Indiana University Internal Audit

Policy and Procedure Manual

Revised: March 31, 2000

Department Function - Overview

Audit Process

Audit Assignment

Preliminary Review -General, Rationale

Permanent/Continuing Audit Files

Audit Program

Fieldwork

Audit (Project) Quality Assurance

Reporting and Follow-up

Personnel

Job Descriptions

Performance Evaluation

Training and Professional Development

Department Administration Procedures

Management of Audit Hour Resources

Standard Electronic Tools

Miscellaneous Policies

To Return to Indiana University Home Page

Page maintained by:
Indiana University Internal Audit teradke@indiana.edu
Last update: March 31, 2000

General Rationale

Internal Audit is a central administrative unit of the University with offices located on the Bloomington and Indianapolis campuses. Internal Audit reports operationally to the Vice President for Administration with dotted line representation to the Indiana University Board of Trustees. Internal Audit's coverage and service extends to all IU campuses (except IPFW at Fort Wayne, which is administered by Purdue). Internal Audit is also a control which functions by examining and evaluating the adequacy and effectiveness of other controls throughout the University for administrators, the Board of Trustees, and external auditors. Finally, Internal Audit provides assistance to the University's external auditors in their performance of the annual audits of the University financial statements and A133-Federal Awards, as well as, to assist other state, federal, and public auditors.

Charter

INTRODUCTION

Indiana University supports Internal Audit as an independent appraisal function to examine and evaluate University activities as a service to management and the Board of Trustees. The mission of Internal Audit is to support members of the University in the effective discharge of their responsibilities. To this end, Internal Audit will furnish them with analyses, recommendations, counsel, and information concerning the activities examined.

ORGANIZATION AND BOARD REPORTING

The Internal Audit Director will report to the Vice President for Administration with dotted line reporting to the Finance and Audit Committee of the Board of Trustees. The committee will have final approval of the hiring, firing, and salary changes for the Director.

Annually, the Director will submit to the Board a written report on the internal audit activity during the preceding fiscal year. The Director shall also make an oral report to the Finance and Audit Committee. Immediately following the oral report, the Director shall confer with the committee, outside the presence of University officials, on any subject germane to Internal Audit's area of responsibility.

The Internal Audit Director will make a written report to the Chair of the Finance and Audit Committee whenever there is evidence of defalcations or other problems exceeding $25,000. In addition, if the circumstances ever warrant such action, the Internal Audit Director may circumvent normal University reporting lines and communicate directly with the Chair of the Finance and Audit Committee.

AUTHORIZATION AND RESPONSIBILITIES

Internal Audit has the authority to audit all parts of the University and shall have full and complete access to any of the organization's records, physical properties, and personnel relevant to the performance of an audit. Documents and information given to internal auditors during a periodic review will be handled in the same prudent manner as by those employees normally accountable for them.

Internal Audit will have no direct responsibility or authority for any of the activities or operations they review. They should not develop and install procedures, prepare records, or engage in activities that would normally be reviewed by internal auditors. Furthermore, an internal audit does not in any way relieve other persons in the University of the responsibilities assigned to them.

REPORTING RESPONSIBILITIES

A written report will be prepared and issued by the Internal Audit Director following the conclusion of each audit. Copies of the report will be distributed as appropriate. The manager of the activity or department receiving the report will respond within thirty days and forward a copy of the response to those included on the distribution list. The response will indicate what actions were taken regarding specific report findings and recommendations.

The manager receiving the report is responsible for ensuring that progress is made toward correcting any unsatisfactory conditions. Internal Audit is responsible for determining whether the action taken is adequate to resolve audit findings. If the action is not adequate, Internal Audit will inform University management of the potential risk and exposure in allowing the unsatisfactory conditions to continue.

MISSION OBJECTIVE

Internal Audit's objectives in accomplishing its mission will include the following:

 

Back to the top
STANDARDS AND ETHICS

In all of its activities, Internal Audit will adhere to the Standards for the Professional Practice of Internal Auditing and the Code of Ethics adopted by the Institute of Internal Auditors.

Mission Statement(s)/Objectives/Values

MISSION STATEMENT

(short form)

To provide the University
with an independent appraisal
of it's financial, operational,
and control activities.

MISSION STATEMENT

(long form)

Internal Audit exists to support administration and the Board of Trustees in the effective discharge of their responsibilities. Using our knowledge and professional judgement, we will provide an independent appraisal of the University's financial, operational, and control activities. We will report on the adequacy of internal controls, the accuracy and propriety of transactions, the extent to which assets are accounted for and safeguarded, and the level of compliance with institutional policies and government laws and regulations. Additionally, we will provide analyses, recommendations, counsel, and information concerning the activities reviewed.

OUR OBJECTIVES IN ACCOMPLISHING OUR MISSION INCLUDE THE FOLLOWING:
VALUES

In carrying out our mission, we share certain beliefs and values.

Standards for the Professional Practice of Internal Auditing (IIA)

100 INDEPENDENCE

Internal auditors should be independent of the activities they audit.

110 ORGANIZATIONAL STATUS

The organizational status of the internal auditing department should be sufficient to permit the accomplishment of its audit responsibilities.

    1. The director of the internal auditing department should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations.
    2. The director should have direct communication with the board. Regular communication with the board helps assure independence and provides a means for the board and the director to keep each other informed on matters of mutual interest.
    3. Independence is enhanced when the board concurs in the appointment or removal of the director of the internal auditing department.
    4. The purpose, authority, and responsibility of the internal auditing department should be defined in a formal written document (charter). The director should seek approval of the charter by management as well as acceptance by the board. The charter should (a) establish the department's position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of audits; and (c) define the scope of internal auditing activities.
    5. The director of internal auditing should submit annually to management for approval and to the board for its information a summary of the department's audit work schedule, staffing plan, and financial budget. The director should also submit all significant interim changes for approval and information. Audit work schedules, staffing plans, and financial budgets should inform management and the board of the scope of internal auditing work and of any limitations placed on that scope.
    6. The director of internal auditing should submit activity reports to management and to the board annually or more frequently as necessary. Activity reports should highlight significant audit findings and recommendations and should inform management and the board of any significant deviations from approved audit work schedules, staffing plans, and financial budgets, and the reasons for them.
120 OBJECTIVITY

Internal auditors should be objective in performing audit.

    1. Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided. The director should periodically obtain from the audit staff information concerning potential conflicts of interest and bias.
    2. Internal auditors should report to the director any situations in which a conflict of interest or bias is present or may reasonably be inferred. The director should then reassign such auditors.
    3. Staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so.
    4. Internal auditors should not assume operating responsibilities. But if on occasion management directs internal auditors to perform nonaudit work, it should be understood that they are not functioning as internal auditors. Moreover, objectivity is presumed to be impaired when internal auditors audit any activity for which they had authority or responsibility. This impairment should be considered when reporting audit results.
    5. Persons transferred to or temporarily engaged by the internal auditing department should not be assigned to audit those activities they previously performed until a reasonable period of time has elapsed. Such assignments are presumed to impair objectivity and should be considered when supervising the audit work and reporting audit results.
    6. The results of internal auditing work should be reviewed before the related audit report is released to provide reasonable assurance that the work was performed objectively.
200 PROFESSIONAL PROFICIENCY

Internal audits should be performed with proficiency and due professional care.

210 STAFFING

The internal auditing department should provide assurance that the technical proficiency and educational background of internal auditors are appropriate for the audits to be performed.

220 KNOWLEDGE, SKILLS, AND DISCIPLINES

The internal auditing department should possess or should obtain the knowledge, skills, and disciplines needed to carry out its audit responsibilities.

230 SUPERVISION

The internal auditing department should provide assurance that internal audits are properly supervised.

    1. Providing suitable instructions to subordinates at the outset of the audit and approving the audit program.
    2. Seeing that the approved audit program is carried out unless deviations are both justified and authorized.
    3. Determining that audit working papers adequately support the audit findings, conclusions, and reports.
    4. Making sure that audit reports are accurate, objective, clear, concise, constructive, and timely.
    5. Determining that audit objectives are being met.
240 COMPLIANCE WITH STANDARDS OF CONDUCT

Internal auditors should comply with professional standards of conduct.

250 KNOWLEDGE, SKILLS, AND DISCIPLINES

Internal auditors should possess the knowledge, skills, and disciplines essential to the performance of internal audits.

    1. Proficiency in applying internal auditing standards, procedures, and techniques is required in performing internal audits. Proficiency means the ability to apply knowledge to situations likely to be encountered and to deal with them without extensive recourse to technical research and assistance.
    2. Proficiency in accounting principles and techniques is required of auditors who work extensively with financial records and reports.
    3. An understanding of management principles is required to recognize and evaluate the materiality and significance of deviations from good business practice. An understanding means the ability to apply broad knowledge to situations likely to be encountered, to recognize significant deviations, and to be able to carry out the research necessary to arrive at reasonable solutions.
    4. An appreciation is required of the fundamentals of such subjects as accounting, economics, commercial law, taxation, finance, quantitative methods, and computerized information systems. An appreciation means the ability to recognize the existence of problems or potential problems and to determine the further research to be undertaken or the assistance to be obtained.
260 HUMAN RELATIONS AND COMMUNICATIONS

Internal auditors should be skilled in dealing with people and in communicating effectively.

270 CONTINUING EDUCATION

Internal auditors should maintain their technical competence through continuing education.

280 DUE PROFESSIONAL CARE

Internal Auditors should exercise due professional care in performing internal audits.

    1. The extent of audit work needed to achieve audit objectives
    2. The relative materiality or significance of matters to which audit procedures are applied
    3. The adequacy and effectiveness of internal controls
    4. The cost of auditing in relation to potential benefits
    5. Due professional care includes evaluating established operating standards and determining whether those standards are acceptable and are being met. When such standards are vague, authoritative interpretations should be sought. If internal auditors are required to interpret or select operating standards, they should seek agreement with auditees as to the standards needed to measure operating performance.
300 SCOPE OF WORK

The scope of the internal audit should encompass the examination and evaluation of the adequacy and effectiveness of the organization's system of internal control and the quality of performance in carrying out assigned responsibilities.

    1. The reliability and integrity of information.
    2. Compliance with policies, plans, procedures, laws, and regulations.
    3. The safeguarding of assets.
    4. The economical and efficient use of resources.
    5. The accomplishment of established objectives and goals for operations or programs.
310 RELIABILITY AND INTEGRITY OF INFORMATION

Internal auditors should review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.

    1. Financial and operating records and reports contain accurate, reliable, timely, complete, and useful information.
    2. Controls over record keeping and reporting are adequate and effective.
320 COMPLIANCE WITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONS

Internal auditors should review the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on operations and reports, and should determine whether the organization is in compliance.

330 SAFEGUARDING OF ASSETS

Internal auditors should review the means of safeguarding assets and, as appropriate, verify the existence of such assets.

340 ECONOMICAL AND EFFICIENT USE OF RESOURCES

Internal auditors should appraise the economy and efficiency with which resources are employed.

    1. Operating standards have been established for measuring economy and efficiency.
    2. Established operating standards are understood and are being met.
    3. Deviations from operating standards are identified, analyzed, and communicated to those responsible for corrective action.
    4. Corrective action has been taken.
    1. Underutilized facilities.
    2. Nonproductive work.
    3. Procedures which are not cost justified.
    4. Overstaffing or understaffing.
350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS FOR OPERATIONS OR PROGRAMS

Internal auditors should review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.

400 PERFORMANCE OF AUDIT WORK

Audit work should include planning the audit, examining and evaluating information, communicating results and following up.

410 PLANNING THE AUDIT

Internal auditors should plan each audit.

    1. Establishing audit objectives and scope of work.
    2. Obtaining background information about the activities to be audited.
    3. Determining the resources necessary to perform the audit.
    4. Communicating with all who need to know about the audit.
    5. Performing, as appropriate, an on-site survey to become familiar with the activities and controls to be audited, to identify areas for audit emphasis, and to invite auditee comments and suggestions.
    6. Writing the audit program.
    7. Determining how, when, and to whom audit results will be communicated.
    8. Obtaining approval of the audit work plan.
420 EXAMINING AND EVALUATING INFORMATION

Internal auditors should collect, analyze, interpret, and document information to support audit results.

    1. Information should be collected on all matters related to the audit objectives and scope of work.
    2. Information should be sufficient, competent, relevant, and useful to provide a sound basis for audit findings and recommendations. Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Competent information is reliable and the best attainable through the use of appropriate audit techniques. Relevant information supports audit findings and recommendations and is consistent with the objectives for the audit. Useful information helps the organization meet its goals.
    3. Audit procedures, including the testing and sampling techniques employed, should be selected in advance, where practicable, and expanded or altered if circumstances warrant.
    4. The process of collecting, analyzing, interpreting, and documenting information should be supervised to provide reasonable assurance that the auditor's objectivity is maintained and that audit goals are met.
    5. Working papers that document the audit should be prepared by the auditor and reviewed by management of the internal auditing department. These papers should record the information obtained and the analyses made and should support the bases for the findings and recommendations to be reported.
430 COMMUNICATING RESULTS

Internal auditors should report the results of their audit work.

440 FOLLOWING UP

Internal auditors should follow up to ascertain that appropriate action is taken on reported audit findings.

500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT

The director of internal auditing should properly manage the internal auditing department.

    1. Audit work fulfills the general purposes and responsibilities approved by management and accepted by the board.
    2. Resources of the internal auditing department are efficiently and effectively employed.
    3. Audit work conforms to the Standards for the Professional Practice of Internal Auditing.
510 PURPOSE, AUTHORITY, AND RESPONSIBILITY

The director of internal auditing should have a statement of purpose, authority, and responsibility for the internal auditing department.

520 PLANNING

The director of internal auditing should establish plans to carry out the responsibilities of the internal auditing department.

    1. Goals.
    2. Audit work schedules.
    3. Staffing plans and financial budgets.
    4. Activity reports.
530 POLICIES AND PROCEDURES

The director of internal auditing should provide written policies and procedures to guide the audit staff.

540 PERSONNEL MANAGEMENT AND DEVELOPMENT

The director of internal auditing should establish a program for selecting and developing the human resources of the internal auditing department.

    1. Developing written job descriptions for each level of the audit staff.
    2. Selecting qualified and competent individuals.
    3. Training and providing continuing educational opportunities for each internal auditor.
    4. Appraising each internal auditor's performance at least annually.
    5. Providing counsel to internal auditors on their performance and professional development.
550 EXTERNAL AUDITORS

The director of internal auditing should coordinate internal and external audit efforts.

    1. Periodic meetings to discuss matters of mutual interest.
    2. Access to each other's audit programs and working papers.
    3. Exchange of audit reports and management letters.
    4. Common understanding of audit techniques, methods, and terminology.
560 QUALITY ASSURANCE

The director of internal auditing should establish and maintain a quality assurance program to evaluate the operations of the internal auditing department.

    1. Supervision.
    2. Internal reviews.
    3. External reviews.

Code of Ethics (ACUA/IIA)

STANDARDS OF CONDUCT
  1. Members and CIAs shall exercise honesty, objectivity, and diligence in the performance of their duties and responsibilities.
  2. Members and CIAs shall exhibit loyalty in all matters pertaining to the affairs of their organization or to whomever they may be rendering a service. However, Members and CIAs shall not knowingly be a party to any illegal or improper activity.
  3. Members and CIAs shall not knowingly engage in acts or activities which are discreditable to the profession of internal auditing or to their organization.
  4. Members and CIAs shall refrain from entering into any activity which may be in conflict with the interest of their organization or which would prejudice their ability to carry out objectively their duties and responsibilities.
  5. Members and CIAs shall not accept anything of value from an employee, client, customer, supplier, or business associate of their organization which would impair or be presumed to impair their professional judgment.
  6. Members and CIAs shall undertake only those services which they can reasonably expect to complete with professional competence.
  7. Members and CIAs shall adopt suitable means to comply with the Standards for the Professional Practice of Internal Auditing.
  8. Members and CIAs shall be prudent in the use of information acquired in the course of their duties. They shall not use confidential information for any personal gain nor in any manner which would be contrary to law or detrimental to the welfare of their organization.
  9. Members and CIAs, when reporting on the results of their work, shall reveal all material facts known to them which, if not revealed, could either distort reports of operations under review or conceal unlawful practices.
  10. Members and CIAs shall continually strive for improvement in their proficiency, and in the effectiveness and quality of their service.
  11. Members and CIAs, in the practice of their profession, shall be ever mindful of their obligation to maintain the high standards of competence, morality and dignity promulgated by The Institute. Members shall abide by the Bylaws and uphold the objectives of The Institute.

Independence/Objectivity/Confidentiality/Conduct

INDEPENDENCE/OBJECTIVITY

To be effective in performing audits the audit staff must be independent and objective both in actuality and perception. We maintain our independence by our organizational position (including reporting line to the Board) and our Board approved AUTHORIZATION AND RESPONSIBILITIES (see CHARTER).

In order to maintain objectivity, auditors will immediately inform the audit administration of any factors that may be perceived as impairing their objectivity on an assigned audit. Also, auditors will take great care to prevent even a perception of partiality by maintaining a professional distance from the staff of a department while performing an audit. Questions concerning any relationships with auditees or potential auditees (i. e., preparing tax returns, attending parties, etc.) should be brought to the attention of the audit administration. Finally, auditors will not accept anything of value from an employee, supplier, or business associate of the University which would impair or be perceived to impair their professional judgement or objectivity. Any gifts accepted will be immediately reported to audit administration.

CONFIDENTIALITY

Much of the information available to internal auditors is of a sensitive or confidential nature. Auditors should be prudent in their use of information acquired in the course of their duties or information which is available to them. They will not discuss any matters pertaining to the audits performed by the departments in other then an official manner.

Auditors shall not use confidential information for any personal gain or in a manner which would be detrimental to the University or any employee or student of the University. (See the Institute of Internal Auditor's Code of Ethics).

Auditors will take adequate measures to prevent the unauthorized release of confidential materials or information in any medium including paper copies, microfiche, or computer files. Such materials should be adequately secured from theft, reproduction, or casual observation.

Confidential materials include any information (except public information) associated with student or employee names, social security numbers, or identification numbers. Examples of confidential information include, but are not limited to the following:

  1. Student or employee medical or psychological records.
  2. Course enrollment or grades.
  3. Financial aid records.
  4. Student or parent financial status records.
  5. Employee personnel, benefit, or payroll information.
  6. Any information which could cause the University embarrassment or liability.
CONDUCT

The following guidelines are established regarding personal conduct and the confidentiality of audit or business information acquired through audit assignments.

Audit Process

PLANNING - GENERAL, RATIONALE

The assessment of audit risk is an integral part of our planning process. The audit planning process encompasses all activities related to the development of the internal audit plan and schedule and the determination of the audit scope and objectives, timing, design of detailed procedures, and audit recourse planning for the individual auditable entities. The primary objective of the audit planning process is to design our audit approach to ensure that audits are performed in the most effective and efficient manner. In undertaking this process we attempted the following:

PLANNING - RESEARCH, SCHEDULING, AND AUDITS

Internal Audit's scheduling process begins with requests for audit services (requests, or suggestions, come from several sources). One obvious source is our own Internal Audit staff. Our in-depth knowledge of the University gives us a unique perspective on the types of projects in which we can reduce the University's risk. Hence, some of our projects originate in our own group or as a result of the annual audit of the University as a whole, which is conducted by the State Board of Accounts.

Several factors influence the selection and scheduling of projects: the degree of risk or exposure to loss; type of audit; current and planned work in other major audit projects requiring substantial time commitments of Internal Audit staff; the availability of staff in client units selected for review; and the availability of Internal Audit staff with the appropriate skills.

An analysis will be performed annually in order to quantify risk and schedule audits. This analysis will combine factual information and Internal Audit administration's judgment in the selection, ranking, and weighing of the various audit risk factors. It should be emphasized that the final determination as to which areas should be included in the audit plan cannot be based solely on the results of this audit risk assessment. Rather, the performance of the assessment is a tool for use by Internal Audit administration.

TYPES OF AUDITS

1. AUDIT

2. LOSS

3. INFORMATION SYSTEMS AUDIT

4. MISCELLANEOUS

    1. Assistance on evaluation of backup procedures and contingency planning
    2. Assistance on whether a defined architecture has proper controls
    3. Information on computer controls
    4. Assistance on implementation of internal financial system

5. DEPARTMENT ADMINISTRATIVE REVIEWS

6. FOLLOW-UP REVIEW

7. CASH COUNT

Audit Assignment

All audits/tasks will be authorized by the Audit administration using an audit assignment sheet. The objective of this process is to assure that work is performed on only authorized activity. This form will provide sufficient information on the audit/task scope, objectives, and resource restrictions (allocated hours, expected completion date) so the assigned auditor(s) will have a clear understanding of Audit administration's expectations for their particular assignment.

DEFINITION OF TERMS ON THE ASSIGNMENT SHEET
SCOPE AND OBJECTIVES
    1. Determine the accuracy and propriety of financial transactions
    2. Evaluate financial and operational procedures for adequacy of internal controls and provide advice and guidance on control aspects of new policies, systems, processes, and procedures
    3. Verify the existence of University assets and ensure that proper safeguards are maintained to protect them from loss
    4. Determine the level of compliance with University policies and procedures, state and federal laws and government regulations
    5. Evaluate the accuracy, effectiveness, and efficiency of the University's electronic information and processing systems
    6. Determine the effectiveness and efficiency of organizations in accomplishing their mission and identify operational opportunities for cost savings and revenue enhancements
    7. Provide assistance and a coordinated audit effort with the Indiana State Board of Accounts and other external auditors
    8. Determine if a loss occurred, if so the amount of the loss and circumstances (control weaknesses) that contributed to it.
DUTIES/RESPONSIBILITIES
      1. Attend entrance and exit interviews
      2. Discuss, direct, advise, etc., the assigned auditors during the course of the assignment including writing the report
      3. Will be responsible for assuring the audit program steps will accomplish the objectives, address major risk and exposures, and will reasonably assure the completion of the assignment within allocated resources. Final approval of the audit program will be done by Audit Administration
      4. Review, edit, and approve the draft report
      5. Assure the audit is performed according to department standards, staying within the scope and resource allocation limits (hours and dates), and meet stated assigned objectives.
      1. Perform the preliminary review, including the internal control evaluation, with guidance from the Audit Manager
      2. After discussions with the Audit Manager, prepare an audit program and time estimate for each program section
      3. Perform all assigned activities in conformance with department standards, staying within the scope and resource allocation limits of the assigned activity or program section
      4. Write the draft audit report
      1. Determine working paper's compliance to general department working paper standards
      2. Review from audit program steps to the referenced working papers ensuring cross-referencing is proper, the working papers support the steps performed, and all steps have been completed
      3. Review working paper's from the report(s) to the Digest of Significant Findings to the working paper summaries to the detailed working papers to ensure that all findings are stated adequately and documented and support the opinions, findings, and recommendations stated in the report
      4. Ensure that working papers "stand alone" in that they are clearly stated what work was performed, how and from where samples were selected, the purpose of the working paper, what findings were made, etc.
      5. Document review comments on review notes form
      6. After all audit review notes have been resolved, sign off on working paper section of final working paper/report approval form
      7. Determine report(s) compliance with general department report standards
      8. Sign off on report(s) section of final working paper/report approval form
      9. Determine Permanent/Continuing Audit File's compliance with department standards

      1. Print revised draft copies for Directors approval
      2. Print final report copy for auditors and director signature
      3. Mail final report copy
      4. Filing of electronic copy on LAN
      5. Update ARMS: mark complete, recommendation categories, mark complete, create follow-up when necessary, etc.
      6. Mailing feedback questionnaire
      7. Updating feedback spreadsheet when feedback received
      8. Adding response to electronic copy of report and filing paper copy with final report
      9. Creating follow-up working papers, trustee report, electronic copy of report on LAN, etc.
      10. Updating Trustee report
ANNOUNCEMENT LETTER

Preliminary Review -General, Rationale

    1. Familiarization
    2. Identification of potential problem areas
    3. Evaluation of internal controls
    4. Planning the detailed audit
INITIAL RESEARCH (FAMILIARIZATION)
IDENTIFICATION OF POTENTIAL PROBLEM AREAS
REVIEW AND EVALUATION OF INTERNAL CONTROL ENVIRONMENT

FLOWCHARTING

GENERAL FLOW CHARTING GUIDELINES

    1. Clarity and simplicity in presentation are essential. Mistaken use of extreme detail may tend to conceal rather than expose key points. Complexities such as exception controls can be better explained in attached memoranda. However, narrative explanations should be kept brief. In most cases, the combination of the flow chart and a narrative description tends to be far superior to either document alone.
    2. Only transactions/documents with control significance should be shown (i.e., control over authorization, recording, safeguarding, reconciliation, and valuation). This can generally be accomplished by including only those activities within an application where data is initialized, changed, or transferred to other departments. For a process to be flow charted, it must be broken down into its component parts, namely actions and decisions. Also, the name(s) and position(s) of the people performing the transactions should be indicated for each action. The names of each document should also be included within the document symbols.
    3. The auditor usually obtains information necessary for preparing or updating flow charts by interviewing personnel at each site about procedures followed, and by reviewing procedure manuals, existing flow charts and other system documentation. Sample documents are collected and each department involved is questioned about its specific duties. Inquiries can be made concurrently with the performance of transaction reviews, particularly when flow charts are being updated. If possible, the auditor should observe the process.

INTERNAL CONTROL QUESTIONNAIRES

PLANNING THE DETAILED AUDIT

STATEMENT OF RISK AND EXPOSURE

Permanent/Continuing Audit Files

A permanent file should give the auditor general knowledge about the unit. The information in the file is not expected to change significantly from year-to-year, but it is pertinent to the current year's audit. Prior year's financial would aid the auditor in gathering general knowledge about the unit. It might also be useful in comparing the current year to the prior year or performing analyses. A permanent file should only be prepared for audits that we continually do or if the area audited is a system such as payroll, accounts payable, etc. Before a permanent file is established, consult with the Audit Manager and audit administration. If a permanent file is not prepared, useful information can be filed in section D of the working papers.

Audit Program

OBJECTIVES

The audit program should contain a statement of the objectives of the area being reviewed. The statement of objectives in the audit program should correspond with the audit objectives stated in the assignment sheet. These objectives should be achieved through the detailed audit program steps.

AUDIT STEPS

A well-constructed audit program provides specific, detailed steps (procedures) for achieving the audit objectives. Standardized audit programs with specific audit steps for achieving objectives are available and should be used or modified.

TIME BUDGET

Fieldwork

EVIDENTIAL MATTER

Evidential matter obtained during the course of the audit provides the documented basis for the auditor's opinions, findings, and recommendations as expressed in the audit report. As internal auditors, we are obligated by our professional standards to act objectively, exercise due professional care, and collect sufficient, competent, relevant, and useful information to provide a sound basis for audit findings and recommendation (see examining and evaluating information).

AUDIT SAMPLING
TESTING AND WORKING PAPER DOCUMENTATION
QUALITIES OF GOOD WORKING PAPERS
WORKING PAPER TECHNIQUES
TYPES OF WORKING PAPERS

1. Schedules and Analyses

o        Schedules and analyses are useful for identifying statistical trends, verifying the accuracy of data, developing projections or estimations, and determining if tasks or records have been properly completed. Each record review, data schedule, or analyses should include the following items:

§         An explanation of its purpose (reference audit step)

§         The methodology used to select the sample, make the calculation, etc.

§         The criteria used to evaluate the data

§         The source of data and time frame considered

§         A summary of the results of the analyses

§         The auditor's conclusion

2. Documents

o        Copies or actual samples of various documents can be used as examples, for clarification, and as physical evidence to support a conclusion or prove the existence of a problem. These documents can be memos, reports, computer printouts, procedures, forms, invoices, flow charts, contracts, or any of numerous other items. Any copied document should serve a useful audit purpose.

o        The following suggestions are offered for preparation of working papers using documents rather than the auditor's notes:

§         Indicate both the person and/or file that the document came from (source).

§         Copy and insert only that portion of the report, memo, procedure, etc., which is needed for purposes of explanation or as documentation of a potential finding. Do not include the entire document in the working papers unless absolutely necessary.

§         Fully explain the terms and notations found on the document, as well as its use. This is especially true when including maps, engineering drawings, or flow charts in the papers. These explanations may be made on an attached preceding page or on the face of the document itself.

§         Each document should be cross-referenced either to the page or separate analysis where it was discussed.

§         No document should be included in the working papers without an explanation of why it was included.

§         Documents larger than 8-1/2" x 11" should be reduced when practicable.

3. Process Write-ups and Flow charts

o        In many audits, it is necessary to describe systems or processes followed by the audit customer. Describe such procedures or processes through the use of write-ups or flow charts or some combination of the two. The choice of which method to use will depend on the relative efficiency of the method in relation to the complexities of the system being described.

o        Write-ups are often easier to use, and should be used, if the system or process can be described clearly and concisely. However, when write-ups would be lengthy, and description of related control points are difficult to integrate in the narrative, flow-charting (or a combination of write-ups and flow-charting) is an appropriate alternative. Flow charts conveniently describe complex relationships because they reduce narrative explanations to a picture of the system. They are concise and may be easier to analyze than written descriptions.

4. Interviews

o        Most verbal information is obtained through formal interviews conducted either in person or by telephone. Formal interviews are most desirable because the interviewers know they are providing input to the audit; however, impromptu interviews, or even casual discussions can often provide important information. Any verbal information which is likely to support a conclusion in the audit working papers should be documented. Interviews are useful in identifying problem areas, obtaining general knowledge of the audit subject, collecting data not in a documented form, and documenting the audit customer's opinions, assessments, or rationale for actions. Interview notes should contain only the facts presented by the person interviewed, and not include any of the auditor's opinions.

o        In preparing interviews for working papers, consider the following suggestions:

§         Be sure to include the name and position title of all persons from whom information was obtained. This includes data gathered during casual conversations.

§         Indicate when and where the meeting occurred.

§         Organize notes by topic wherever possible.

§         Identify sources of information quoted by interviewee.

5. Observations

o        What the auditor observes can serve the same purposes as interviews. If observations can be used to support any conclusions, then they should be documented. They are especially useful for physical verifications.

o        Observations used as supporting documentation should generally include the following items:

§         Time and date of the observation

§         Where the observation was made

§         Who accompanied the auditor during the observation

§         What was observed (when testing is involved, the working papers should include the sample selections and the basis of the sample)

6. Findings

o        All audit findings must be documented in a SECTION SUMMARY (see next section) schedule in the working papers. Unfavorable findings will be summarized on a Digest of Significant Findings working paper whether or not they are to be included in the audit report. All findings should be documented immediately by the auditor discovering the situation.

STATING FINDINGS/CONCLUSIONS
    1. Statement of Condition (What is!)
    2. Criteria (What should be!)
    3. Effect (So what?)
    4. Cause (Why did it happen?)
    5. Recommendation (What should be done?)

1. STATEMENT OF CONDITION

o        The condition identifies the nature and extent of the find or unsatisfactory condition. It often answers the question: "What was wrong?" Normally, a clear and accurate statement of condition evolves from the auditor's comparison or results with appropriate evaluation criteria.

2. CRITERIA

o        This attribute establishes the legitimacy of the finding by identifying the evaluation criteria and answers the question: "By what standards was it judged?" In financial and compliance audits, criteria could be accuracy, materiality, consistency, or compliance with applicable accounting principles and legal or regulatory requirements. In audits of efficiency, economy, and program results (effectiveness), criteria might be defined in mission, operation, or function statements; performance, production, and cost standards; contractual agreements; program objectives; policies, procedures, and other command media; or other external sources of authoritative criteria.

3. EFFECT

o        This attribute identifies the real or potential impact of the condition and answers the question: "What effect did it have?"

o        The significance of a condition is usually judged by its effect. In operational audits, reduction in efficiency and economy, or not attaining program objectives (effectiveness), are appropriate measures of effect. These are frequently expressed in quantitative terms; e.g., dollars, number of personnel, units of production, quantities of material, number of transactions, or elapsed time. If the real effect cannot be determined, potential or intangible effects can sometimes be useful in showing the significance of the condition.

4. CAUSE

o        The fourth attribute identifies the underlying reasons for unsatisfactory conditions or findings, and answers the question: "Why did it happen?"

o        If the condition has persisted for a long period of time or is intensifying, the contributing causes for these characteristics of the condition should also be described.

o        Identification of the cause of an unsatisfactory condition or finding is a prerequisite to making meaningful recommendations for corrective action. The cause may be quite obvious or may be identified by deductive reasoning if the audit recommendation points out a specific and practical way to correct the condition. However, failure to identify the cause in a finding may also mean the cause was not determined because of limitation or defects in audit work, or was omitted to avoid direct confrontation with responsible officials.

5. RECOMMENDATIONS

o        This final attribute identifies suggested remedial action and answers the question: "What should be one?"

o        The relationship between the audit recommendation and the underlying cause of the condition should be clear and logical. If a relationship exists, the recommended action will most likely be feasible and appropriately directed.

o        Recommendations in the audit report should state precisely what needs to be changed or fixed. How the change will be made is the client's responsibility. More generalized recommendations (e.g., greater attention be given, controls be re-emphasized, a study made, or consideration be given) should not be used in the audit report, but they are sometimes appropriate in summary reports to direct top management's attention to compliance-type findings disclosed in several areas.

o        Unless benefits of taking the recommended action are obvious, they should be stated. The cost of implementing and maintaining recommendations should always be compared to risk.

o        Recommendations should be directed to an individual capable of taking action.

6. POLICY/PROCESS

o        Audit findings will include: the nature of the findings, the criteria used to determine the existence of the condition; the cause of the condition; the significance of its impact; and what the auditors think should be done to correct the situation.

Audit (Project) Quality Assurance Rationale, etc.

NOTE: Auditors are encouraged to perform an "informal" self-review of their working papers. However, this review would be for their own benefit only and therefore this document WILL NOT be a part of the working papers.

NOTE: The working papers and report will be factors used in the Performance Evaluation process.

GENERAL STANDARDS FOR WORKING PAPERS

1. Functions of Working Papers

    1. procedures applied
    2. test performed
    3. information obtained
    4. pertinent conclusions reached

2. Completeness of Working Papers

    1. no significant questions within the scope or related to the objective of the audit should go unanswered
    2. working papers must "stand alone," in that it is clearly stated what work was performed, how and from where samples were selected, the purpose of the working papers, what findings were made, etc.
    1. a descriptive heading
    2. identification of source if not obvious
    3. the date of preparation and auditor's initials
    4. index number of the work paper
      1. consistent, neat, not crowded
      2. only essential items included
      3. arranged in a uniform style
      1. adequate planning and supervision
      2. adequate review of internal control
      3. sufficient competent evidential matter

3. Examples of Working Papers

    1. audit programs, summaries, schedules, computations, or analysis prepared or obtained
    2. memoranda, interviews, letters of confirmation or representation
    3. data stored on tapes, films, disk, or other media
    1. Working Papers Index
    2. Assignment Form
    3. Draft Report
    4. Digest of Significant Findings
    5. Quality Assurance Review
    6. Audit Program
    7. Section Summaries for each audit program section
    8. Worksheet or Lead Schedules
    9. Final Report
    1. Permanent/Continuing Audit File
    2. Summary of Audit Objectives and Time Control
    3. Announcement Letter
    4. Contact List
    5. Auditee Financial Statements
    6. Interim Memorandums and Meetings
    7. Exit Conference Record

4. Cross-Referencing of Working Papers

5. Indexing of Working Papers

GENERAL STANDARDS - REPORT(S)

Reporting and Follow-up

AUDIT REPORT, TRANSMITTAL LETTER, AND MANAGEMENT LETTER
CONFIDENTIALITY - REPORTS
      1. Report discloses a weakness (potentially resulting in a loss) which has not been corrected at the time of distribution
      2. Report discloses sensitive information which could prove an embarrassment to the University (if made public)
      3. Report discloses information classified as "restricted data"
      4. At the discretion of the Director of Internal Audit
EXIT CONFERENCE
CLOSING OF THE AUDIT
INPUT IN BOARD OF TRUSTEE REPORT
AUDIT FEEDBACK QUESTIONNAIRE
FOLLOW-UP REVIEW

Personnel

Job Descriptions

DIRECTOR
ASSOCIATE DIRECTOR

INFORMATION SYSTEMS AUDIT MANAGER
      1. Ensure that adequate controls are established and installed to meet management objectives,
      2. Verify that users and computer operation's staff have been trained in the system functions and controls
      3. Determine whether level of security is appropriate
      4. Verify that backup and recovery procedures are complete
      1. Based on a review and evaluation of current internal controls, assess potential risk, and exposure to the University, and prepare detailed audit program describing tests to be performed.
      2. Obtain sufficient competent and relevant evidential matter, analyze and summarize data to support an objective informed opinion on the adequacy and effectiveness of internal controls, the accuracy of institutional data, and the level of compliance with University policies.
      3. Draft written reports expressing opinions on the adequacy and effectiveness of system controls, the accuracy of institutional data, and the level of compliance with relevant policies, procedures, and government statutes. Recommend changes in policies and procedures to enhance controls or correct deficiencies.
Audit Manager - Northwest, South Bend, and Kokomo Campuses
AUDIT MANAGER
INFORMATION SYSTEMS AUDITOR
AUDITOR

Performance Evaluation

PERFORMANCE EVALUATION RATIONALE, POLICY AND PROCESS
      1. Total Chargeable Hours at department standard
      2. Audit Completed Timely
      3. Audit Within Budget hours
      4. Workpapers Technically Correct (Dept Standards)
      5. Audits Performed according to standards
      6. Hours at Auditee Location
      1. Competent in required job skills and knowledge
      2. Exhibits ability to learn and apply new skills
      3. Exhibits sound and accurate judgment
      4. Requires minimal supervision
      5. Displays understanding of how job relates to others
      1. Keeps current on University Policies and Processes
      2. Keeps current on University systems
      3. Participates in available Continuing Education
      4. Certified as CIA, CPA, CISA, CFE
      5. Keeps current with Accounting and Auditing trends
      1. Balances team and individual responsibilities
      2. Exhibits objectivity and openness to others' views
      3. Gives and welcomes feedback
      4. Contributes to building a positive team spirit
      5. Puts success of team above own interests
      1. Writes clearly, precisely and informatively
      2. Edits work for spelling, grammar, and format
      3. Varies writing style to meet needs
      4. Follows standards for presenting elements of findings
      5. Scope, Objective and Opinion consistent w/ work done
      6. Selects and uses appropriate communication methods
      1. Speaks clearly and persuasively
      2. Listens and gets clarification
      3. Responds well to questions
      4. Demonstrates group presentation skills
      5. Participates in meetings
      6. Keeps others adequately informed
      1. Displays original thinking and creativity
      2. Meets challenges with resourcefulness
      3. Generates suggestions for improving work
      4. Develops innovative approaches and ideas
      1. Adapts to changes in the work environment
      2. Manages competing demands
      3. Accepts criticism and feedback
      4. Changes approach or method to best fit the situation
      1. Synthesizes complex or diverse information
      2. Collects and researches data
      3. Uses intuition and experience to complement data
      4. Identifies data relationships and dependencies
      5. Designs work flows and procedures
      1. Schedules time off in advance
      2. Begins working on time
      3. Keeps absences within guidelines
      4. Ensures work responsibilities are covered when absent
      5. Arrives at meetings and appointments on time
      1. Establishes and maintains effective relations
      2. Exhibits tact and consideration
      3. Displays positive outlook and pleasant manner
      4. Offers assistance and support to co-workers
      5. Works cooperatively in group situations
      6. Works actively to resolve conflicts
      1. Works within approved budget
      2. Conserves organizational resources
      3. Develops and implements cost saving measures
      4. Contributes to profits and revenue
      1. Displays courtesy and sensitivity
      2. Manages difficult or emotional customer situations
      3. Meets commitments
      4. Responds promptly to customer needs
      5. Solicits customer feedback to improve service
      1. Responds to requests for service and assistance
      2. Follows instructions
      3. Responds to management direction
      4. Takes responsibility for own actions
      5. Commits to doing the best job possible
      6. Keeps commitments
      7. Meets attendance and punctuality guidelines
      1. Volunteers readily
      2. Undertakes self-development activities
      3. Seeks increased responsibilities
      4. Takes independent actions and calculated risks
      5. Looks for and takes advantage of opportunities
      6. Asks for help when needed
      1. Displays willingness to make decisions
      2. Includes appropriate people in decision making process
      3. Makes timely decisions
      1. Exhibits confidence in self and others
      2. Inspires respect and trust
      3. Reacts well under pressure
      4. Shows courage to take action
      5. Motivates others to perform well
      1. Provides direction and gains compliance
      2. Includes subordinates in planning
      3. Takes responsibility for subordinates' activities
      4. Makes self available to subordinates
      5. Provides regular performance feedback
      6. Develops subordinates' skills and encourages growth
      1. Follows policies and procedures
      2. Completes administrative tasks correctly and on time
      3. Supports organization's goals and values
      4. Benefits organization through outside activities
      5. Supports affirmative action and respects diversity
      1. Dresses appropriately for position
      2. Keeps self well-groomed
      1. Priorities and plans work activities
      2. Uses time efficiently
      3. Plans for additional resources
      4. Integrates changes smoothly
      5. Sets goals and objectives
      6. Works in an organized manner
      1. Identifies problems in a timely manner
      2. Gathers and analyzes information skillfully
      3. Develops alternative solutions
      4. Resolves problems in early stages
      5. Works well in group problem solving situations
      1. Develops project plans
      2. Coordinates projects
      3. Communicates changes and progress
      4. Completes projects on time and budget
      5. Manages project team activities
      1. Demonstrates accuracy and thoroughness
      2. Displays commitment to excellence
      3. Looks for ways to improve and promote quality
      4. Applies feedback to improve performance
      5. Monitors own work to ensure quality
      1. Meets productivity standards
      2. Completes work in timely manner
      3. Strives to increase productivity
      4. Works quickly
      5. Achieves established goals
      1. Observes safety and security procedures
      2. Determines appropriate action beyond guidelines
      3. Uses equipment and materials properly
      4. Reports potentially unsafe conditions
      1. Achieves sales goals
      2. Overcomes objections with persuasion and persistence
      3. Initiates new contacts
      4. Maintains customer satisfaction
      5. Maintains records and promptly submits information
        1. 500 Management of the Internal Auditing Department. The Director of Internal Auditing should properly manage the Internal Auditing Department.
        2. 540 Personnel Management and Development. The Director of Internal Auditing should establish a program for selecting and developing the human resources of the Internal Auditing Department.

Training and Professional Development

CERTIFICATION PROGRAMS
REQUEST FOR FUNDS FOR CONTINUING EDUCATION

Department Administrative Procedures

Management of Audit Hour Resources

AUDIT RESOURCE REPORTING POLICIES

Standard Electronic Tools

DEPARTMENT (FOCUS) QUERIES
    1. The library will be controlled by the department FOCUS LIBRARIAN who will be responsible for updating the library and informing staff of the current library's contents.
    2. Queries will be written by staff members who have developed an appropriate understanding of the structure and the data in the accessed files.
    3. Queries will be written according to standards established by the department.
    4. Queries will be thoroughly reviewed and tested before being placed in the library by the librarian.
    5. Whenever practical these queries will be used to extract data from FOCUS defined files for use in audit testing.
ELECTRONIC WORKING PAPERS

Miscellaneous Policies

PURGING WORKING PAPERS
FLEXIBLE WORK HOURS
PAID TIME OFF
COMPUTER SOFTWARE
HOUSEKEEPING
OUTLOOK©