Internal Audit: Partnering with Management - PACFAM Meeting - PowerPoint PPT Presentation



slide-1
SLIDE 1

Internal Audit

“Partnering with Management”

PACFAM Meeting

November 15, 2012

Updated February 2015

slide-2
SLIDE 2

Internal Audit Charter

  • Included in the University of Oklahoma Board of Regents’ Policy Manual.
  • Required by State Law
  • Internal Audit is authorized by the Board of Regents and the President to have full, free, and unrestricted access to all university functions, records, property and personnel.

slide-3
SLIDE 3

What is Internal Auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Source: The Institute of Internal Auditors

slide-4
SLIDE 4

What do we do?

Internal Audit Assesses:

  • Adequacy of policy, procedures and internal controls.
  • Compliance with laws, rules, regulations and organizational guidelines.
  • Organizational efficiency.
  • Accuracy and reliability of accounting records.
slide-5
SLIDE 5
Internal Audit Responsibility

  • OU Norman Campus
  • OU Health Sciences Center Campus
  • OU Tulsa Campus
  • Cameron University (Lawton)
  • Rogers State University (Claremore)
  • Any off-site location or function of the above entities

slide-6
SLIDE 6

OU INTERNAL AUDIT

Organizational Chart - 2015

University of Oklahoma Board of Regents

David L. Boren, OU President

Clive Mander, FCA

Student Interns Chandriga Suppiah Amanda Dicken Robin Irvin, CIA Audit Manager Audit Manager Jeremy Lynch Catherine McDaniel Chief Audit Executive

Suzie Brewer OU HSC OU Norman Quality Assurance IT - all campuses OU Tulsa Rogers State University Improvement Program OU Norman Cameron University Administrative Asst. Special Investigations and Carolyn Clink, CIA CFE Audit Director Cindy Hall IT Audit Director Tim Marley, CPA CISA Senior Auditor Robert Green Auditor Ke'Yonna Wynn Auditor Kale Thaxton Auditor Bennett Pickar Auditor Samuel Perez Sarah Petrocchi Erin Carroll Kayli Warmker Jackson Stone Hannah LeConte Auditor Senior Auditor Alexandra Gerea David Skrdla, CISA IT Audit Manager Auditor IT Auditor Andy Thung, CISA IT Auditor Sandra Ashford Audit Manager
slide-7
SLIDE 7

Code of Ethics

The Principles/Rules of Conduct We Adhere to:

  • Integrity
  • Objectivity
  • Confidentiality
  • Competency

Source: The Institute of Internal Auditors

slide-8
SLIDE 8

Institute of Internal Auditors Standard

IIA Standard 1220.A1 states, “Internal auditors must exercise due professional care by considering the:

  • Extent of work needed to achieve the engagement's objectives;
  • Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
  • Adequacy and effectiveness of governance, risk management, and control processes;
  • Probability of significant errors, fraud, or noncompliance; and
  • Cost of assurance in relation to potential benefits.”
slide-9
SLIDE 9

The Audit Selection Process

Risk Analysis vs. Rotational Schedule

The Institute of Internal Auditors requires risk analysis rather than a rotational schedule for annual audit plans.

  • The Internal Audit Department lists all auditable entities and functions and compiles them into an ‘audit universe.’
  • A risk analysis is used to determine which audits to perform on an annual basis.

slide-10
SLIDE 10
Risk Analysis Criteria

  • Prior audit findings
  • Perceived sensitivity
  • Control environment
  • Confidence in operating management
  • Changes in people or systems
  • Complexity
  • Time since last audit

slide-11
SLIDE 11

Types of Audits Performed

College and Departments, Clinics, Functional Units, Athletics, Information Technology/Systems, Special Reviews, Special Investigations, Centers and Institutes, Sponsored Programs

Financial, Operational, Compliance

slide-12
SLIDE 12

Audit Process, Step-by-Step

1. Engagement letter
2. Preliminary request for information
3. Risk analysis and audit program development
4. Entrance conference

Planning, Fieldwork, Reporting, Post Audit Review

1. Exit conference
2. Draft audit report
3. Final audit report, with management responses and scheduled completion dates

slide-13
SLIDE 13

Internal Audit Help Line

As part of our service to the University, we encourage any employee to contact us with questions relating to internal controls or to discuss any issue relating to risks and exposures in their area of responsibility.

Call (405) 325-3411 (Ask for an Audit Manager)

or

Email us at: InternalAudit@ou.edu

slide-14
SLIDE 14

Further Information

  • Visit our website at www.ou.edu/audit
  • Main Office, Norman Campus: 1816 West Lindsey Street. Phone number: 405-325-3411
  • Satellite Office, OUHSC Campus: Service Center Building, Room 239. Phone number: 405-271-2532

slide-15
SLIDE 15

Disbursements:

University Accounts:

  • Personal reimbursements and travel claims not approved by someone of institutional authority
  • Not aware of change in mobile phone/device policy

Foundation:

  • Personal reimbursements and travel claims not approved by someone of institutional authority
  • Retention of departmental records to support Foundation activity

slide-16
SLIDE 16

DISBURSEMENTS

  • Does the account sponsor approve your disbursements and travel claims? Does an individual with greater institutional authority approve the department head’s travel?
  • Are disbursements business-related and in compliance with University policy?
  • Are invoices paid within 45 days as required by state legislation?
  • Are purchases over $5,000 processed through a PO? Do you process all contractual products or services through the Purchasing Department? If not, do you have an authority to contract?
  • Are accounting duties of ordering, receiving, and reconciling properly segregated to ensure that no one individual controls the process from beginning to end?

Resources:

  • State Travel Reimbursement Act (STRA), 74 O.S., Section 500.1, et seq.
  • University Travel Procedures: http://www.ou.edu/controller/fss/procedures/travel.html
  • OU Purchasing Department: http://www.ou.edu/purchasing/policies/index.html
  • OU Regents’ Policy Manual: http://www.ou.edu/regents/official_agenda/2004PolicyManual.pdf

slide-17
SLIDE 17

Pcard:

  • Allowing Pcard to be used by someone other than the card holder, including access to the Pcard number for online purchases
  • Purchasing items not permissible per the Pcard Policy
  • Approval by account sponsor not evident
slide-18
SLIDE 18

PCARD

  • Did Pcard holders and Pcard administrators attend training?
  • Is use of the Pcard limited to the card holder?
  • Are students, including graduate students, prohibited from using the Pcard?
  • Do you retain your Pcard receipts?
  • Does the account sponsor review the purchase receipts when approving the transactions?

Resources:

  • Pcard Policy: http://www.ou.edu/purchasing/home/pcard/pcard_policy.htm
  • General Records Disposition Schedule for State Universities and Colleges: http://www.odl.state.ok.us/oar/docs/ucgrds-schedule.pdf

slide-19
SLIDE 19

Payroll:

Hourly Employees:

  • Overtime hours incorrectly moved to other pay periods
  • Timesheets not approved by employee and/or supervisor
  • Payroll documentation not available (missing Time Sheets)

Monthly Employees:

  • Leave certifications not approved by employee and/or supervisor
  • Leave certifications not available
slide-20
SLIDE 20

PAYROLL

  • Hourly: Do employees sign their timecards/time sheets? Do their supervisors sign the timecards/time sheets?
  • Monthly: Do monthly personnel track their paid leave? Does the employee sign documentation stating the amount of paid leave taken on a monthly basis? Do their supervisors approve and sign the documentation?
  • Supplemental Pay: Does the department maintain supplemental pay records? Does the account sponsor approve the supplemental pay?
  • Are HR PeopleSoft account passwords kept confidential?
  • Is all access to computer systems cancelled for employees that transfer from your department or for employees that no longer work for the University?

Resources:

  • Human Resources Guide to Services: http://hr.ou.edu/payandrecords/

slide-21
SLIDE 21

Supplemental Pay:

  • Insufficient support for supplemental pay
  • Approval by appropriate supervisor with institutional authority not evident

slide-22
SLIDE 22

Supplemental Pay:

  • Does the department maintain supplemental pay records?
  • Does the account sponsor approve the supplemental pay?
  • Approval by appropriate supervisor with institutional authority?

Resources:

  • Human Resources Guide to Services: http://hr.ou.edu/payandrecords/

slide-23
SLIDE 23

Records Retention/Proper Documentation:

  • Records have not been retained in compliance with the General Records Disposition Schedules for State Universities and Colleges
  • Documentation is not available for review during the audit

slide-24
SLIDE 24

RECORDS RETENTION

  • Are you retaining all records in compliance with the University Records Retention Policy?
  • Do you receive proper authorization from the Records Retention Coordinator prior to disposing of records?

Resources:

  • General Records Disposition Schedule for State Universities and Colleges: http://www.odl.state.ok.us/oar/docs/ucgrds-schedule.pdf
  • Records Retention Quick Reference: http://www.ou.edu/content/dam/AdminFinance/documents/Quick_Reference_to_Common_University_Records_December_2010.pdf
  • Records Retention Policy for University of Oklahoma, Norman Campus: http://www.ou.edu/content/dam/AdminFinance/documents/Records_Retention_Policy_intro_Dec_2010.pdf

slide-25
SLIDE 25

07/06/12 e-mail from Byron Burr Millsap, CPA MBA, Associate Vice President, Administration & Finance (Purchasing):

“…Here is the actual guidance from the document, “Financial Statement Reconciliation Training Materials,” which can be found at http://www.ou.edu/controller/fss/psnews.htm :

– Statements should be reconciled on a monthly basis. Reconciliation involves the review of the individual transactions appearing on the statement to determine that all transactions are valid and appropriate.

– Identified discrepancies between the departmental information and the information shown on reports should be resolved. Resolution involves contacting the originating department regarding needed corrections, as well as following up to ensure that corrections are completed.

– The statement reconciliation must be formalized with the signature of the preparer and the reviewer, with the corresponding dates.

The type and manner of evidence used to prove compliance with the policy is determined by the department. The evidence may be in hard-copy form, in image form, or in any form that adequately demonstrates this proof.

Terri Pinkston and Burr Millsap of the implementation team met with Internal Audit on June 29. Clive Mander, Director of Internal Audit, confirmed that it is not Internal Audit’s charge or place to make policy but rather to audit against it. Accordingly, when performing its work, Internal Audit seeks to understand the departmental process and observe the related evidence in whatever form it may be to satisfy itself that the department is complying with policy.”

slide-26
SLIDE 26

Data Security/Other:

Credit Card Data - PCI Compliance Social Security Numbers Student Information – FERPA EIT Multimedia Accessibility Policy House Bill 1086 Independent Contractors

slide-27
SLIDE 27

Contracts:

  • Authority to Sign Contractual Documents granted by the President of the University not evident at time binding agreement fully executed
  • Documents include, but are not limited to:
      • Purchase orders, Grants, Contracts, Sub-contracts,
      • Licenses, Leases, Funding documents, Applications,
      • Extensions and renewals,
      • Letters and/or memoranda of understanding,
      • Sales orders, Assurances, Work orders, and the like
  • Contracts not fully executed
slide-28
SLIDE 28

Contracts:

  • Have the agreements been fully executed by someone of proper authority?
  • Has the department established a system to ensure compliance with the terms of the agreement?
  • For revenue agreements, does the department receive proper documentation to monitor compliance with the terms of the agreement?

Resources:

  • Regents Policy, 4.10 - Authority to Sign Contractual Documents: http://www.ou.edu/regents/official_agenda/CurrentPolicyManual.pdf

slide-29
SLIDE 29

Cash Receipts:

  • Cash handling not properly segregated
  • Cash receipts not logged as received
  • Checks not endorsed immediately upon receipt
  • Custody of funds not documented
  • Cash receipts not secure prior to deposit
  • Spending funds prior to deposit
  • Cash receipt documentation not available

slide-30
SLIDE 30

Cash Receipts:

  • Are the duties of receiving and depositing segregated from account reconciliations?
  • Are cash receipts logged when received?
  • Are checks endorsed upon receipt?
  • Who has custody of or access to the cash?
  • Are cash/checks deposited timely and intact?
  • Is reconciliation performed to the original documentation?

Resources:

  • University Policy for Deposits and Cash Handling (Bursar): https://www.ou.edu/content/bursar/services/departments/university_policies.html
  • Oklahoma State Statute, Title 62, O.S. Supp. 986, 7.1 & 7.2: http://www.ou.edu/content/bursar/services/departments/statuatory_reference.html

slide-31
SLIDE 31

Change Funds:

  • Surprise counts not performed
  • Surprise counts performed but not documented
  • Discrepancies not reported to supervisory personnel

slide-32
SLIDE 32

Change Funds:

  • Are change funds kept secure with limited access?
  • Are change funds reconciled to sales and deposits?
  • Are discrepancies documented and reported to supervisory personnel?
  • Are monthly unannounced surprise counts performed by a supervisor?

Resources:

  • University Policy for Change Funds (Financial Services): http://www.ou.edu/controller/fss/policies/cash.pdf

slide-33
SLIDE 33

Accounts Receivable:

  • Proper segregation of duties between deposit processing, accounts receivable processing and record maintenance has not been established
  • Aged accounts receivable not generated and monitored
  • Procedures not in place for follow-up and collection of delinquent accounts
  • Account adjustments not properly authorized and approved

slide-34
SLIDE 34

Accounts Receivable:

  • Who maintains accounts receivable records? Are they involved in any cash receipts functions?
  • Who is responsible for reconciling the accounts receivable?
  • Are aged accounts reviewed periodically? If so, who reviews them and how often are they reviewed?
  • Are there adequate procedures for follow-up and collection of delinquent accounts?
  • Are account adjustments properly authorized and approved?

Resources:

  • University Policy, Responsibilities of an Account Sponsor, Separation of Duties (Financial Services): http://www.ou.edu/controller/fss/policies/depts.pdf

slide-35
SLIDE 35

Account Reconciliations:

  • Not performed on all accounts
  • Not performed on a monthly basis
  • Account reconciliation not documented
  • Reconciliation approval not documented

slide-36
SLIDE 36

Account Reconciliations:

  • Who is responsible for reconciling the statement of account? Is there a proper segregation of duties between disbursements and/or cash handling and account reconciliations?
  • Does the preparer sign and date the reconciliation?
  • Are reconciliations performed in a timely, consistent and complete manner?
  • Does the account sponsor review, sign and date the monthly reconciliation?

Resources:

  • University Policy, Responsibilities of an Account Sponsor, Account Reconciliation (Financial Services): http://www.ou.edu/controller/fss/policies/depts.pdf
  • Financial Statement Reconciliation Training Materials (FS): http://www.ou.edu/controller/fss/psnews.htm

slide-37
SLIDE 37

Thank you

Q & A