Indiana University Internal Audit
Revised: March 31, 2000
Department Function - Overview
Page maintained by:
Indiana University Internal Audit teradke@indiana.edu
Last update: March 31, 2000
General
Rationale
Internal Audit is a central
administrative unit of the University with offices located on the Bloomington
and Indianapolis campuses. Internal Audit reports operationally to the Vice
President for Administration with dotted line representation to the Indiana
University Board of Trustees. Internal Audit's coverage and service extends to
all IU campuses (except IPFW at Fort Wayne, which is administered by Purdue).
Internal Audit is also a control which functions by examining and evaluating
the adequacy and effectiveness of other controls throughout the University for
administrators, the Board of Trustees, and external auditors. Finally, Internal
Audit provides assistance to the University's external auditors in their
performance of the annual audits of the University financial statements and
A133-Federal Awards, and assists other state, federal, and public
auditors.
Charter
INTRODUCTION
Indiana University supports Internal
Audit as an independent appraisal function to examine and evaluate University
activities as a service to management and the Board of Trustees. The mission of
Internal Audit is to support members of the University in the effective
discharge of their responsibilities. To this end, Internal Audit will furnish
them with analyses, recommendations, counsel, and information concerning the
activities examined.
ORGANIZATION AND BOARD REPORTING
The Internal Audit Director will report
to the Vice President for Administration with dotted line reporting to the
Finance and Audit Committee of the Board of Trustees. The committee will have
final approval of the hiring, firing, and salary changes for the Director.
Annually, the Director will submit to
the Board a written report on the internal audit activity during the preceding
fiscal year. The Director shall also make an oral report to the Finance and
Audit Committee. Immediately following the oral report, the Director shall
confer with the committee, outside the presence of University officials, on any
subject germane to Internal Audit's area of responsibility.
The Internal Audit Director will make a
written report to the Chair of the Finance and Audit Committee whenever there
is evidence of defalcations or other problems exceeding $25,000. In addition,
if the circumstances ever warrant such action, the Internal Audit Director may
circumvent normal University reporting lines and communicate directly with the
Chair of the Finance and Audit Committee.
AUTHORIZATION AND RESPONSIBILITIES
Internal Audit has the authority to
audit all parts of the University and shall have full and complete access to
any of the organization's records, physical properties, and personnel relevant
to the performance of an audit. Documents and information given to internal
auditors during a periodic review will be handled in the same prudent manner as
by those employees normally accountable for them.
Internal Audit will have no direct
responsibility or authority for any of the activities or operations they
review. They should not develop and install procedures, prepare records, or
engage in activities that would normally be reviewed by internal auditors.
Furthermore, an internal audit does not in any way relieve other persons in the
University of the responsibilities assigned to them.
REPORTING RESPONSIBILITIES
A written report will be prepared and
issued by the Internal Audit Director following the conclusion of each audit.
Copies of the report will be distributed as appropriate. The manager of the
activity or department receiving the report will respond within thirty days and
forward a copy of the response to those included on the distribution list. The
response will indicate what actions were taken regarding specific report
findings and recommendations.
The manager receiving the report is
responsible for ensuring that progress is made toward correcting any
unsatisfactory conditions. Internal Audit is responsible for determining
whether the action taken is adequate to resolve audit findings. If the action
is not adequate, Internal Audit will inform University management of the
potential risk and exposure in allowing the unsatisfactory conditions to
continue.
MISSION OBJECTIVE
Internal Audit's objectives in accomplishing
its mission will include the following:
- Determine the accuracy and propriety of financial transactions
- Evaluate financial and operational procedures for adequacy of
internal controls and provide advice and guidance on control aspects of
new policies, systems, processes, and procedures
- Verify the existence of University assets and ensure that
proper safeguards are maintained to protect them from loss
- Determine the level of compliance with University policies and
procedures, and state and federal laws and regulations
- Evaluate the accuracy, effectiveness, and efficiency of the
University's electronic information and processing systems
- Determine the effectiveness and efficiency of organizations in
accomplishing their mission and identify operational opportunities for
cost savings and revenue enhancements
- Coordinate audit efforts with, and provide assistance to, the
Indiana State Board of Accounts and other external auditors
- Investigate fiscal misconduct
STANDARDS AND ETHICS
In all of its activities, Internal
Audit will adhere to the Standards for the Professional Practice of Internal
Auditing and the Code of Ethics adopted by the Institute of Internal Auditors.
Mission Statement(s)/Objectives/Values
MISSION STATEMENT (short form)
To provide the University with an independent appraisal
of its financial, operational, and control activities.
MISSION STATEMENT (long form)
Internal Audit exists to support
administration and the Board of Trustees in the effective discharge of their
responsibilities. Using our knowledge and professional judgement, we will
provide an independent appraisal of the University's financial, operational,
and control activities. We will report on the adequacy of internal controls,
the accuracy and propriety of transactions, the extent to which assets are
accounted for and safeguarded, and the level of compliance with institutional
policies and government laws and regulations. Additionally, we will provide
analyses, recommendations, counsel, and information concerning the activities
reviewed.
- Determine the accuracy and propriety of financial transactions
- Evaluate financial and operational procedures for adequacy of
internal controls and provide advice and guidance on control aspects of
new policies, systems, processes, and procedures
- Verify the existence of University assets and ensure that
proper safeguards are maintained to protect them from loss
- Determine the level of compliance with University policies and
procedures, state and federal laws and government regulations
- Evaluate the accuracy, effectiveness, and efficiency of the
University's electronic information and processing systems
- Determine the effectiveness and efficiency of organizations in
accomplishing their mission and identify operational opportunities for
cost savings and revenue enhancements
- Provide assistance and a coordinated audit effort with the
Indiana State Board of Accounts and other external auditors
- Investigate fiscal misconduct
VALUES
In carrying out our mission, we share
certain beliefs and values.
- Our primary focus is to provide excellent service to the
University. Our examinations will be performed in accordance with
applicable standards established by the American Institute of Certified
Public Accountants (AICPA), Institute of Internal Auditors (IIA),
Government Accounting Office (GAO), etc.
- We are committed to the highest degree of fairness, integrity,
and ethical conduct in the performance of our mission. We will adhere to
the Code of Ethics as established by the Association of College and
University Auditors (ACUA). Furthermore, we will not issue a report
without first allowing the recipient the opportunity to review, challenge,
question, and respond to our findings and conclusions.
- Our relationships with the University community will be
characterized by respect, helpfulness, sharing, patience, and openness.
- We are committed to maintaining our professionalism as
internal auditors through continuance of our education and training.
- Although we are a part of the University, we are committed to
maintaining our independence in defining the scope and objectives of our
examinations.
Standards for the Professional Practice of Internal Auditing (IIA)
100 INDEPENDENCE
Internal auditors should be independent
of the activities they audit.
- .01 Internal auditors are independent when they can carry out
their work freely and objectively. Independence permits internal auditors
to render the impartial and unbiased judgments essential to the proper
conduct of audits. It is achieved through organizational status and
objectivity.
110 ORGANIZATIONAL STATUS
The organizational status of the
internal auditing department should be sufficient to permit the accomplishment
of its audit responsibilities.
- .01 Internal auditors should have the support of management
and of the board of directors so that they can gain the cooperation of
auditees and perform their work free from interference.
- The director of the internal auditing
department should be responsible to an individual in the organization
with sufficient authority to promote independence and to ensure broad audit
coverage, adequate consideration of audit reports, and appropriate action
on audit recommendations.
- The director should have direct
communication with the board. Regular communication with the board helps
assure independence and provides a means for the board and the director
to keep each other informed on matters of mutual interest.
- Independence is enhanced when the board
concurs in the appointment or removal of the director of the internal
auditing department.
- The purpose, authority, and responsibility
of the internal auditing department should be defined in a formal written
document (charter). The director should seek approval of the charter by
management as well as acceptance by the board. The charter should (a)
establish the department's position within the organization; (b)
authorize access to records, personnel, and physical properties relevant
to the performance of audits; and (c) define the scope of internal
auditing activities.
- The director of internal auditing should
submit annually to management for approval and to the board for its
information a summary of the department's audit work schedule, staffing
plan, and financial budget. The director should also submit all
significant interim changes for approval and information. Audit work schedules,
staffing plans, and financial budgets should inform management and the
board of the scope of internal auditing work and of any limitations
placed on that scope.
- The director of internal auditing should
submit activity reports to management and to the board annually or more
frequently as necessary. Activity reports should highlight significant
audit findings and recommendations and should inform management and the
board of any significant deviations from approved audit work schedules,
staffing plans, and financial budgets, and the reasons for them.
120 OBJECTIVITY
Internal auditors should be objective
in performing audits.
- .01 Objectivity is an independent mental attitude which
internal auditors should maintain in performing audits. Internal auditors
are not to subordinate their judgment on audit matters to that of others.
- .02 Objectivity requires internal auditors to perform audits
in such a manner that they have an honest belief in their work product and
that no significant quality compromises are made. Internal auditors are
not to be placed in situations in which they feel unable to make objective
professional judgments.
- Staff assignments should be made so that
potential and actual conflicts of interest and bias are avoided. The
director should periodically obtain from the audit staff information
concerning potential conflicts of interest and bias.
- Internal auditors should report to the
director any situations in which a conflict of interest or bias is
present or may reasonably be inferred. The director should then reassign
such auditors.
- Staff assignments of internal auditors
should be rotated periodically whenever it is practicable to do so.
- Internal auditors should not assume
operating responsibilities. But if on occasion management directs internal
auditors to perform nonaudit work, it should be understood that they are
not functioning as internal auditors. Moreover, objectivity is presumed
to be impaired when internal auditors audit any activity for which they
had authority or responsibility. This impairment should be considered
when reporting audit results.
- Persons transferred to or temporarily
engaged by the internal auditing department should not be assigned to
audit those activities they previously performed until a reasonable
period of time has elapsed. Such assignments are presumed to impair
objectivity and should be considered when supervising the audit work and
reporting audit results.
- The results of internal auditing work
should be reviewed before the related audit report is released to provide
reasonable assurance that the work was performed objectively.
- .03 The internal auditor's objectivity is not adversely
affected when the auditor recommends standards of control for systems or
reviews procedures before they are implemented. Designing, installing, and
operating systems are not audit functions. Also, the drafting of
procedures for systems is not an audit function. Performing such
activities is presumed to impair audit objectivity.
200 PROFESSIONAL PROFICIENCY
Internal audits should be performed
with proficiency and due professional care.
- .01 Professional proficiency is the responsibility of the
internal auditing department and each internal auditor. The department
should assign to each audit those persons who collectively possess the
necessary knowledge, skills, and disciplines to conduct the audit
properly.
210 STAFFING
The internal auditing department should
provide assurance that the technical proficiency and educational background of
internal auditors are appropriate for the audits to be performed.
- .01 The director of internal auditing should establish
suitable criteria of education and experience for filling internal
auditing positions, giving due consideration to scope of work and level of
responsibility.
- .02 Reasonable assurance should be obtained as to each
prospective auditor's qualifications and proficiency.
220 KNOWLEDGE, SKILLS, AND DISCIPLINES
The internal auditing department should
possess or should obtain the knowledge, skills, and disciplines needed to carry
out its audit responsibilities.
- .01 The internal auditing staff should collectively possess
the knowledge and skills essential to the practice of the profession
within the organization. These attributes include proficiency in applying
internal auditing standards, procedures, and techniques.
- .02 The internal auditing department should have employees or
use consultants who are qualified in such disciplines as accounting,
economics, finance, statistics, electronic data processing, engineering,
taxation, and law as needed to meet audit responsibilities. Each member of
the department, however, need not be qualified in all of these
disciplines.
230 SUPERVISION
The internal auditing department should
provide assurance that internal audits are properly supervised.
- .01 The director of internal auditing is responsible for
providing appropriate audit supervision. Supervision is a continuing
process, beginning with planning and ending with the conclusion of the
audit assignment.
- .02 Supervision includes:
- Providing suitable instructions to
subordinates at the outset of the audit and approving the audit program.
- Seeing that the approved audit program is
carried out unless deviations are both justified and authorized.
- Determining that audit working papers
adequately support the audit findings, conclusions, and reports.
- Making sure that audit reports are
accurate, objective, clear, concise, constructive, and timely.
- Determining that audit objectives are
being met.
- .03 Appropriate evidence of supervision should be documented
and retained.
- .04 The extent of supervision required will depend on the
proficiency of the internal auditors and the difficulty of the audit
assignment.
- .05 All internal auditing assignments, whether performed by or
for the internal auditing department, remain the responsibility of its
director.
240 COMPLIANCE WITH STANDARDS OF CONDUCT
Internal auditors should comply with
professional standards of conduct.
- .01 The Code of Ethics of The Institute of Internal Auditors
sets forth standards of conduct and provides a basis for enforcement among
its members. The Code calls for high standards of honesty, objectivity,
diligence, and loyalty to which internal auditors should conform.
250 KNOWLEDGE, SKILLS, AND DISCIPLINES
Internal auditors should possess the
knowledge, skills, and disciplines essential to the performance of internal
audits.
- .01 Each internal auditor should possess certain knowledge and
skills as follows:
- Proficiency in applying internal auditing
standards, procedures, and techniques is required in performing internal
audits. Proficiency means the ability to apply knowledge to situations
likely to be encountered and to deal with them without extensive recourse
to technical research and assistance.
- Proficiency in accounting principles and
techniques is required of auditors who work extensively with financial
records and reports.
- An understanding of management principles
is required to recognize and evaluate the materiality and significance of
deviations from good business practice. An understanding means the
ability to apply broad knowledge to situations likely to be encountered,
to recognize significant deviations, and to be able to carry out the
research necessary to arrive at reasonable solutions.
- An appreciation is required of the
fundamentals of such subjects as accounting, economics, commercial law,
taxation, finance, quantitative methods, and computerized information
systems. An appreciation means the ability to recognize the existence of
problems or potential problems and to determine the further research to
be undertaken or the assistance to be obtained.
260 HUMAN RELATIONS AND COMMUNICATIONS
Internal auditors should be skilled in
dealing with people and in communicating effectively.
- .01 Internal auditors should understand human relations and
maintain satisfactory relationships with auditees.
- .02 Internal auditors should be skilled in oral and written
communications so that they can clearly and effectively convey such
matters as audit objectives, evaluations, conclusions, and
recommendations.
270 CONTINUING EDUCATION
Internal auditors should maintain their
technical competence through continuing education.
- .01 Internal auditors are responsible for continuing their
education in order to maintain their proficiency. They should keep
informed about improvements and current developments in internal auditing
standards, procedures, and techniques. Continuing education may be
obtained through membership and participation in professional societies;
attendance at conferences, seminars, college courses, and in-house
training programs; and participation in research projects.
280 DUE PROFESSIONAL CARE
Internal Auditors should exercise due
professional care in performing internal audits.
- .01 Due professional care calls for the application of the
care and skill expected of a reasonably prudent and competent internal
auditor in the same or similar circumstances. Professional care should,
therefore, be appropriate to the complexities of the audit being
performed. In exercising due professional care, internal auditors should
be alert to the possibility of intentional wrongdoing, errors and
omissions, inefficiency, waste, ineffectiveness, and conflicts of
interest. They should also be alert to those conditions and activities
where irregularities are most likely to occur. In addition, they should
identify inadequate controls and recommend improvements to promote
compliance with acceptable procedures and practices.
- .02 Due care implies reasonable care and competence, not
infallibility or extraordinary performance. Due care requires the auditor
to conduct examinations and verifications to a reasonable extent, but does
not require detailed audits of all transactions. Accordingly, the internal
auditor cannot give absolute assurance that noncompliance or
irregularities do not exist. Nevertheless, the possibility of material
irregularities or noncompliance should be considered whenever the internal
auditor undertakes an internal auditing assignment.
- .03 When an internal auditor suspects wrongdoing, the
appropriate authorities within the organization should be informed. The
internal auditor may recommend whatever investigation is considered
necessary in the circumstances. Thereafter, the auditor should follow up
to see that the internal auditing department's responsibilities have been
met.
- .04 Exercising due professional care means using reasonable
audit skill and judgment in performing the audit. To this end, the
internal auditor should consider:
- The extent of audit work needed to achieve
audit objectives
- The relative materiality or significance
of matters to which audit procedures are applied
- The adequacy and effectiveness of internal
controls
- The cost of auditing in relation to
potential benefits
- Due professional care includes evaluating
established operating standards and determining whether those standards
are acceptable and are being met. When such standards are vague,
authoritative interpretations should be sought. If internal auditors are
required to interpret or select operating standards, they should seek
agreement with auditees as to the standards needed to measure operating
performance.
300 SCOPE OF WORK
The scope of the internal audit should
encompass the examination and evaluation of the adequacy and effectiveness of
the organization's system of internal control and the quality of performance in
carrying out assigned responsibilities.
- .01 The scope of internal auditing work, as specified in this
standard, encompasses what audit work should be performed. It is
recognized, however, that management and the board of directors provide
general direction as to the scope of work and the activities to be
audited.
- .02 The purpose of the review for adequacy of the system of
internal control is to ascertain whether the system established provides
reasonable assurance that the organization's objectives and goals will be
met efficiently and economically.
- .03 The purpose of the review for effectiveness of the system
of internal control is to ascertain whether the system is functioning as
intended.
- .04 The purpose of the review for quality of performance is to
ascertain whether the organization's objectives and goals have been
achieved.
- .05 The primary objectives of internal control are to ensure:
- The reliability and integrity of
information.
- Compliance with policies, plans,
procedures, laws, and regulations.
- The safeguarding of assets.
- The economical and efficient use of
resources.
- The accomplishment of established
objectives and goals for operations or programs.
310 RELIABILITY AND INTEGRITY OF INFORMATION
Internal auditors should review the
reliability and integrity of financial and operating information and the means
used to identify, measure, classify, and report such information.
- .01 Information systems provide data for decision making,
control, and compliance with external requirements. Therefore, internal
auditors should examine information systems and, as appropriate, ascertain
whether:
- Financial and operating records and
reports contain accurate, reliable, timely, complete, and useful
information.
- Controls over record keeping and reporting
are adequate and effective.
320 COMPLIANCE WITH POLICIES, PLANS, PROCEDURES, LAWS, AND REGULATIONS
Internal auditors should review the
systems established to ensure compliance with those policies, plans,
procedures, laws and regulations which could have a significant impact on
operations and reports, and should determine whether the organization is in
compliance.
- .01 Management is responsible for establishing the systems
designed to ensure compliance with such requirements as policies, plans,
procedures, and applicable laws and regulations. Internal auditors are
responsible for determining whether the systems are adequate and effective
and whether the activities audited are complying with the appropriate
requirements.
330 SAFEGUARDING OF ASSETS
Internal auditors should review the
means of safeguarding assets and, as appropriate, verify the existence of such
assets.
- .01 Internal auditors should review the means used to
safeguard assets from various types of losses such as those resulting from
theft, fire, improper or illegal activities, and exposure to the elements.
- .02 Internal auditors, when verifying the existence of assets,
should use appropriate audit procedures.
340 ECONOMICAL AND EFFICIENT USE OF RESOURCES
Internal auditors should appraise the
economy and efficiency with which resources are employed.
- .01 Management is responsible for setting operating standards
to measure an activity's economical and efficient use of resources.
Internal auditors are responsible for determining whether:
- Operating standards have been established
for measuring economy and efficiency.
- Established operating standards are
understood and are being met.
- Deviations from operating standards are
identified, analyzed, and communicated to those responsible for
corrective action.
- Corrective action has been taken.
- .02 Audits related to the economical and efficient use of
resources should identify such conditions as:
- Underutilized facilities.
- Nonproductive work.
- Procedures which are not cost justified.
- Overstaffing or understaffing.
350 ACCOMPLISHMENT OF ESTABLISHED OBJECTIVES AND GOALS FOR OPERATIONS OR PROGRAMS
Internal auditors should review
operations or programs to ascertain whether results are consistent with
established objectives and goals and whether the operations or programs are
being carried out as planned.
- .01 Management is responsible for establishing operating or
program objectives and goals, developing and implementing control
procedures, and accomplishing desired operating or program results.
Internal auditors should ascertain whether such objectives and goals
conform with those of the organization and whether they are being met.
- .02 Internal auditors can provide assistance to managers who
are developing objectives, goals, and systems by determining whether the
underlying assumptions are appropriate; whether accurate, current, and
relevant information is being used; and whether suitable controls have
been incorporated into the operations or programs.
400 PERFORMANCE OF AUDIT WORK
Audit work should include planning the
audit, examining and evaluating information, communicating results and
following up.
- .01 The internal auditor is responsible for planning and
conducting the audit assignment, subject to supervisory review and
approval.
410 PLANNING THE AUDIT
Internal auditors should plan each
audit.
- .01 Planning should be documented and should include:
- Establishing audit objectives and scope of
work.
- Obtaining background information about the
activities to be audited.
- Determining the resources necessary to
perform the audit.
- Communicating with all who need to know
about the audit.
- Performing, as appropriate, an on-site
survey to become familiar with the activities and controls to be audited,
to identify areas for audit emphasis, and to invite auditee comments and
suggestions.
- Writing the audit program.
- Determining how, when, and to whom audit
results will be communicated.
- Obtaining approval of the audit work plan.
420 EXAMINING AND EVALUATING INFORMATION
Internal auditors should collect,
analyze, interpret, and document information to support audit results.
- .01 The process of examining and evaluating information is as
follows:
- Information should be collected on all
matters related to the audit objectives and scope of work.
- Information should be sufficient,
competent, relevant, and useful to provide a sound basis for audit
findings and recommendations. Sufficient information is factual,
adequate, and convincing so that a prudent, informed person would reach
the same conclusions as the auditor. Competent information is reliable
and the best attainable through the use of appropriate audit techniques.
Relevant information supports audit findings and recommendations and is
consistent with the objectives for the audit. Useful information helps
the organization meet its goals.
- Audit procedures, including the testing
and sampling techniques employed, should be selected in advance, where
practicable, and expanded or altered if circumstances warrant.
- The process of collecting, analyzing,
interpreting, and documenting information should be supervised to provide
reasonable assurance that the auditor's objectivity is maintained and
that audit goals are met.
- Working papers that document the audit
should be prepared by the auditor and reviewed by management of the
internal auditing department. These papers should record the information
obtained and the analyses made and should support the bases for the
findings and recommendations to be reported.
430 COMMUNICATING RESULTS
Internal auditors should report the
results of their audit work.
- .1 A signed, written report should be issued after the audit
examination is completed. Interim reports may be written or oral and may
be transmitted formally or informally.
- .2 The internal auditor should discuss conclusions and
recommendations at appropriate levels of management before issuing final
written reports.
- .3 Reports should be objective, clear, concise, constructive,
and timely.
- .4 Reports should present the purpose, scope, and results of
the audit; and, where appropriate, reports should contain an expression of
the auditor's opinion.
- .5 Reports may include recommendations for potential
improvements and acknowledge satisfactory performance and corrective
action.
- .6 The auditee's views about audit conclusions or
recommendations may be included in the audit report.
- .7 The director of internal auditing or designee should review
and approve the final audit report before issuance and should decide to
whom the report will be distributed.
440 FOLLOWING UP
Internal auditors should follow up to
ascertain that appropriate action is taken on reported audit findings.
- .01 Internal auditing should determine that corrective action
was taken and is achieving the desired results, or that management or the
board has assumed the risk of not taking corrective action on reported
findings.
500 MANAGEMENT OF THE INTERNAL AUDITING DEPARTMENT
The director of internal auditing
should properly manage the internal auditing department.
- .01 The director of internal auditing is responsible for
properly managing the department so that:
- Audit work fulfills the general purposes
and responsibilities approved by management and accepted by the board.
- Resources of the internal auditing
department are efficiently and effectively employed.
- Audit work conforms to the Standards for
the Professional Practice of Internal Auditing.
510 PURPOSE, AUTHORITY, AND RESPONSIBILITY
The director of internal auditing
should have a statement of purpose, authority, and responsibility for the
internal auditing department.
- .01 The director of internal auditing is responsible for
seeking the approval of management and the acceptance by the board of a
formal written document (charter) for the internal auditing department.
520 PLANNING
The director of internal auditing
should establish plans to carry out the responsibilities of the internal
auditing department.
- .01 These plans should be consistent with the internal
auditing department's charter and with the goals of the organization.
- .02 The planning process involves establishing:
- Goals.
- Audit work schedules.
- Staffing plans and financial budgets.
- Activity reports.
- .03 The goals of the internal auditing department should be
capable of being accomplished within specified operating plans and budgets
and, to the extent possible, should be measurable. They should be
accompanied by measurement criteria and targeted dates of accomplishment.
- .04 Audit work schedules should include (a) what activities
are to be audited; (b) when they will be audited; and (c) the estimated
time required, taking into account the scope of the audit work planned and
the nature and extent of audit work performed by others. Matters to be
considered in establishing audit work schedule priorities should include
(a) the date and results of the last audit; (b) financial exposure; (c)
potential loss and risk; (d) requests by management; (e) major changes in
operations, programs, systems, and controls; (f) opportunities to achieve
operating benefits; and (g) changes to and capabilities of the audit
staff. The work schedules should be sufficiently flexible to cover
unanticipated demands on the internal auditing department.
- .05 Staffing plans and financial budgets, including the number
of auditors and the knowledge, skills, and disciplines required to perform
their work, should be determined from audit work schedules, administrative
activities, education and training requirements, and audit research and
development efforts.
- .06 Activity reports should be submitted periodically to
management and to the board. These reports should compare (a) performance
with the department's goals and audit work schedules and (b) expenditures
with financial budgets. They should explain the reasons for major
variances and indicate any action taken or needed.
530 POLICIES AND PROCEDURES
The director of internal auditing
should provide written policies and procedures to guide the audit staff.
- .01 The form and content of written policies and procedures
should be appropriate to the size and structure of the internal auditing
department and the complexity of its work. Formal administrative and
technical audit manuals may not be needed by all internal auditing
departments. A small internal auditing department may be managed
informally. Its audit staff may be directed and controlled through daily,
close supervision and written memoranda. In a large internal auditing
department, more formal and comprehensive policies and procedures are
essential to guide the audit staff in the consistent compliance with the
department's standards of performance.
540 PERSONNEL MANAGEMENT AND DEVELOPMENT
The director of internal auditing
should establish a program for selecting and developing the human resources of
the internal auditing department.
- .01 The program should provide for:
- Developing written job descriptions for
each level of the audit staff.
- Selecting qualified and competent
individuals.
- Training and providing continuing
educational opportunities for each internal auditor.
- Appraising each internal auditor's
performance at least annually.
- Providing counsel to internal auditors on
their performance and professional development.
550 EXTERNAL AUDITORS
The director of internal auditing
should coordinate internal and external audit efforts.
- .01 The internal and external audit work should be coordinated
to ensure adequate audit coverage and to minimize duplicate efforts.
- .02 Coordination of audit efforts involves:
- Periodic meetings to discuss matters of
mutual interest.
- Access to each other's audit programs and
working papers.
- Exchange of audit reports and management
letters.
- Common understanding of audit techniques,
methods, and terminology.
560 QUALITY ASSURANCE
The director of internal auditing
should establish and maintain a quality assurance program to evaluate the
operations of the internal auditing department.
- .01 The purpose of this program is to provide reasonable
assurance that audit work conforms with these Standards, the internal
auditing department's charter, and other applicable standards. A quality
assurance program should include the following elements:
- Supervision.
- Internal reviews.
- External reviews.
- .02 Supervision of the work of the internal auditors should be
carried out continually to assure conformance with internal auditing
standards, departmental policies, and audit programs.
- .03 Internal reviews should be performed periodically by
members of the internal auditing staff to appraise the quality of the
audit work performed. These reviews should be performed in the same manner
as any other internal audit.
- .04 External reviews of the internal auditing department
should be performed to appraise the quality of the department's
operations. These reviews should be performed by qualified persons who are
independent of the organization and who do not have either a real or an
apparent conflict of interest. Such reviews should be conducted at least
once every three years. On completion of the review, a formal, written
report should be issued. The report should express an opinion as to the
department's compliance with the Standards for the Professional Practice
of Internal Auditing and, as appropriate, should include recommendations
for improvement.
Code of Ethics (ACUA/IIA)
STANDARDS OF CONDUCT
- Members and CIAs shall exercise honesty, objectivity, and
diligence in the performance of their duties and responsibilities.
- Members and CIAs shall exhibit loyalty in all matters
pertaining to the affairs of their organization or to whomever they may be
rendering a service. However, Members and CIAs shall not knowingly be a
party to any illegal or improper activity.
- Members and CIAs shall not knowingly engage in acts or
activities which are discreditable to the profession of internal auditing
or to their organization.
- Members and CIAs shall refrain from entering into any activity
which may be in conflict with the interest of their organization or which
would prejudice their ability to carry out objectively their duties and
responsibilities.
- Members and CIAs shall not accept anything of value from an
employee, client, customer, supplier, or business associate of their
organization which would impair or be presumed to impair their professional
judgment.
- Members and CIAs shall undertake only those services which
they can reasonably expect to complete with professional competence.
- Members and CIAs shall adopt suitable means to comply with the
Standards for the Professional Practice of Internal Auditing.
- Members and CIAs shall be prudent in the use of information
acquired in the course of their duties. They shall not use confidential
information for any personal gain nor in any manner which would be
contrary to law or detrimental to the welfare of their organization.
- Members and CIAs, when reporting on the results of their work,
shall reveal all material facts known to them which, if not revealed,
could either distort reports of operations under review or conceal
unlawful practices.
- Members and CIAs shall continually strive for improvement in
their proficiency, and in the effectiveness and quality of their service.
- Members and CIAs, in the practice of their profession, shall
be ever mindful of their obligation to maintain the high standards of
competence, morality and dignity promulgated by The Institute. Members
shall abide by the Bylaws and uphold the objectives of The Institute.
Independence/Objectivity/Confidentiality/Conduct
INDEPENDENCE/OBJECTIVITY
To be effective in performing audits
the audit staff must be independent and objective both in actuality and
perception. We maintain our independence by our organizational position
(including reporting line to the Board) and our Board approved AUTHORIZATION
AND RESPONSIBILITIES (see CHARTER).
In order to maintain objectivity,
auditors will immediately inform the audit administration of any factors that
may be perceived as impairing their objectivity on an assigned audit. Also,
auditors will take great care to prevent even a perception of partiality by
maintaining a professional distance from the staff of a department while
performing an audit. Questions concerning any relationships with auditees or
potential auditees (i.e., preparing tax returns, attending parties, etc.)
should be brought to the attention of the audit administration. Finally,
auditors will not accept anything of value from an employee, supplier, or
business associate of the University which would impair or be perceived to
impair their professional judgement or objectivity. Any gifts accepted will be
immediately reported to audit administration.
CONFIDENTIALITY
Much of the information available to
internal auditors is of a sensitive or confidential nature. Auditors should be
prudent in their use of information acquired in the course of their duties or
information which is available to them. They will not discuss any matters
pertaining to the audits performed by the departments in other than an official
manner.
Auditors shall not use confidential
information for any personal gain or in a manner which would be detrimental to
the University or any employee or student of the University. (See the Institute
of Internal Auditors' Code of Ethics).
Auditors will take adequate measures to
prevent the unauthorized release of confidential materials or information in
any medium including paper copies, microfiche, or computer files. Such
materials should be adequately secured from theft, reproduction, or casual
observation.
Confidential materials include any
information (except public information) associated with student or employee
names, social security numbers, or identification numbers. Examples of
confidential information include, but are not limited to, the following:
- Student or employee medical or psychological records.
- Course enrollment or grades.
- Financial aid records.
- Student or parent financial status records.
- Employee personnel, benefit, or payroll information.
- Any information which could cause the University embarrassment
or liability.
CONDUCT
The following guidelines are established
regarding personal conduct and the confidentiality of audit or business
information acquired through audit assignments.
- As a member of the Internal Audit staff, you are representing
the highest level of management. Conduct yourself in a manner that reflects
favorably upon yourself and those you represent. You are expected to
exercise professional skill, integrity, maturity of behavior, and tact in
your relations with others. In general, you are encouraged to be friendly
with all University employees without affecting your objectivity. You
should guard against any conduct or mannerisms which permit an impression
that you consider yourself an "expert" sent to check on
employees. As far as possible, take the position of an
independent/objective analyst and advisor. Avoid the image of policing.
- In the course of your assignments, you will be in contact with
personnel at all levels of authority and position. At all times, an
independence in mental attitude is to be maintained. Reports resulting
from your efforts should always contain full and unbiased disclosure of
all but minor audit findings. Although you report to the Internal Audit
department, you have responsibilities to both management and the personnel
being audited.
- Much of your work is confidential; therefore, be discreet on
and off the job in discussing current or past audits or your personal
assessments of audit customers. Judgment should be exercised in the
security of audit work papers, programs, records, and information at all
times.
- Never indiscreetly discuss any information you obtain during
audits.
- Avoid extremes of dress or personal grooming.
Audit Process
PLANNING - GENERAL, RATIONALE
The assessment of audit risk is an
integral part of our planning process. The audit planning process encompasses
all activities related to the development of the internal audit plan and
schedule and the determination of the audit scope and objectives, timing,
design of detailed procedures, and audit resource planning for the individual
auditable entities. The primary objective of the audit planning process is to
design our audit approach to ensure that audits are performed in the most
effective and efficient manner. In undertaking this process we attempted the
following:
- Define the potential audit universe at the University
- Define factors to be used in assessing risk
- Quantify the potential risk associated with each of the
defined audit areas
- Schedule audits and allocate Internal Audit resources
according to the priorities established and the current level and
expertise of staff auditors
PLANNING - RESEARCH, SCHEDULING, AND AUDITS
Internal Audit's scheduling process
begins with requests for audit services (requests, or suggestions, come from
several sources). One obvious source is our own Internal Audit staff. Our
in-depth knowledge of the University gives us a unique perspective on the types
of projects in which we can reduce the University's risk. Hence, some of our
projects originate in our own group or as a result of the annual audit of the
University as a whole, which is conducted by the State Board of
Accounts.
Several factors influence the selection
and scheduling of projects: the degree of risk or exposure to loss; type of
audit; current and planned work in other major audit projects requiring
substantial time commitments of Internal Audit staff; the availability of staff
in client units selected for review; and the availability of Internal Audit staff
with the appropriate skills.
An analysis will be performed annually
in order to quantify risk and schedule audits. This analysis will combine
factual information and Internal Audit administration's judgment in the
selection, ranking, and weighing of the various audit risk factors. It should
be emphasized that the final determination as to which areas should be included
in the audit plan cannot be based solely on the results of this audit risk
assessment. Rather, the performance of the assessment is a tool for use by
Internal Audit administration.
TYPES OF AUDITS
1. AUDIT
- Operational - Refers to a comprehensive examination of an operating unit or a complete
organization to evaluate its performance, as measured by management's
objectives. An operational audit focuses on the efficiency, effectiveness,
and economy of operations.
- Financial - Determine the accuracy and propriety of financial transactions.
- Compliance - The objective of these audits is to determine whether, and to what degree,
an organization conforms to certain specific requirements of policy,
procedures, standards, or laws and governmental regulations. The auditor
must know precisely what policies, procedures, standards, etc. are
required. Usually, compliance audits require little preliminary survey
work or review of internal controls, except to outline precisely what
requirements are being audited. The audit focuses almost exclusively upon
detailed testing of conditions.
- Asset Verification - An independent appraisal of University operations is provided through
the verification of accountability, physical safeguards, and valid use of
distributed University assets. This is often performed in conjunction with
an audit.
2. LOSS
- Loss/fraud investigations - conducted to determine existing
control weaknesses, assist University Risk Management in determining the
amount of the loss/fraud, and assist the unit by recommending corrective
measures to prevent subsequent recurrences. Investigation of allegations
may also be conducted.
3. INFORMATION SYSTEMS AUDIT
- The primary mission of the Information Systems audit function
of Internal Audit is to support the internal audit function in the
evaluation of the accuracy, effectiveness, and efficiency of the
University's electronic and information processing systems which are in
production or under development.
4. MISCELLANEOUS
- Consultant Services - Information, encouragement, and review will be provided on issues
concerning University policies, procedures, and internal controls. With
the addition of an information systems audit function, consultation
services are expanded to include:
- Assistance on evaluation of backup
procedures and contingency planning
- Assistance on whether a defined
architecture has proper controls
- Information on computer controls
- Assistance on implementation of internal
financial system
- Computer System Design and Enhancement - Internal Audit actively participates in
the development of new systems or enhancements to current systems to
promote the design of adequate internal controls prior to implementation
and reduce the need for corrective measures at a later date.
- Other Departmental Duties - Such as organizing the annual retreat, preparing the annual
Trustee's report, etc., as assigned by the Director.
5. DEPARTMENT ADMINISTRATIVE REVIEWS
- Pre-approved programs are used to audit accuracy and propriety
of expenditures and payroll transactions. Income will be audited if the
amount is material. These reviews may also include asset confirmations.
Internal controls for income may also be reviewed if dollar amount is
material.
6. FOLLOW-UP REVIEW
- Follow-up reviews are performed to apprise management of post-audit
actions and provide assurance that implemented changes adequately
resolved audit findings. These reviews also ensure that upper management
has been properly notified of the University exposure related to
unresolved audit findings.
7. CASH COUNT
- A cash count is performed to determine custodial fund
accountability which may include one or more of the following types of
funds: petty cash fund, change fund, or revolving fund. A pre-approved
cash count audit program is utilized for this type of audit.
Audit Assignment
All audits/tasks will be authorized by
the Audit administration using an audit assignment sheet. The objective of this
process is to assure that work is performed on only authorized activity. This
form will provide sufficient information on the audit/task scope, objectives,
and resource restrictions (allocated hours, expected completion date) so the
assigned auditor(s) will have a clear understanding of Audit administration's
expectations for their particular assignment.
DEFINITION OF TERMS ON THE ASSIGNMENT SHEET
- Task Number: A five-digit number used to identify the project
- Type: The type of project indicated on the assignment form:
- A=audit;
- L=loss;
- C=cash count;
- F=follow-up;
- M=miscellaneous;
- T=continuing education-no trackable hours;