internal audit - university of oklahoma...4 internal audit charter •included in the university of...

Internal Audit OUHSC New Manager’s Training Updated February, 2015


Page 1: Internal Audit - University of Oklahoma...4 Internal Audit Charter •Included in the University of Oklahoma Board of Regents’ Policy Manual. •Required by State Law •We are Authorized

Internal Audit OUHSC New Manager’s Training

Updated February, 2015

Presentation Objectives

• To Describe the Role of Internal Audit at the University of Oklahoma.
• To Define Fraud and to Inform Employees of their Responsibility to Report Fraud to Internal Audit.
• To Explain the Audit Process and How to Work Effectively with Internal Audit.
• To Convey the Concept of Internal Controls.

Internal Audit Department Overview

Internal Audit Charter

• Included in the University of Oklahoma Board of Regents’ Policy Manual.
• Required by State Law
• We are Authorized by the Board of Regents and the President to have full, free, and unrestricted access to all University functions, records, property and personnel.

What is Internal Auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Source: The Institute of Internal Auditors

What do we do?

Internal Audit Assesses:

• Adequacy of policy, procedures and internal controls.
• Compliance with laws, rules, regulations and organizational guidelines.
• Organizational efficiency.
• Accuracy and reliability of accounting records.

Internal Audit Responsibility

• OU Norman Campus
• OU Health Sciences Center Campus
• OU Tulsa Campus
• Cameron University (Lawton)
• Rogers State University (Claremore)
• Any off-site location or function of the above entities

[Figure: OU Internal Audit Organizational Chart - 2015, showing the University of Oklahoma Board of Regents, the OU President (David L. Boren), the Chief Audit Executive, and the department's directors, managers, auditors, IT auditors, administrative assistant and student interns.]

OU Internal Audit Profile

Professional Certifications Held Within the Department

Accounting/Auditing

• Fellow Chartered Accountant
• Chartered Tax Advisor
• Certified Public Accountants
• Certified Internal Auditors

Information Systems/Information Technology

• Certified Information Systems Auditors
• Certified Information Systems Security Professional
• Certified Information Security Manager
• GIAC Systems and Network Auditor
• Certified Information Privacy Professional
• Payment Card Industry (PCI) Security Standards Council Internal Security Assessor

OU Internal Audit Profile - Continued

Professional Memberships/Affiliations

• Association of College and University Auditors
• Institute of Internal Auditors
• Association of Healthcare Internal Auditors
• Oklahoma Society of Certified Public Accountants
• Information Systems Audit and Control Association

Professional Experience

• Public Accounting (Various Clients/Public and Private)
• Private Business/Industry
• Government
• Healthcare
• Retail

Code of Ethics

The Principles/Rules of Conduct We Adhere to:

• Integrity
• Objectivity
• Confidentiality
• Competency

Source: The Institute of Internal Auditors

Fraud Awareness

Institute of Internal Auditors Standard

IIA Standard 1220.A1 states, “Internal auditors must exercise due professional care by considering the:

• Extent of work needed to achieve the engagement's objectives;
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
• Adequacy and effectiveness of governance, risk management, and control processes;
• Probability of significant errors, fraud, or noncompliance; and
• Cost of assurance in relation to potential benefits.”

What is fraud?

• Fraud is the intentional misrepresentation or concealment of a material fact that results in financial or other damages to another party.

Fraud or Error?

Intent: Unintentional / Intentional

Fraud is Deliberate.

Fraud is Not an Accident.

Reporting Fraud

• As stated in the Regents’ Policy Manual, all University employees have a duty to report instances of suspected fraud to Internal Audit.
• If you become aware of issues of potential fraud or related misconduct, please contact Internal Audit and speak directly with the Director of Internal Audit.

Important Number/Email

405-325-3411

[email protected]

Reporting Fraud - Your Importance

Source: The Association of Fraud Examiners, Inc. 2010 Report to the Nations

Conclusion: You can make a difference!

Characteristics of Fraud Perpetrators

Source: The Association of Fraud Examiners, Inc. 2010 Report to the Nations

Internal Control Fundamentals

What is an Internal Control?

COSO defines internal control as, “a process, effected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.”

Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

What is an Internal Control?

• An internal control is a process. It is a means to an end, not an end in itself.
• An internal control is not merely documented by policy manuals and forms. Rather, it is put in by people at every level of an organization.
• An internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
• An internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Internal Controls - Roles and Responsibilities

Everybody in the organization has responsibility for internal controls.

– Board of Regents
– President
– Vice-Presidents
– Deans
– Department Chairs
– Business Administrators
– Clinic Managers
– Accountants
– Administrative Personnel
– Other Personnel/Staff

Internal Controls - Roles and Responsibilities

Internal controls are not Internal Audit’s responsibility.

• We do not make policy.
• We do not implement procedures.
• We are not responsible for the design, implementation, and reliability of internal controls.
• Internal Audit evaluates internal controls and the related components.
• Internal Audit provides an objective assessment of internal controls to determine if the controls in place are functioning in an appropriate manner and to determine if internal controls provide a reasonable assurance regarding the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.

Internal Controls - Roles and Responsibilities

Internal controls cannot ensure success alone. The following can still create problems:

– Poor Decisions
– Management Oversight
– Unethical Behavior
– Fraud
– Errors
– Undisclosed Conflicts of Interest
– Omissions
– Collusion
– Override of Controls
– Not Following Established Policies and Procedures
– Lack of Internal Policies and Procedures
– Unclear Roles and Responsibilities

Internal Control Elements – The COSO Model

• Monitoring
• Control Activities
• Risk Assessment
• Information and Communication
• Control Environment

Source: COSO

Control Environment

• Have clearly defined roles and responsibility.
• Competence of personnel.
• Delegate responsibility for tasks but do not delegate accountability.
• Management philosophy and operating style.
• Avoid a “by any means necessary” approach.

Segregation of Duties

• Authorization
• Custody
• Recording

One person should not control an entire process from beginning to end.

Cash Receipts

• Are cash receipts logged when received?
• Are checks endorsed upon receipt?
• Who has custody of or access to the cash?
• Are all of the cash/checks received properly deposited?
• Is the cash deposited timely?
• Change or petty cash fund? Periodic surprise cash counts?
• Are the duties of receiving and depositing segregated from account reconciliations?
• Is the person reconciling using all documents?

Disbursements

• Who prepares and who authorizes the voucher?
• Who signs the invoices for payment?
• What is the business purpose?
• Are bills pre-paid or paid after-the-fact?
• Are bills paid within 45 days?
• Are goods properly maintained after they are received (are they periodically inventoried, etc.)?
• Are payments to employees approved by someone higher in institutional authority?
• Have purchases over $5,000 been approved by purchasing?

Procurement Card

• Is the cardholder the only user of the card?
• Are receipts properly maintained?
• Is a proper supervisor approving the purchases?
• Business purpose?
• Does the department have any approved exceptions to the PCard policy?
• Reconciliation?

Payroll

• Do all hourly employees complete a time card?
• Do all monthly employees complete a paid leave form?
• Are time cards and paid leave forms signed by both the employees and their supervisors?
• Do the time cards and paid leave forms agree to the data in the payroll system?
• Who enters and approves the payroll system data?
• Do you verify paid leave balances?
• Overtime?
• Compensatory time?
• Payroll reconciliations?
• Termination Checklist?

Record Retention

• Do you know the record retention policies and procedures?
• Do you request authorization from the Record Retention Officer prior to destroying any document?

Reconciliations

• Segregation of duties?
• Is the person performing the reconciliations signing and dating?
• Is the account sponsor signing and dating the recs?
• Do you use all the supporting documentation?
• Is the account sponsor seeing all the originals?

The Audit Process and How to Work with Internal Audit

The Audit Selection Process: Risk Analysis vs. Rotational Schedule

The Institute of Internal Auditors requires risk analysis rather than a rotational schedule for annual audit plans.

• The Internal Audit Department lists all auditable entities and functions and compiles them into an ‘audit universe.’
• A risk analysis is used to determine which audits to perform on an annual basis.

Risk Analysis Criteria

• Prior audit findings
• Perceived sensitivity
• Control environment
• Confidence in operating management
• Changes in people or systems
• Complexity
• Time since last audit

Types of Audits Performed

College and Departments, Clinics, Functional Units, Athletics, Information Technology/Systems, Special Reviews, Special Investigations, Centers and Institutes, Sponsored Programs.

Financial, Operational, Compliance

Audit Process, Step-by-Step

1. Engagement letter
2. Preliminary request for information
3. Audit planning and audit program development
4. Entrance conference

Planning, Fieldwork, Reporting, Post Audit Review

1. Exit conference
2. Draft audit report
3. Final audit report, with management responses and scheduled completion dates

Phase 1 – Audit Planning

Challenges

• Inefficiency and Disruption to Operations
• Miscommunication
• Incomplete Information
• Confusion about the Audit’s Purpose

Suggested Actions

• Designate an Audit Liaison
• Educate the Auditors and Yourself
• Disclose Known Issues and Concerns Ahead of Time
• Ask Questions

Phase 2 – Fieldwork: Assess Design of Internal Controls

Challenges

• Misunderstanding Your Processes and Controls
• Important Details Omitted

Suggested Actions

• Illustrate/Process Flow Charts
• Describe Actual Activities
• Written policies and procedures
• Include Front Line Personnel

Phase 2 – Fieldwork - Continued: Test Transactions and Analyze Results

Challenges

• Inadequate Documentation
• Unexecuted Documentation
• Missing Documentation

Suggested Actions

• Organize and Schedule Regular Check-ins
• Explore Alternatives

Phase 3 – Reporting

Challenges

• Surprise Findings
• Unrealistic Recommendations

Suggested Actions

• Open Communication
• Informal Fieldwork Closing Meeting/Debriefing
• Review the Draft Report and React Timely
• Urge Practicality

Phase 4 – Post Audit Review

Challenges

• Follow-up Timeline not Realistic
• Changes in Personnel
• Recommendations not Understood

Suggested Actions

• Develop a Plan of Action to Address Concerns
• Assign Responsibility/Accountability
• Perform a Self-Review

How to Work with Internal Audit

• We do not audit people; we audit processes.
• Your proactive attention and engagement can go a long way toward making an audit more useful for you and your department.

Internal Audit Help Line

As part of our service to the University, we encourage any employee to contact us with questions relating to internal controls or to discuss any issue relating to risks and exposures in their area of responsibility.

Call (405) 325-3411 or (405) 271-2532 (Ask for an audit manager)

or

Email us at: [email protected]

Further Information

• Visit our website at www.ou.edu/audit

• Main Office Norman Campus
1816 West Lindsey Street
Phone number: 405-325-3411

• Satellite Office OUHSC Campus
Service Center Building Room 239
Phone number: 405-271-2532