Auditing 101
Bill Harrison
Chief Internal Auditor
October 10, 2012
Learning Outcomes
Understand the internal and external audit environment
  Key players
  Purpose and structure of the Office of Audit Services
  Audit process
Understand internal control concepts and standards
Understand practices/procedures to ensure a “clean” audit
Definition of Auditing
An unbiased examination and evaluation of financial information, operational processes, or compliance with laws and regulations in an organization. It can be done internally (by employees of the organization) or externally (by an outside firm).
An IRS examination of a taxpayer's return or other transactions.
Work performed in accordance with standards.
Source: Investopedia.com
What do Auditors Do?
For the most part, audits are conducted by independent public accounting firms, federal, state, and local government auditors, or internal auditors. In addition to financial statement audits, the professional literature describes other types of audits such as attestation engagements and performance audits.
When complete, auditors generally issue a written report with a conclusion that confirms or denies management’s adherence to an existing set of criteria such as generally accepted accounting principles, government laws and regulations, or internal policies and procedures.
Audit Findings
Criteria
Condition
Effect
Cause
Recommendation(s)
Audit Organizations
Government Accountability Office – GAO
Offices of Inspector General – OIG
Vermont State Auditor
Internal Auditors – Office of Audit Services
Financial Statement/A-133 Auditors
Other Independent Auditors
Government Accountability Office
Offices of Inspector General
Tip #1
Understand the environment:
Visit agency and OIG web sites
Read OIG semiannual reports/audit reports at those agencies dealing with colleges and universities: NSF, HHS, DoED, DoD, NASA, USDA
Join a professional society
Attend UVM Audit Committee meetings
Read meeting minutes
Tip #2
Read and understand UVM’s Government Reviews Protocol, an official University Operating Procedure.
Always remember: there are a number of departments on campus to help you deal with external requests for information including Sponsored Project Administration, Audit Services, Compliance Services, and General Counsel.
Office of Audit Services
Organizational Structure
Audit Charter
Audit standards
Audit Selection, Planning, Reporting and Follow-up Processes
UVM Organization Chart
Organization
Chief Internal Auditor
Deputy Internal Auditor
Senior Auditor
Senior Auditor
Senior Auditor
Office/Program Support Senior
Audit Services Home
Audit Charter
The Office of Audit Services is an independent and objective assurance and consulting activity within the University of Vermont (UVM) that provides the Board of Trustees and management with observations, recommendations and advice designed to add value and improve the effectiveness of the University's risk management, control, and governance processes.
Audit Charter, cont…
Provide a comprehensive audit program
Access to all university employees and records
Allocate resources, set frequencies, select subjects, determine scopes of all internal audits
Obtain assistance from UVM personnel
Audit Charter, cont…
Can’t perform any operational duties for UVM
Initiate or approve any accounting transactions outside of the Office of Audit Services
Direct activities of any UVM employees
Audit Standards
The IIA Red Book provides standards for independence and ethical conduct, planning, reporting, and closing audit projects.
How are Audits Selected?
Required audits
Annual risk-based audit plan
Management requests
EthicsPoint Investigations
The Audit Process
Planning and Risk Assessment
Fieldwork
Reporting
Follow-up
The Audit Process
Planning
Communication with management
Initial data request
Planning
A detailed understanding of the organization is developed by reviewing relevant policies, procedures, and records and interviewing or surveying University employees
Follow-up Data Request
The Audit Process
Risk Assessment
We can’t look at everything!
Determines the scope of the audit
The Audit Process
Fieldwork
After finalizing the audit plan and risk assessment, the auditor begins the fieldwork phase. Fieldwork typically consists of testing transactions for conformity with applicable university policies and procedures, and assessing the adequacy of internal controls.
The Audit Process
Reporting
After the fieldwork is completed, the auditor prepares a report. The report generally consists of several sections and includes: the distribution list, background information, summary of results, detailed presentation of results and recommendations, management response, and the objectives, scope, and methodology followed.
Discussion Draft, Final Draft, Final Report
The Audit Process
Audit Follow-up
The purpose of the follow-up is to verify that any agreed-upon corrective actions have been completed. The auditor will interview staff, reperform tests, or review new procedures to perform the verification.
How to Ensure a “Clean” Audit Opinion
COSO Internal Control Framework
Control Activities
COSO Internal Control Framework
Adopted by UVM Board of Trustees
Five Essential Elements
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Control Environment
The control environment sets the tone of an organization. It is the foundation for all other components of internal control. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
Source: Wikipedia
Risk Assessment
Every entity faces a variety of risks from external and internal sources that must be assessed. Risk assessment is a prerequisite for determining how the risks should be managed.
The starting point is business objectives.
Source: Wikipedia
Risk Assessment-Example
Occurrence — the transactions actually took place
Completeness — all transactions that should have been recorded have been recorded
Accuracy — the transactions were recorded at the appropriate amounts
Cutoff — the transactions have been recorded in the correct accounting period
Classification — the transactions have been recorded in the proper accounts
Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out.
They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Source: Wikipedia
Information and Communication
Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business.
In a broader sense, effective communication must ensure information flows down, across and up the organization.
Source: Wikipedia
Monitoring
Internal control systems need to be monitored. This means that there is a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations.
Source: Wikipedia
Control Activities for a “Clean” Audit
Authorization
Preparation
Review and Approval
Segregation of Duties
Delegation of Authority
Recordkeeping
Training
Periodic Monitoring
Authorization
Prior to initiation, transactions should be authorized by a person with budget approval authority, knowledge of institutional policies and procedures, and a clear understanding of the business purpose of the proposed transaction.
Preparation
Assistance in using systems or preparing forms should be provided by business or administrative professionals; however, all payment requests should be signed and dated by the individual who incurred the expense or received the service. All requests should include a detailed description of the business purpose underlying the transaction when it is not readily discernible from the supporting documentation.
Review and Approval
Requests for reimbursement or payment should be reviewed and approved by the requestor’s supervisor. Review and approval of transactions by the supervisor generally provides for adequate segregation of incompatible activities and reinforces employee awareness of a sound control environment.
Separation of Duties
Duties (roles) are assigned to individuals in a manner so that no one individual can control a process from start to finish. Separation of duties provides a system of checks and balances by other individuals. It allows an opportunity for someone to catch an error before a transaction is fully executed and/or before a decision is made based on potentially erroneous data.
In addition, having adequate separation of duties reduces the ‘opportunity’ factor that might encourage an employee to commit fraud or to embezzle.
Delegation of Authority
Authority to approve expense transactions should only be delegated to those who have sufficient authority and responsibility over the initiator of the transactions. The specific delegation of authority should be documented.
Recordkeeping
Sufficient and appropriate records should be created and retained for each transaction to provide evidence of authorization and/or approval, business purpose, adherence to university policy and procedures, and external requirements.
Business purpose should be stated such that someone with no prior knowledge of the transaction could reasonably determine the benefit to the University.
Tip #3
Read and understand our Record Retention policy
Sufficient, appropriate records as required by University policy and external requirements.
For the period required.
COSO Summary
Monitoring
Information and Communication
Control Activities
Risk Assessment
Control Environment
• Authorization
• Preparation
• Review and Approval
• Separation of Duties
• Delegation
• Recordkeeping
Tip #4
UVM promotes ethical values – Our Common Ground, Statement of Commitment and Expectation in the Workplace, Code of Business Conduct.
There is no perfect system
Report questions or issues that may involve violations of our code of business conduct or other policy standards or legal requirements
The Bottom Line
Really just common sense
Become familiar with University policies and any external requirements in your area of responsibility
If you think business practices may be too informal, talk with your unit management or contact us
Report incidents or situations that may involve violations of the University's Code of Business Conduct or other policy standards or legal requirements
If you’re contacted by an external auditor, follow the procedures described in our Government Reviews Protocol
Contacts
Office of Audit Services 6-3086
Bill Harrison 6-0568
John Copoulos 6-3318
Jennifer Sheridan 6-0005
Kyle Sowles 6-2617
Tom Leene 6-3415
Amy Vile 6-3086