisor and/or on up the line if needed

The University Hotline – online at www.ethicspoint.com or by phone at (888) 206-6025 (This is an outside group and you don’t have to identify yourself)

The Office of General Counsel

The Department of Public Safety

Human Resources

Risk Management

It Protects You!

Failing to report a crime is also a crime

Whistleblowers are protected under Utah law, and University policy

Your department cannot recover lost income and property without an investigation

Reporting stops the loss and sends a message that the behavior is unacceptable

Why Didn’t I Mention Internal Audit?

Call us by all means.

Even if you are not sure there is a problem, we can offer advice and help sort out the issues

We are the starting point for determining who will handle hot line complaints received through Ethics Point and we work closely with the other groups on campus

If we aren’t the best group to do the investigation – we will contact the right group or let you know who to contact

Chuck Piele – 581-6561

Pam Mollner – 585-3529

Margie Goodrich – 587-7732