internal audit - university of oklahoma · the type and manner of evidence used to prove compliance...

Internal Audit “Partnering with Management” PACFAM Meeting November 15, 2012 Updated February 2015

Post on 23-Jun-2020

Page 1: Internal Audit - University of Oklahoma · The type and manner of evidence used to prove compliance with the policy is determined by the department. The evidence may be in hard-copy

Internal Audit “Partnering with Management”

PACFAM Meeting

November 15, 2012

Updated February 2015

Internal Audit Charter

• Included in the University of Oklahoma Board of Regents’ Policy Manual.

• Required by State Law

• Internal Audit is authorized by the Board of Regents and the President to have full, free, and unrestricted access to all university functions, records, property and personnel.

What is Internal Auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Source: The Institute of Internal Auditors

What do we do?

Internal Audit Assesses:

• Adequacy of policy, procedures and internal controls.

• Compliance with laws, rules, regulations and organizational guidelines.

• Organizational efficiency.

• Accuracy and reliability of accounting records.

Internal Audit Responsibility

• OU Norman Campus

• OU Health Sciences Center Campus

• OU Tulsa Campus

• Cameron University (Lawton)

• Rogers State University (Claremore)

• Any off-site location or function of the above entities

Organizational Chart - 2015

OU INTERNAL AUDIT

University of Oklahoma Board of Regents

David L. Boren, OU President

Clive Mander, FCA

Chief Audit Executive

Suzie Brewer

Administrative Asst.

OU HSC

OU Norman

OU Tulsa

Rogers State University

Cameron University

Special Investigations and Quality Assurance Improvement Program

IT - all campuses

OU Norman

Carolyn Clink, CIA CFE, Audit Director

Cindy Hall

Tim Marley, CPA CISA, IT Audit Director

Amanda Dicken, Audit Manager

Robin Irvin, CIA, Audit Manager

Sandra Ashford, Audit Manager

David Skrdla, CISA

IT Audit Manager

Andy Thung, CISA, IT Auditor

IT Auditor

Senior Auditor

Robert Green

Auditor

Ke'Yonna Wynn

Auditor

Kale Thaxton, Auditor

Bennett Pickar

Auditor

Auditor

Senior Auditor

Alexandra Gerea

Auditor

Chandriga Suppiah

Jeremy Lynch

Catherine McDaniel

Student Interns

Samuel Perez

Sarah Petrocchi

Erin Carroll

Kayli Warmker

Jackson Stone

Hannah LeConte

Code of Ethics

The Principles/Rules of Conduct We Adhere to:

• Integrity

• Objectivity

• Confidentiality

• Competency

Source: The Institute of Internal Auditors

Institute of Internal Auditors Standard

IIA Standard 1220.A1 states, “Internal auditors must exercise due professional care by considering the:

• Extent of work needed to achieve the engagement's objectives;

• Relative complexity, materiality, or significance of matters to which assurance procedures are applied;

• Adequacy and effectiveness of governance, risk management, and control processes;

• Probability of significant errors, fraud, or noncompliance; and

• Cost of assurance in relation to potential benefits.”

The Audit Selection Process

Risk Analysis vs. Rotational Schedule

The Institute of Internal Auditors requires risk analysis rather than a rotational schedule for annual audit plans.

• The Internal Audit Department lists all auditable entities and functions and compiles them into an ‘audit universe.’

• A risk analysis is used to determine which audits to perform on an annual basis.

Risk Analysis Criteria

• Prior audit findings

• Perceived sensitivity

• Control environment

• Confidence in operating management

• Changes in people or systems

• Complexity

• Time since last audit

Types of Audits Performed

College and Departments, Clinics, Functional Units, Athletics, Information Technology/Systems, Special Reviews, Special Investigations, Centers and Institutes, Sponsored Programs

Financial, Operational, Compliance

Audit Process, Step-by-Step

1. Engagement letter

2. Preliminary request for information

3. Risk analysis and audit program development

4. Entrance conference

Planning, Fieldwork, Reporting, Post Audit Review

1. Exit conference

2. Draft audit report

3. Final audit report, with management responses and scheduled completion dates

Internal Audit Help Line

As part of our service to the University, we encourage any employee to contact us with questions relating to internal controls or to discuss any issue relating to risks and exposures in their area of responsibility.

Call (405) 325-3411 (Ask for an Audit Manager)

or

Email us at: [email protected]

Further Information

• Visit our website at www.ou.edu/audit

• Main Office Norman Campus

1816 West Lindsey Street

Phone number: 405-325-3411

• Satellite Office OUHSC Campus

Service Center Building Room 239

Phone number: 405-271-2532

Disbursements:

University Accounts:

• Personal reimbursements and travel claims not approved by someone of institutional authority

• Not aware of change in mobile phone/device policy

Foundation:

• Personal reimbursements and travel claims not approved by someone of institutional authority

• Retention of departmental records to support Foundation activity

DISBURSEMENTS

• Does the account sponsor approve your disbursements and travel claims? Does an individual with greater institutional authority approve the department head’s travel?

• Are disbursements business-related and in compliance with University policy?

• Are invoices paid within 45 days as required by state legislation?

• Are purchases over $5,000 processed through a PO? Do you process all contractual products or services through the Purchasing Department? If not, do you have an authority to contract?

• Are accounting duties of ordering, receiving, and reconciling properly segregated to ensure that no one individual controls the process from beginning to end?

Resources:

• State Travel Reimbursement Act (STRA), 74 O.S., Section 500.1, et seq.

• University Travel Procedures:

http://www.ou.edu/controller/fss/procedures/travel.html

• OU Purchasing Department

http://www.ou.edu/purchasing/policies/index.html

• OU Regents’ Policy Manual

http://www.ou.edu/regents/official_agenda/2004PolicyManual.pdf

Pcard:

• Allowing Pcard to be used by someone other than the card holder, including access to the Pcard number for online purchases

• Purchasing items not permissible per the Pcard Policy

• Approval by account sponsor not evident

PCARD

• Did Pcard holders and Pcard administrators attend training?

• Is use of the Pcard limited to the card holder?

• Are students, including graduate students, prohibited from using the Pcard?

• Do you retain your Pcard receipts?

• Does the account sponsor review the purchase receipts when approving the transactions?

Resources:

• Pcard Policy

http://www.ou.edu/purchasing/home/pcard/pcard_policy.htm

• General Records Disposition Schedule for State Universities and Colleges

http://www.odl.state.ok.us/oar/docs/ucgrds-schedule.pdf

Payroll:

Hourly Employees:

• Overtime hours incorrectly moved to other pay periods

• Timesheets not approved by employee and/or supervisor

• Payroll documentation not available (missing Time Sheets)

Monthly Employees:

• Leave certifications not approved by employee and/or supervisor

• Leave certifications not available

PAYROLL

• Hourly: Do employees sign their timecards/time sheets? Do their supervisors sign the timecards/time sheets?

• Monthly: Do monthly personnel track their paid leave? Does the employee sign documentation stating the amount of paid leave taken on a monthly basis? Do their supervisors approve and sign the documentation?

• Supplemental Pay: Does the department maintain supplemental pay records? Does the account sponsor approve the supplemental pay?

• Are HR PeopleSoft account passwords kept confidential?

• Is all access to computer systems cancelled for employees that transfer from your department or for employees that no longer work for the University?

Resources:

• Human Resources Guide to Services:

http://hr.ou.edu/payandrecords/

Supplemental Pay:

• Insufficient support for supplemental pay

• Approval by appropriate supervisor with institutional authority not evident

Supplemental Pay:

• Does the department maintain supplemental pay records?

• Does the account sponsor approve the supplemental pay?

• Approval by appropriate supervisor with institutional authority?

Resources:

• Human Resources Guide to Services:

http://hr.ou.edu/payandrecords/

Records Retention/Proper Documentation:

• Records have not been retained in compliance with the General Records Disposition Schedules for State Universities and Colleges

• Documentation is not available for review during the audit

RECORDS RETENTION

• Are you retaining all records in compliance with the University Records Retention Policy?

• Do you receive proper authorization from the Records Retention Coordinator prior to disposing of records?

Resources:

• General Records Disposition Schedule for State Universities and Colleges

http://www.odl.state.ok.us/oar/docs/ucgrds-schedule.pdf

• Records Retention Quick Reference

http://www.ou.edu/content/dam/AdminFinance/documents/Quick_Reference_to_Common_University_Records_December_2010.pdf

• Records Retention Policy for University of Oklahoma, Norman Campus

http://www.ou.edu/content/dam/AdminFinance/documents/Records_Retention_Policy_intro_Dec_2010.pdf

07/06/12 e-mail from Byron Burr Millsap, CPA MBA, Associate Vice President, Administration & Finance (Purchasing):

“…Here is the actual guidance from the document, “Financial Statement Reconciliation Training Materials,” which can be found at http://www.ou.edu/controller/fss/psnews.htm :

– Statements should be reconciled on a monthly basis. Reconciliation involves the review of the individual transactions appearing on the statement to determine that all transactions are valid and appropriate.

– Identified discrepancies between the departmental information and the information shown on reports should be resolved. Resolution involves contacting the originating department regarding needed corrections, as well as following up to ensure that corrections are completed.

– The statement reconciliation must be formalized with the signature of the preparer and the reviewer, with the corresponding dates.

The type and manner of evidence used to prove compliance with the policy is determined by the department. The evidence may be in hard-copy form, in image form, or in any form that adequately demonstrates this proof.

Terri Pinkston and Burr Millsap of the implementation team met with Internal Audit on June 29. Clive Mander, Director of Internal Audit, confirmed that it is not Internal Audit’s charge or place to make policy but rather to audit against it. Accordingly, when performing its work, Internal Audit seeks to understand the departmental process and observe the related evidence in whatever form it may be to satisfy itself that the department is complying with policy.”

Data Security/Other:

Credit Card Data - PCI Compliance

Social Security Numbers

Student Information – FERPA

EIT Multimedia Accessibility Policy

House Bill 1086

Independent Contractors

Contracts:

• Authority to Sign Contractual Documents granted by the President of the University not evident at time binding agreement fully executed

• Documents include, but are not limited to: Purchase orders, Grants, Contracts, Sub-contracts, Licenses, Leases, Funding documents, Applications, Extensions and renewals, letters and/or memoranda of understanding, Sales orders, Assurances, Work orders, and the like

• Contracts not fully executed

Contracts:

• Have the agreements been fully executed by someone of proper authority?

• Has the department established a system to ensure compliance with the terms of the agreement?

• For revenue agreements, does the department receive proper documentation to monitor compliance with the terms of the agreement?

Resources:

• Regents Policy, 4.10 - Authority to Sign Contractual Documents

http://www.ou.edu/regents/official_agenda/CurrentPolicyManual.pdf

Cash Receipts:

• Cash handling not properly segregated

• Cash receipts not logged as received

• Checks not endorsed immediately upon receipt

• Custody of funds not documented

• Cash receipts not secure prior to deposit

• Spending funds prior to deposit

• Cash receipt documentation not available

Cash Receipts:

• Are the duties of receiving and depositing segregated from account reconciliations?

• Are cash receipts logged when received?

• Are checks endorsed upon receipt?

• Who has custody of or access to the cash?

• Are cash/checks deposited timely and intact?

• Is reconciliation performed to the original documentation?

Resources:

• University Policy for Deposits and Cash Handling (Bursar)

https://www.ou.edu/content/bursar/services/departments/university_policies.html

• Oklahoma State Statute, Title 62, O.S. Supp. 986, 7.1 & 7.2

http://www.ou.edu/content/bursar/services/departments/statuatory_reference.html

Change Funds:

• Surprise counts not performed

• Surprise counts performed but not documented

• Discrepancies not reported to supervisory personnel

Change Funds:

• Are change funds kept secure with limited access?

• Are change funds reconciled to sales and deposits?

• Are discrepancies documented and reported to supervisory personnel?

• Are monthly unannounced surprise counts performed by a supervisor?

Resources:

• University Policy for Change Funds (Financial Services):

http://www.ou.edu/controller/fss/policies/cash.pdf

Accounts Receivable:

• Proper segregation of duties between deposit processing, accounts receivable processing and record maintenance has not been established

• Aged accounts receivable not generated and monitored

• Procedures not in place for follow-up and collection of delinquent accounts

• Account adjustments not properly authorized and approved

Accounts Receivable:

• Who maintains accounts receivable records? Are they involved in any cash receipts functions?

• Who is responsible for reconciling the accounts receivable?

• Are aged accounts reviewed periodically? If so, who reviews them and how often are they reviewed?

• Are there adequate procedures for follow-up and collection of delinquent accounts?

• Are account adjustments properly authorized and approved?

Resources:

• University Policy, Responsibilities of an Account Sponsor, Separation of Duties (Financial Services):

http://www.ou.edu/controller/fss/policies/depts.pdf

Account Reconciliations:

• Not performed on all accounts

• Not performed on a monthly basis

• Account reconciliation not documented

• Reconciliation approval not documented

Account Reconciliations:

• Who is responsible for reconciling the statement of account? Is there a proper segregation of duties between disbursements and/or cash handling and account reconciliations?

• Does the preparer sign and date the reconciliation?

• Are reconciliations performed in a timely, consistent and complete manner?

• Does the account sponsor review, sign and date the monthly reconciliation?

Resources:

• University Policy, Responsibilities of an Account Sponsor, Account Reconciliation (Financial Services):

http://www.ou.edu/controller/fss/policies/depts.pdf

• Financial Statement Reconciliation Training Materials (FS)

http://www.ou.edu/controller/fss/psnews.htm

Thank you

Q & A