FAQs

WHAT IS THE FUNCTION OF THE INTERNAL AUDIT DEPARTMENT?

Internal Audit performs a monitoring function and helps to manage risks, including: financial, operating, and other business risks, by evaluating the effectiveness of accounting and administrative controls, as well as the efficiency of systems and processes. Internal Audit reviews can help you determine whether there are appropriate internal controls over your business processes and/or systems, and we can show you ways to improve the efficiency and effectiveness of your administrative processes.
The Internal Audit staff does this by conducting independent and objective reviews of your department's operations and procedures. Internal Audit is therefore a managerial control, and our goal is to assist you in the effective discharge of your responsibilities by furnishing you with analysis, appraisals, recommendations, and pertinent comments concerning the activities that we review. The attainment of this goal involves:

Evaluating the soundness and adequacy of the internal control structure.
Assessing compliance with policies, plans, procedures, laws, and regulations.
Verifying the existence of assets and ensuring that they are properly accounted for and safeguarded from losses of all kinds.
Conducting special examinations and reviews requested by management including investigating reported occurrences of fraud, embezzlement, theft, waste, etc., and recommending controls to prevent or detect such occurrences.
Evaluating the economy and efficiency with which resources are employed, and recommending improvements in operations.
Evaluating the reliability and integrity of management data by reviewing general controls and computer security procedures over data processing.
Determining the extent to which established objectives and goals for operations or programs are being accomplished.

AUTHORITY

The Internal Audit Department staff is authorized by the President to conduct a comprehensive program of internal auditing. The Internal Audit Department is further authorized to have unrestricted access to University functions, records, properties and personnel in order to conduct reviews thoroughly and effectively.

WHAT ARE INTERNAL CONTROLS? AND WHY SHOULD I, AS A MEMBER OF THE QU COMMUNITY, CARE ABOUT CONTROLS?

Controls Are Simply Good Business Practices. Among other things, controls can provide reasonable assurance that:

Management data is reliable;
Assets are accounted for and are safeguarded from losses;
Operating practices are sound and help ensure compliance with policies, laws and regulations;
Resources are used efficiently.

Controls can be informal; for example, backing up important research or financial information on your computer, locking records in a file drawer, or using passwords to limit access to computerized information.

3 TYPES OF CONTROLS - Preventive, Detective, and Corrective

Controls can be designed for various functions. Some controls can be installed to prevent undesirable outcomes before they happen (preventive controls). Others controls can be installed to identify the undesirable outcomes when they do happen (detective controls). Still other controls can be installed to make sure that corrective action is taken to reverse undesirable outcomes or to see that they do not recur (corrective controls). All of these types of controls, in concert, function to ensure that some department/university objective or goal will be met.

Preventive Controls are more cost-effective than detective controls and are designed to discourage errors and irregularities from occurring. When built into a process, preventive controls forestall errors and thereby avoid the cost of correction.

Examples of preventive controls include: trustworthy, competent staff; segregation of duties to prevent intentional wrongdoing; proper authorization to prevent improper use of university resources; adequate documentation and records as well as proper record-keeping procedures to deter improper transactions; and physical control over cash, equipment and other assets to prevent their improper conversion or use.

Detective Controls are usually more expensive than preventive controls, but are also essential, and are designed to find errors or irregularities after they have occurred. Detective controls measure the effectiveness of preventive controls. Also, some errors cannot be effectively controlled through a system of prevention; they must be detected when they occur.

Examples include reviewing procurement card statements and phone charges for appropriateness, allowability, and/or proper allocation. Detective controls also include such control devices as bank reconciliations, independent checks on performance, confirmation of bank balances, cash counts, and systems of review like internal auditing.

Corrective controls come into play when improper outcomes occur and are detected. All the detective controls in the world are valueless if the identified deficiency remains uncorrected or is permitted to recur. Corrective controls such as documentation and reporting systems keep problems under management surveillance until they have been solved or the defect corrected. Corrective controls thus close the loop that starts with prevention and passes through detection to correction.

A SYSTEM OF CONTROLS REDUCES BUSINESS RISK

The University's exposure to loss is limited when policies and procedures are clearly understood, and reporting mechanisms are reliable. Good control systems should include:

Employees with the appropriate education and training for the duties assigned
Individual Accountability
Independent Monitoring
Approval & Authorization
Separation of Duties

These control elements safeguard individual departments, and the university as a whole, from loss. Without a sound system of controls, errors and omissions can occur and go undetected. Also, existing controls can be circumvented by an inappropriate concentration of duties.

MANAGEMENT’S ROLE

It is the responsibility of management to maintain an adequate system of controls within their areas of authority. Changes in conditions can cause the effectiveness of a control to deteriorate, or the degree of compliance to change. In response to changes, management must create additional controls, or alter existing controls, to protect against loss.

SO, WHAT ARE INTERNAL CONTROLS?

Internal Controls are:

An integrated system put in place to keep your department on course to achieve its mission.
An integrated system to promote efficiency, reduce risk of asset loss, and help ensure the reliability of financial data.
An integrated system to promote compliance with laws and regulations.

Control Activities include:

Authorizing transactions * Approving transactions * Verifying
Reconciling statements * Segregating duties * Reviewing operating performances
Securing assets * Monitoring Accounts * Analyzing * Comparing
Reporting * Observing * Communicating

WHO IS RESPONSIBLE FOR INTERNAL CONTROLS?

Everyone in your department is responsible for internal controls. While the President is ultimately responsible for maintaining an adequate system of financial and administrative controls at the University, the department head or manager is responsible for internal controls in the department and should take "ownership" of the internal control system. The department head or manager sets the "tone" for the department by influencing the control consciousness of his/her staff and communicating an administrative philosophy that includes integrity, ethical values and competence. Everybody must understand that internal controls must be taken seriously. Also, since all employees produce information that affects the internal control system, they should all be responsible for communicating upward problems in operations, noncompliance with the University policies, or other policy violations or illegal actions.

WHY WAS MY DEPARTMENT SELECTED TO BE AUDITED?

The Internal Audit Department establishes a comprehensive audit plan based on a multi-year cycle. The decision of what audits to include in the annual audit plan is based in part on this long-range plan and, in part, on input from the University administration, departmental managers, external auditors, and the Internal Audit staff. We also make provision for requests to perform special reviews/investigations.

WHY MIGHT I REQUEST AN AUDIT?

An audit can produce many benefits, and timing can be an important factor. If you have recently assumed new or additional supervisory responsibilities, an audit can review administrative procedures to assess whether internal controls in your unit are adequate. It is also beneficial to assess the system controls and modified office procedures when new computer systems are being installed. A periodic "checkup" to review your department's administrative activity can help insure that your procedures continue to comply with University policies. An audit really is an opportunity to receive an independent appraisal of the effectiveness and efficiency of your department's administrative activities. Anyone within the University can request an audit. We are also available for consultation without having to perform an audit. You may wish to coordinate the request with the head of your department, or dean, or Vice President responsible for your area, or submit a request for consultation or an audit directly to the Internal Audit Department. All requests will remain confidential to the extent policies and the laws permit.

WHAT SHOULD I EXPECT WHEN AN AUDIT IS SCHEDULED FOR MY UNIT?

With a few exceptions, you or the senior management of your area will be notified in writing when your department is selected for an audit. This letter will state the objectives to be accomplished in the audit. Subsequently, a representative of the Internal Audit Department will contact you to schedule a meeting to discuss the scope of the audit and the logistics of conducting the audit. At this initial meeting, you should take the opportunity to discuss any concerns or questions you may have about the audit, and to determine how you can facilitate the review process. A typical audit has several stages, including preliminary research, data collection and analysis, review, report writing and distribution, and follow-up.

Get the full picture

HOW LONG WILL THE AUDIT TAKE?

Audits can last from several days to several weeks. The auditor assigned to your unit will give you a reasonable estimate of the time he or she needs to complete the audit.

HOW WILL THE AUDIT FINDINGS BE REPORTED?

You and your staff will be kept apprised of the auditor's findings throughout the course of the audit. At the conclusion of the audit, you will be able to review a draft of the report before the final version is issued. We make every attempt to maintain the confidentiality of our sources and audit information until the report is issued. The final report is a "public" document. Final audit reports are distributed to the President, to whom Internal Audit reports, the Vice President for Administrative Affairs, the Vice President responsible for your area, the Director of Finance, and to you and your management staff, as appropriate.

ARE THERE DIFFERENT TYPES OF AUDITS?

Yes. There are five general categories of internal audit reviews:
FINANCIAL AUDITS address questions of accounting, recording, and reporting of financial transactions. Reviewing the adequacy of internal controls also falls within the scope of financial audits.
COMPLIANCE AUDITS seek to determine if departments are adhering to Federal, State, and University rules, regulations, policies, and procedures.
OPERATIONAL AUDITS examine the use of department/university resources to evaluate whether those resources are being utilized in the most efficient and effective way to fulfill the department's/university's mission and objectives. An operational audit may include elements of a compliance audit, a financial audit, and an information systems audit.
INVESTIGATIVE AUDITS are performed when appropriate. These audits focus on alleged violations of federal and state laws and of University policies and regulations. This may result in prosecution or disciplinary action. Audits precipitated by internal theft, misuse of University assets, and conflicts of interest are examples of investigative audits.
INFORMATION TECHNOLOGY (IT) AUDITS address the internal control environment of automated information processing systems and how these systems are used. IT audits typically evaluate system input, output and processing controls, backup and recovery plans, and system security, as well as computer facility reviews.

PROFESSIONAL STANDARDS

Internal Audit staff members come from a variety of backgrounds. Some have worked for public accounting firms. Others have experience in higher education and all hold, at least, a bachelor's degree in accounting or business administration. All staff members are also encouraged to obtain professional certification or an advanced degree. Therefore, auditors may be Certified Internal Auditors, Certified Public Accountants, or may have a Master of Business Administration degree.

Internal Audit subscribes to auditing standards promulgated by the Institute of Internal Auditors. In order to maintain our proficiency in the latest auditing techniques and to keep abreast with issues affecting Higher Education, we have developed a program for continuing education. We also maintain membership and participate in professional activities of organizations such as:

Association of College and University Auditors (ACUA)
Institute of Internal Auditors (IIA)
Information Systems Audit and Control Association (ISACA)

WHO SHOULD I CONTACT IF I HAVE QUESTIONS OR ISSUES OF AUDIT CONCERN?

Please direct questions to Ms. Munera Al-Sahli, Manager of Compliance, at 4403-3246 .