Frequently Asked QuestionsClick the arrow for more information
What does the Office of Internal Audit do?
The Office of Internal Audit provides an independent and objective review to the University by examining activities for compliance with applicable policies, regulations, procedures, and laws. The office issues reports to communicate the effectiveness of accounting, financial, security, and other controls.
I've been notified of an upcoming audit. Now what?
Once an audit has been scheduled, the audited unit can prepare by organizing some information pertinent to their unit. Standard information that is requested includes:
- Current organization chart with staff names and positions
- Contact information for the key audit contacts
- Written procedures and other authoritative guidance
- Reports or other resulting documentation from prior reviews
- The results from the unit’s most recent risk assessment.
Will the auditor show up at my department unannounced?
The auditor will contact you during the planning stage of the audit in order to gather your input on risks that are relevant to the audit and schedule fieldwork. The exception to this would be surprise cash counts of petty cash or change funds.
How long do audits take?
The length of each audit will depend on the nature and scope of the review. Small audits might be completed within a month, while more complex reviews can last several months. The auditor will communicate the expected timeline with you during the entrance meeting and periodically throughout the audit and reporting process.
Is the auditor looking for fraud when performing audits?
Internal Auditors have a professional responsibility per Standard 1220 of the International Standards for the Professional Practice of Internal Auditing “to exercise due professional care in performing audit work to the degree that fraud may be present in activities covered in the normal course of audit work.” Internal Audit will watch for potential fraud risks during the course of the audit activities. However, it is management’s responsibility to identify areas of risk and potential fraud opportunities and take proper action.
Will the auditor discuss findings with me before reporting them?
The auditor will hold an exit meeting with the audited unit to discuss issues found during the audit. The auditor will seek the audited unit’s agreement or disagreement with each recommendation and is willing to work with the audited unit on revisions to the recommendations if they are compatible in mitigating the identified risk. The draft report is then issued to the audited unit for their response within 10 days. The response will be included in the final report and should contain a corrective action plan and a time estimate for completion of the action plan for each finding.
Who receives a copy of the final audit report?
The final audit report is distributed to the area audited, the area's Vice President, the Vice President for Finance and Administrative Services, the President, and the Board of Regents Audit and Compliance Committee.
What is the audited unit’s responsibility once the audit report is issued?
The audited united is responsible for implementing the action plans as stated in their formal response to the audit. They are also responsible for cooperating with the auditor during follow-up activities.
Why have I been I contacted for a follow-up audit?
Internal Audit has an obligation to University management and the Board of Regents to report progress on implementation of recommendations. The follow-up is scheduled shortly after the implementation deadline for each action plan provided by management in the formal response to the audit. On occasion, the auditor will need to wait for a longer duration of time to pass so that there is sufficient data or transactions to test.
There are two objectives for a follow-up audit:
- Verify that the action plan was implemented as stated in the formal response.
- Verify that the action plan is operating as intended and is mitigating the identified risk.
How do you select what to audit?
Each year, Internal Audit begins the process by performing an enterprise-wide risk assessment. This assessment includes gathering input from a variety of sources including senior management, prior internal audit results, and emerging industry risks. Internal Audit strives to direct audit resources to the areas and processes determined to be high risk. The goal is to evaluate and recommend improvements to assist senior administration with managing the risk within these areas and processes.
Audits are scheduled according to the annual plan which is reviewed by the President and approved by the Audit and Compliance Committee of the Board of Regents.
The Board of Regents, the President, and senior management can also recommend areas to be reviewed if a need arises throughout the year.
What kinds of audits do you do?
Internal Audit performs a variety of services. Here are the most common:
- Departmental Audits – The auditor examines a broad range of risks and determines how they are being managed.
- Financial Audits – The auditor verifies that there are sufficient controls over cash and the use of resources.
- Compliance Audits – The auditor tests documents for adherence to laws, regulations, policies, and procedures.
- Investigations – The auditor attempts to learn the validity of allegations received.
- Consulting Engagements – The auditor provides advice on a specific problem that management has asked for assistance in solving.
What if I suspect fraud, waste, or abuse, or need to report an allegation of such?
If you suspect fraud, waste, abuse, or unethical activities, you can report the information to any of the following:
- Your direct supervisor
- Anyone in your chain of command
- Murray State Police Department
- Office of General Counsel
- Human Resources
- Office of Internal Audit
Instructions for filing a whistleblower claim are found here.
What about confidentiality?
The Internal Auditor has access to all records and assets of the University and understands that there is an obligation to maintain the confidentiality of that information.
Why do we need effective internal controls?
Good internal controls safeguard or make more efficient and effective use of University assets. They are a good business practice to assist you in achieving your departmental goals and objectives and the University’s mission. Good internal controls are cost effective, timely, and flexible. They are best placed where they are most effective and identify both the problem and the cause. If you do not have a preventive control, evaluate the process to determine if you have a mitigating control such as an after-the-fact review or other detective control that is performed on a regular basis. See the Internal Controls tab on the left for more information.
Who is responsible for internal controls?
Senior management is responsible for developing a system of internal controls that all employees should follow. Internal Audit is responsible for assessing and reporting on the effectiveness of the controls implemented by senior management. See the Internal Controls tab on the left for more information.
Why should I be concerned about risk and internal controls?
Each employee has an important role in risk identification and management of risk. This is a critical concept because risks can either help to achieve or reduce the ability to achieve the University’s goals and objectives. Therefore, all employees should be concerned about maintaining good internal controls because they reduce and mitigate negative risks to an acceptable level.
What are business risks?
Negative business risks are those circumstances, events, or activities that can adversely affect the achievement of the University’s objectives. Some examples include:
- Misappropriation or unauthorized use of funds or assets
- Receipt of substandard or excess supplies
- Purchases made from suppliers related to buyers
- System-wide IT disruptions
- Negative publicity from confidentiality breaches
Positive business risks are similar, but they have a favorable effect on the achievement of the University’s objectives. Some examples include:
- A higher increase in student enrollment than expected
- Receipt of a grant that requires a change to administrative infrastructure
- Implementation of a new software system
How do I ensure that duties are properly segregated for a small department?
It can often be difficult for small departments to properly segregate specific functions that they perform. For example, if a department has one employee to perform cash receiving and accounts receivable process, it can be a challenge to endure that proper controls exist over these procedures. In situations such as these, management oversight becomes even more important.
Managerial oversight is a strong control in any system. However, in small departments, management will be required to provide more intense, direct oversight than in the larger, well-segregated departments. Management should review all payroll records, receipts, and thoroughly review monthly financial reports and reconciliations. It is also recommended that management indicate their review with a dated signature. See the Internal Controls tab on the left for more information.
Are there any other auditors that I might encounter at the University?
Yes. The University engages an external auditor, currently RubinBrown, LLP, to perform the annual financial statement audit and the federally mandated A-133 audit. On occasion, auditors from federal or state agencies may be on campus reviewing sponsored programs or research activities.
Any auditor working on campus should be able to appropriately identify themselves. If in doubt of an auditor, do not provide any documentation, records, or access to assets until the individual provides proper identification. No auditor should be offended by such a request.
Does anyone audit the auditor?
The President evaluates the performance of Internal Audit. Additionally, the Audit and Compliance Committee of the Board of Regents receives reports on the progress and results of the audit plan. Every five years, the Office of Internal Audit completes a self-assessment that is followed by an external validation, similar to a peer review, where the office is reviewed against the standards promulgated by the Institute of Internal Auditors International Professional Practices Framework (IIA IPPF). These results are reported to the Audit and Compliance Committee. This is commonly referred to as a Quality Assurance Review and is a major component of the Quality Assurance and Improvement Plan.