INTERNAL AUDIT MANUAL

INTRODUCTION

The purpose of this manual is to outline the authority and scope of the internal audit function within the Mahatma Gandhi Institute (MGI) and to provide standards and guidelines and procedures for the Internal Audit Department. These guidelines aim to provide for consistency, stability, continuity, standards of acceptable performance, and a means of effectively coordinating the efforts of the staff members comprising the Internal Audit Department. The overall objective of the internal audit activity is to provide all levels of MGI management and the MGI & RTI Council (Council) with an independent assessment of the quality of the Institute’s internal controls and administrative processes, and provide recommendations and suggestions for continuous improvement.

The objectives of this manual are to document office standards, guidelines, and procedures to assist members of the Office of Institute Audits in:

Providing all levels of Institute management and the Council of Trustees with an independent assessment of the quality of the Institute’s internal control, risk assessment, and governance processes, including recommendations and suggestions for continuous improvement.

The auditor's judgment will be required in applying these objectives to specific audit assignments. This manual provides guidance, but it should not inhibit imagination, practicality, and innovative auditing. Suggestions for changes to these guidelines and procedures should be proposed to audit management. Suggestions will be evaluated and adopted based on their applicability to the audit environment on all campuses. ]

INTERNAL AUDIT – AUDIT MANUALTABLE OF CONTENTS

Description Page No.Purpose, Authority and ResponsibilityPurpose 5Internal Audit Charter 6Organizational Chart 9Audit Committee Charter 10

Independence and Objectivity Organizational Independence 17Management Control Policy 19Objectivity 20Example Conflict of Interest Certification 21

Proficiency and Due Professional CareProficiency 22Fraud 22Council Policy on Illegal Acts 24Revised Statute 24:523 25Director of Internal Audit, Job Description 26Internal Staff Auditor, Job Description 29Due Professional Care 30Continuing Professional Education 30Certification 31

Quality Assurance and Improvement ProgramQuality Program Assessments 32Internal Assessments 32External Assessments 33Reporting 33Example Auditee Survey 34

Managing the Internal Audit ActivityAudit Plan 35Communication and Approval 35

Resource Management 36Example Annual Audit Plan 37Policies and Procedures 40Coordination 40Reporting to Management 40

Nature of WorkNature of Work 41Risk Management 42Internal Control 43Governance 43Legal Considerations 44Information Security 44Environmental Risks 45Privacy Risks 45Risk Management Processes 45Business Continuity 45Scope of Work 45Reliability and Integrity of Information 46Compliance With Laws and Regulations 46Safeguarding of Assets 47Economical Use of Resources 47Accomplishment of Objectives 48

Engagement PlanningPlanning the Engagement 49Objectives and Scope of Work 49Entrance Conference 49Preliminary Survey 50Staffing 51Engagement Work Program 51Personal Information 51

Performing the EngagementExamining and Evaluating Information 52Working Papers (Audit Evidence) 52

Permanent Files 53Indexing and Referencing 54

Engagement Supervision 55Communicating ResultsCommunicating Engagement Results 56Fact Finding Form 57Example Fact Finding Form 58Description of Reportable Conditions 59Monitoring ProgressMonitoring Progress 60Resolution of Management’s Acceptance of Risks

61

Purpose

The internal audit activity was established in accordance with an Act of the Louisiana Legislature which requires any State agency with an appropriation level of thirty million dollars or more to have an internal auditor. The purpose, authority, and responsibility of the internal auditing function are defined in formal written charters. The Institute’s charter was approved by the Institute President and the Council chairman. The system charter was approved by the Council. The charters (1) establish internal audit’s position within the system and Institute; (2) authorize access to records, personnel, and physical properties relevant to the performance of audits; and (3) define the scope of internal auditing activities. As provided in the audit charters, the Internal Audit Department has full, free, and unrestricted access to all activities, records, property, and personnel of the Institute.

MAHATMA GANDHI INSTITUTE

INTERNAL AUDIT CHARTER

Contents

1 INTRODUCTION

2 MISSION STATEMENTS

3 AUTHORITY

4 RESPONSIBILITY

5 ACCOUNTABILITY

6 INDEPENDENCE

7 CONTINUITY AND IMPARTIALITY

1 INTRODUCTION

This charter primarily aims to define and establish:

a) The formal mission statement of the Internal Audit Department of the Mahatma Gandhi Institute (MGI);

b) The objectives and scope of Internal Audit Department;

c) The Internal audit Department’s position within the MGI, its access to various records, department and activities; and

d) Its responsibility and accountability.

2 MISSION STATEMENT

a) To provide an independent appraisal of all the activities of MGI aiming to add value, improve operational efficiency, risk management and

internal control systems;

b) The prime objective of Internal Audit Department is to examine and evaluate whether the MGI’s frame work of risk management, control, and governance processes, is adequate and functioning properly;

c) In addition, the objectives of Internal Audit Department include advising and recommending senior management for improvements in internal control and risk management systems;

d) In order to fulfill its mission statement and objectives, the Internal Audit Department’s scope of work includes:

i. The examination and evaluation of the adequacy and effectiveness of the internal control systems at various operations and activities of

MGI;ii. The review of the application and effectiveness of risk management

procedures and risk assessment methodologies at various operations and activities of MGI;

iii. The review of the management and financial information systems, including the electronic information system;

iv. The review of the accuracy and reliability of MGI accounting records and financial reports;

v. The testing of both transactions and functioning of specific internal control procedures at various MGI departments and offices;

vi. The evaluation of adherence to legal and regulatory requirements and approved policies and procedures;

vii. The evaluation of the effectiveness of existing policies and procedures and give recommendations for improvements;

viii. Identifying opportunities for cost savings and making recommendations for improving cost efficiencies;

ix. Examining that resources are acquired economically, used efficiently and safeguarded adequately;

x. The carrying-out of special investigations assigned by the Audit Committee and Director of the MGI;

xi. Precisely, every activity, department and office of MGI falls within the scope of the Internal audit Department for independent appraisal; and

xii. The Internal Auditor and staff of Internal Audit Department are, however, not allowed to:a) Perform any operational duties for MGI outside Internal audit Department

function;b) Initiate or approve accounting transactions external to the Internal Audit

Department; andc) Direct the activities of any MGI employee except to the extent such

employees have been appropriately assigned to auditing teams or to otherwise assist the Internal Audit Department.

3 AUTHORITY

The Internal Auditor and staff of the Internal Audit Department are authorized to:

a) Have unrestricted access to all MGI departments, offices, activities, records, information, properties and personnel, relevant to the performance of audit function;

b) Determine the scope of work and apply the techniques required to accomplish audit objectives;

c) Obtain the necessary assistance of personnel in various departments / offices of the MGI where they perform audits; and

d) Obtain assistance of specialists/ professionals where considered necessary from within or outside MGI.

4 RESPONSIBILITY

The Internal Auditor and staff of Internal Audit Department have responsibility to:

a) Formulate an annual audit plan in consultation with the Audit Committee and Management;

b) Implement the annual audit plan, including as appropriate any special tasks or projects requested by the Audit Committee and Director of the MGI;

c) Maintain a professional audit staff strength with sufficient knowledge, skills, experience, and professional qualifications to meet the requirements of this Charter;

d) Issue periodic reports on a timely basis to the Audit Committee and Director of the MGI summarizing results of audit activities;

e) Keep the Audit Committee informed of emerging trends and developments in internal auditing practices and give recommendations for necessary revisions in the Internal Audit Charter. Provide a list of significant measurement goals and results to the audit committee;

f) Assist in the investigation of significant suspected fraudulent activities and notify the Audit Committee and Director of the MGI of the results;

g) Ensure that the department complies with sound internal auditing principles and best practices; seek guidance from the standards issued by the Institute of Internal Auditors;

h) The Internal Auditor and staff of audit department have responsibility to:i. Follow the guidelines and methodology given by the Institute of Internal

Auditors;ii. Exercise due professional care in carrying out audit assignments;

iii. Maintain integrity and objectivity; andiv. The internal audit process, however, does not relieve departmental heads

and head of sections of their responsibility for the maintenance and improvement of controls in their respective areas.

5 ACCOUNTABILITY

The Internal Auditor in the discharge of his duties shall be accountable to the Audit Committee to:

a) Submit an assessment on the adequacy and effectiveness of the MGI’s processes for controlling its activities and managing its risks in all the areas of MGI operations on an annual basis;

b) Report significant issues related to the processes for controlling the activities of MGI, together with recommendations for improvements to those processes;

c) Provide information on the status and results of the annual audit plan on a quarterly basis;

d) Coordinate with external auditors and provide oversight of other control and monitoring functions e.g. security and legal etc.

e) The performance of the Internal Audit Department will be evaluated by the Audit Committee.

6 INDEPENDENCE

a) To maintain the independence of Internal Audit Department from other MGI departments and offices, its personnel shall report to the Internal Auditor who shall report administratively to Director of the MGI and functionally to the Audit Committee;

b) The Internal Audit Department shall be independent of the activities audited. The department must also be independent from the everyday internal control process;

c) The Internal Audit Department shall exercise its assignment on its own initiative in all departments, offices and functions of the MGI; and

d) The Internal Auditor shall be authorised to communicate directly, and on his own initiative, to the Council and the members of audit committee.

7 CONTINUITY AND IMPARTIALITY

a) The Internal Audit Department within MGI shall be a permanent function;

b) The Internal Audit Department shall be objective and impartial in performing its assignment;

c) Objectivity and impartiality entails that the Internal Audit Department itself seeks to avoid any conflict of interest.

d) Impartiality requires that the Internal Audit Department is not involved in the operations of MGI or in selecting or implementing internal control measures. However, the Internal Audit Department may give recommendations for strengthening internal controls and can also give opinions on specific matters related to internal control procedures as per the request of senior management.

ORGANIZATIONAL CHART

AUDIT COMMITTEE CHARTER

PURPOSEThe Audit Committee will serve to ensure:

the activities of the internal audit function complies with the Internal Audit Charter and the Institute of Internal Auditors’ Standards for Professional Practice of Internal Auditing;

audit coverage for the Mahatma Gandhi Institute adequately encompasses all aspects of the Institute’s operations and that coverage is not inhibited or limited by any individual or group;

audit activities are responsive to executive management’s needs and objectives; executive management is aware of internal audit activities, results of audits, and progress

toward implementation of audit recommendations.

RESPONSIBILITYResponsibilities of the Audit Committee include:

ensuring that internal audit goals and objectives, staffing plans, financial budgets, and audit activities provide adequate support of goals and objectives;

assessing the performance of the internal audit function; ensuring that the audit planning process, including the risk assessment methodology,

considers appropriate aspects of the System’s operations and executive management’s concerns;

approving the annual audit plan; ensuring that internal audit is given the opportunity to attend technical or professional

development training to assist in keeping up to date with financial, management, internal control, and other relevant issues;

reviewing the results of significant audit activities, audit reports, and auditee responses; monitoring the adequacy and timeliness of corrective actions taken in response to audit

activities; monitoring audits performed by external auditors (e.g. Legislative Auditor, Federal

auditors, etc.); providing reasonable assurance that the universities’ business goals and objectives are

being achieved in an efficient and economical manner, within an appropriate framework of internal control and risk management;

reviewing internal audit peer reviews and determining whether the function complies with Standards for the Professional Practice of Internal Auditing;

reviewing and revising the System’s Internal Audit Charter as needed; monitoring adherence to ethical standards within the Institute system related to

compliance with laws and regulations, ethics, conflicts of interest, and investigation of misconduct and fraud;

notifying executive management immediately and reviewing actions taken in the respective universities relative to significant frauds, violations of laws or regulations, and other significant issues raised by Institute, State, Federal, or other agency auditors;

appointing the System Director of Internal Audit based on recommendation from the System President.

MEMBERSHIP

The Audit Committee will be composed of three members. One member of the Committee will be appointed as Chair. As a guide, it is desirable that members of the Committee shall possess:

acumen in business functions and management skills, understanding of best practice internal control and risk management, knowledge of information systems and emerging technology, competency in financial and operational reporting.

Members of the Audit Committee will, at all times in the discharge of their duties and responsibilities, exercise honesty, objectivity, and probity and not engage knowingly in acts or activities that have the potential to bring discredit to the System. Members also must refrain from entering into any activity that may prejudice their ability to carry out their duties and responsibilities objectively and must at all times act in a proper and prudent manner in the use of information acquired in the course of their duties. Members must not use System information for any personal gain for themselves or their immediate families or in any manner that would be contrary to law or detrimental to the welfare and goodwill of the System.

MEETINGSThe Audit Committee will meet as it deems necessary. Committee meetings should be scheduled in advance, members notified, and agenda topics assembled. The Internal Auditor will coordinate this activity. Prior to the meeting, the Internal Auditor will provide the Committee members with information relating to the status of audit activities. Such information should include, but not be limited to, audit reports, audit follow-up and the implementation of recommendations, management services, external audits, and other relevant information. In addition, annual audit plans and other appropriate information essential for the Committee to fulfill its responsibilities, will be provided and reviewed as necessary.

A majority of members must be present to provide a quorum. Minutes shall be recorded and maintain

Standards of Audit Practice The internal auditing staff shall govern themselves by adherence to the Institute of Internal Auditors’ “Code of Ethics.”  Assurance and consulting services shall be conducted in accordance with the Institute’s “Standards for the Professional Practice of Internal Auditing” using such audit programs, techniques, and procedures as are considered necessary under the circumstances. Although not mandatory, internal auditing staff may obtain guidance in particular engagement situations from the Institute of Internal Auditors' “Practice Advisories”, the Information Systems Audit and Control Association’s “Standards for Information Systems Auditing”, the American Institute of Certified Public Accountants “Statements on Auditing Standards”, and the United States General Accounting Office’s “Government Auditing Standards”.

MGI Management Control Policy

1. Management is charged with the responsibility for establishing a network of processes with the objective of controlling the operations of the Institute in a manner which provides the Council with reasonable assurance that:

Data and information published either internally or externally is accurate, reliable, and timely.

The actions of directors, officers, and employees are in compliance with the Institute’s policies, standards, plans and procedures, and all relevant laws and regulations.

The Institute’s resources are adequately protected. Resources are acquired economically and employed profitably and quality business

processes and continuous improvement are emphasized. The Institute’s plans, programs, goals, and objectives are achieved.

Controlling is a function of management and is an integral part of the overall process of managing operations. As such, it is the responsibility of managers at all levels of the Institute to:

Identify and evaluate the exposures to loss which relate to their particular sphere of operations.

Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.

Establish practical controlling processes that require and encourage employees to carry out their duties and responsibilities in a manner that achieves the five control objectives outlined in the preceding paragraph.

Maintain the effectiveness of the controlling processes they have established and foster continuous improvement to these processes.

2. The internal audit activity is charged with the responsibility for ascertaining that the ongoing processes for controlling operations throughout the Institute are adequately designed and are functioning in an effective manner. Internal auditing is also responsible for reporting to

management and the audit committee on the adequacy and effectiveness of the Institute’s systems of internal control, together with ideas, counsel, and recommendations to improve the systems.

3. The audit committee is responsible for monitoring, overseeing, and evaluating the duties and responsibilities of management, the internal audit activity, and the external auditors as those duties and responsibilities relate to the Institute’s processes for controlling its operations.

4. The audit committee is also responsible for determining that all major issues reported by the internal audit activity, the external auditor, and other outside advisors have been satisfactorily resolved. Finally, the audit committee is responsible for reporting to the full Council all important matters pertaining to the Institute’s controlling processes.

Objectivity

Internal Audit employees are assigned to engagements so that potential and actual conflicts of interest and bias are avoided. Members of the internal audit department are required to be objective and maintain an independent mental attitude in performing assignments. They must have an impartial, unbiased attitude and avoid conflicts of interest.

Internal audit personnel complete a conflict of interest statement concerning potential conflicts of interest. Internal audit staffs have been instructed to report to the Director General any situations in which a conflict of interest or bias is present or may reasonably be inferred. If independence or objectivity is impaired in fact or appearance, the details of the impairment will be disclosed to appropriate parties. When any such situations are reported, the director will then reassign the auditor. Independence is addressed in the audit planning memoranda of individual audits to remind internal audit staff of the importance of maintaining an independent mental attitude when conducting audits.

Members of the Internal Audit Department are required to refrain from assessing specific operations for which they were previously responsible. Providing assurance services for an activity for which the internal auditor had responsibility within the previous year is not allowed. Assurance engagements for functions over which the chief audit executive has responsibility will be overseen by a party outside the internal audit activity. However, internal audit personnel may provide consulting services relating to operations for which they had previous responsibilities. If internal audit personnel have potential impairments relating to proposed consulting services, disclosure will be made to appropriate personnel prior to acceptance of the project.

As detailed in the audit charters, internal auditors do not assume operating responsibilities. In performing their work, the internal audit staff members have no direct authority over, nor responsibility for, any of the activities reviewed. Internal auditors will not develop and install

procedures, prepare or approve records, make management decisions, or engage in any other activity, which could be construed to compromise their independence.

Therefore, internal audit reviews and appraisals do not in any way substitute for nor relieve other persons in the institute of the responsibilities assigned to them. The drafting of procedures for systems is not an audit function. The Internal Auditor reviews the results of internal auditing work before the related audit report is released to provide reasonable assurance that the work was performed objectively.

If senior management directs the Internal Audit Department to perform non-audit related work, the Internal Auditor will inform management that the activity is not audit related, the employees are not functioning as internal auditors; and, therefore, audit-related conclusions should not be drawn.

Proficiency

The internal audit staffs are expected to have sufficient knowledge to identify the indicators of fraud; however, they are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

The internal audit staffs are expected to have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, the auditors are not expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

If the internal audit staff does not possess the required expertise to conduct an audit or consulting project, the department has the option of declining the engagement or obtaining the required expertise through training or the use of consultants. If the Internal Auditor decides to use and rely on the work of an outside consultant or service provider, the director will assess the competency, independence, and objectivity of the outside service provider.

Fraud

Internal audit members are not expected to have the expertise of a person whose primary responsibility is fraud detection and investigation. Internal auditors are responsible for assisting in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of the system of internal control. The internal audit department’s responsibilities for fraud detection are to: Have sufficient knowledge of fraud to be able to identify indicators that fraud may have been

committed. However, the auditors are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Be alert to opportunities, such as control weaknesses, that could allow fraud. Evaluate the indicators that fraud may have been committed and decide whether any further

action is necessary or whether an investigation should be recommended. Notify the appropriate authorities within the organization if a determination is made that

there are sufficient indicators of the commission of a fraud to recommend an investigation.

The internal audit department may perform extended procedures to determine whether fraud has occurred.

When conducting fraud investigations, the internal auditor staff will: Assess the probable level and the extent of complicity in the fraud within the Institute. Determine the knowledge, skills, and disciplines needed to effectively carry out the

investigation. Design procedures to follow in attempting to identify the perpetrators, extent of the fraud,

techniques used, and cause of the fraud. Coordinate activities with management personnel, legal counsel, and other specialists as

appropriate throughout the course of the investigation. Be cognizant of the rights of alleged perpetrators and personnel within the scope of the

investigation and the reputation of the Institute itself.

Once a fraud investigation is concluded, internal auditors will assess the facts in order to: Determine if controls need to be implemented or strengthened to reduce future vulnerability. Design audit tests to help disclose the existence of similar frauds in the future. Help meet the internal auditor's responsibility to maintain sufficient knowledge of fraud and

thereby be able to identify future indicators of fraud.

When the incidence of significant fraud has been established to a reasonable certainty, senior management and the Council will be notified immediately.

Internal Auditor Job Description

1. Examine all divisional and departmental financial and compliance operations at appropriate intervals to determine that:

a) Management has established an adequate internal control environment;b) Internal control processes are adequate and effective;c) Institute policies and procedures are being followed;d) Adequate safeguards exist to safeguard assets recorded in the accounting records; e) The system of accounting and financial reporting is reliable and adequate.

2. Report promptly to the Audit Committee the results of audits, the opinions formed, the recommendations for improving the reported conditions, the comments of affected administrative personnel, and appropriate action planned or taken.

AUTHORITY:

To maintain an independent status, the Internal Auditor shall have no authority or responsibility for the activities the department audits.

Internal Auditing examines and evaluates the adequacy of the internal control environment and subsequent effectiveness of the internal control processes provided by management. The purpose of those processes is to direct Institute activities toward the accomplishment of its objective in accordance with established policies and procedures and other plans. Internal Auditing also examines systems to determine that they are operating in the most efficient manner to accomplish their intended goals. In accomplishing his activities, the Director and his audit staff are authorized to have full, free, and unrestricted access to all Institute functions, records, property, and personnel.

RESPONSIBILITIES:

Within the restraints of time and staff, the Internal Auditor is responsible for:1. Establishing policies for audit activity and directing technical and administrative

functions.2. Developing and executing a comprehensive audit program to include planning and

performance of financial, compliance, irregularity, and special projects within the Institute.

3. Examining the effectiveness of all levels of management in his stewardship of Institute resources and in compliance with established policies and procedures.

4. Recommending improvements in the internal of control environment design to safeguard Institute resources, promote Institute growth, and ensure compliance with government laws and regulations.

5. Reviewing procedures and records for their adequacy to accomplish intended objectives, and appraising policies and plans relating to the activity or function under audit review.

6. Authorizing the publication of reports on the results of audit examinations, including recommendations for improvement.

7. Appraising the adequacy of the action taken by operating management to correct reported deficient conditions; accepting adequate corrective action; continuing reviews with appropriate management personnel on action he considers inadequate until there has been a satisfactory resolution of the matter.

8. Preparing a comprehensive, long-range program of audit coverage.9. Identifying those activities subject to audit coverage, evaluating their significance, and

assessing the degree of risk inherent in the activity in terms of cost, schedule, and quality.10. Establishing the departmental structure.11. Obtaining training and maintaining an audit staff capable of accomplishing the internal

audit function.12. Assigning audit areas, staff, and budget to auditors.13. Developing a system of schedule control over audit projects.14. Establishing and monitoring accomplishment of objectives directed toward increasing his

department's ability to serve management.15. Coordinating internal and external audit efforts.

Due Professional CareMembers of the Internal Audit Department are required to exercise due professional care in performing audits/assurance services. The auditors are expected to use reasonable audit skill and judgment in performing the audits and consider the following: Extent of audit work needed to achieve the audit objectives. Relative materiality or significance of matters to which audit procedures are applied. Adequacy and effectiveness of risk management, control, and governance processes. Audit cost relative to potential benefits. Probability of significant errors, irregularities, or noncompliance. The use of computer-assisted audit tools and other data analysis techniques.

The auditors are expected to exercise due professional care during a consulting engagement by considering the: Needs and expectations of clients, including the nature, timing, and communication of

engagement results. Relative complexity and extent of work needed to achieve the engagement’s objectives. Cost of the consulting engagement in relation to potential benefits.

The internal audit staffs are required to be alert to the possibility of errors and/or fraud and the significant risks that might affect operations. However, assurance procedures alone do not guarantee that all significant risks will be identified. The members of the internal audit department document their assessment of at-risk areas in the planning memo/preliminary survey and the audit program.

Continuing Professional Education

Members of the Internal Audit Department are responsible for continuing their education in order to maintain their professional proficiency. Continuing education is obtained through membership and participation in professional organizations and attendance at conferences, seminars, college courses, and other training programs.

CertificationEach auditor is encouraged to obtain professional certification, such as: Certified Public Accountant (CPA) Certified Internal Auditor (CIA) Certified Information Systems Auditor (CISA) Certified Fraud Examiner (CFE) Certified Management Accountant (CMA)

Quality Program AssessmentsThe Internal Auditor has implemented and maintains a quality assurance program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. The program includes periodic internal and external quality assessments and ongoing internal monitoring. The process is designed to help the internal auditing activity add value and improve the institute’s operations and to provide assurance that the internal audit activity is in conformity with applicable standards and the internal audit charter.

External AssessmentsExternal assessments include continuous oversight of the department by the System Director of Internal Audit and the Council and reviews of the internal audit reports and working papers by external auditors. In addition, the internal audit department will have an external assessment (self assessment with independent validation by an independent reviewer or review team from outside the organization) conducted by January 1, 2007, and at least once every five years thereafter.

ReportingThe results of the external assessments will be communicated to management and the Council. If full compliance is not achieved and the noncompliance impacts the overall scope or operation of the internal audit activity, this will be communicated to senior management and the Council. The internal audit department will report that their activities are “conducted in accordance with the International Standards for the Professional Practice of Internal Auditing” only if the assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

Audit Plan

Prior to the beginning of each fiscal year, the Internal Auditor meets with the Director General to discuss the internal audit plan for the upcoming year.

To assist in preparing the annual audit plan and assessing risk, input is obtained or requested from prior external and internal audit findings, Institute’s operations.

Communication and Approval

After the plan is prepared, the Internal Auditor obtains the Audit Committee approval of the plan. The plan is then sent to the Council for approval. Significant interim changes in the plan or resource requirements are communicated to the Audit Committee and the council.

Resource Management

The internal auditing department attempts to set measurable goals that are capable of being accomplished within specified operating plans.

Example Annual Audit Plan

Mahatma Gandhi InstituteAudit Hours Available and Allocable

2011Audit Hours Available

Standard hours available (2,080 hrs./auditor) x 2 auditors 4,160Less: Vacation Time 160

Paid Holidays 224

Sick Leave 80 - 464

Available Audit Hours 3,696

Allocation of Audit HoursGrade Change Audit 300

Follow-up on Single Audit Findings 280

Follow-up on Legislative Auditor’s Findings 280

Student Technology Fees 280

Cash Collection Points 300

Athletics 200

Financial Aid 340

Contract Compliance 240

Auxiliary Enterprise Profit/Loss 200

GASB 39 120

Quarterly Certifications 140

Management Advisory & Special Projects 450

Supervision 166

General Administration & Planning 200

CPE & Other Training 200

Total Allocable Hours 3,696

Policies and ProceduresInternal audit policies and procedures have been formalized in the Internal Audit Manual to provide guidance to the employees of the Internal Audit Department. In addition, audit staff are directed and controlled through daily, close supervision and written memoranda. The form and content of the policies and procedures have been adapted to the relative small size and uncomplicated structure of the department and the specialization of its work. Due to the small number of staff and uncomplicated structure of the department, management is more informal than in a larger audit department

Coordination

The external auditors generally review the working papers of the department when performing their audit of the financial statements. To the extent the external auditors and professional and organizational reporting responsibilities allow, the department shares information and coordinates activities with the other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

1. The Internal Audit Department and the external auditors periodically discuss matters of mutual interest.

2. The external auditors are allowed access to the Internal Audit Departments’s audit programs, working papers, and reports. The Department of Internal Audit obtains copies of the external auditor’s reports and follows up on the findings contained therein. The external auditor allows the Internal Audit Department access to selected working papers. Questions regarding significant control weaknesses, errors and irregularities, illegal acts, disagreements with management, and any difficulties encountered in performing the audit are discussed with the external auditors.

3. The internal audit department may agree to perform work for external auditors in connection with their annual audit of the financial statements.

Reporting to Management

All internal audit reports and executive summaries are submitted to the Audit Committee.

Nature of Work

As discussed in the audit charter, the mission of the internal audit activity is to provide independent, objective assurance and consulting services designed to add value and improve the Institute’s operations. Internal audit helps the Institute accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal audit activity is guided by a value-driven philosophy of partnering with other departmental units to continuously improve the operations of the Institute. The scope of work of the internal audit activity is to determine whether the Institute’s network of risk management, control, and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:

Risks are appropriately identified and managed. Interaction with the various governance groups occurs as needed. Significant financial, managerial, and operating information is accurate, reliable, and

timely. Employee’s actions are in compliance with policies, standards, procedures, and

applicable laws and regulations. Resources are acquired economically, used efficiently, and adequately protected. Programs, plans, and objectives are achieved. Quality and continuous improvement are fostered in the Institute’s control process.

Significant legislative or regulatory issues impacting the Institute are recognized and addressed properly.

The Institute’s internal audit activity includes the following general objectives: Determining that the Institute’s overall system of internal control and the controls in each

departmental unit or activities under audit are adequate, effective, efficient, and functioning by conducting audits on a periodic basis so that all major systems are reviewed.

Determining the reliability and adequacy of the accounting, financial, and reporting systems and procedures.

Determining, on a test basis, that Institute activities, including the administration of grants and contracts received or made, are in conformance with the Institute policies and procedures, state and federal laws and regulations, contractual obligations, Council Rules, and good business practices.

Determining the extent to which Institute assets are accounted for and safeguarded from losses of all kinds and, as appropriate, verifying, on a test basis, the existence of such assets.

Evaluating operational procedures to determine whether results are consistent with established objectives and goals and whether the procedures are being carried out as planned.

Conducting investigations as required or directed related to the general objectives previously stated.

The management process of planning, organizing, and directing is evaluated by internal audit to determine whether reasonable assurance exists that objectives and goals will be achieved. All business systems and processes within the Institute are subject to evaluation by internal audit.

Risk Management

The internal audit activity assists the Institute by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. The key objectives of the Institute’s risk management process are, as follows:1. Risks arising from business strategies and activities are identified and prioritized.2. Management and the Council have determined the level of risks acceptable to the Institute,

including the acceptance of risks designed to accomplish the Institute’s strategic plans.3. Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk

at levels that were determined to be acceptable to management and the Council.4. Ongoing monitoring activities are conducted to periodically reassess risk and the

effectiveness of controls to manage risk.5. The Council and management receive periodic reports of the results of the risk management

processes. The corporate governance processes of the Institute provide periodic communication of risks, risk strategies, and controls to stakeholders.

Management’s expectation of the internal audit activity in relation to the Institute’s risk management process is documented in the internal audit charter. The internal audit activity monitors and evaluates the effectiveness of the Institute’s risk management system. Risk exposures relating to the Institute’s governance, operations, and information systems regarding the reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations, and contracts are subject to evaluation.

During consulting engagements, the Institute’s internal auditors are expected to address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks. Knowledge of risks gained from consulting engagements may be incorporated into the process of identifying and evaluating significant risk exposures.

Internal Control

The internal audit activity assists the Institute in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. Internal audit evaluates the adequacy and effectiveness of controls encompassing the Institute’s governance, operations, and information systems regarding the reliability and integrity of financial and operational information; effectiveness and efficiency of operations; safeguarding of assets; and compliance with laws, regulations, and contracts.

The internal audit activity is responsible for ascertaining the extent to which operating and program goals and objectives have been established and conform to those of the Institute. Operations and programs are reviewed to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended. Internal audit ascertains the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal audit uses such criteria in their evaluation. If inadequate, internal audit works with management to develop appropriate evaluation criteria. During consulting engagements, the internal auditors are expected to address controls consistent with the engagement’s objectives and be alert to the existence of any significant control weaknesses. Knowledge of controls gained from consulting engagements is to be incorporated into the process of identifying and evaluating significant risk exposures of the Institute.

Information SecurityInternal audit assesses the Institute’s information security practices. General and application control reviews may be performed. Reviews of disaster recovery, business continuity plans, and electronic funds transfers may also be conducted. In most cases, such assessments are integrated

into other engagements conducted as part of the approved audit plan. However, separate stand-alone engagements may be conducted.

When conducting field work, the auditors are alert for the key information technology risks and controls. Use of available technology-based audit techniques are considered in performing assigned work. The use of data extraction software by the internal auditors is not considered cost beneficial due to the small size of the Institute’s internal audit activity and the related costs of training and software updates. If the internal audit staff lacks the knowledge, skills, or other competencies needed to perform information technology tests the chief audit executive obtains competent advice and assistance. Information technology personnel in the computing center are often used to extract data through use of FOCUS, E-print, and other programs and reports. If E-Commerce processes are audited, the overall audit objective will be to ensure that all processes have effective internal controls.

Risk Management Processes

The internal audit department could be asked to act in a consulting role to assist the Institute in identifying, evaluating, and implementing risk management methodologies and controls. The Institute has an informal risk management program that is appropriate given the nature of the Institute’s activities and its relatively small size.

Reliability and Integrity of Information

Management is responsible for establishing systems to ensure reliability and integrity of information. The Department of Internal Audit is responsible for reviewing the processes to determine whether financial and operating records and reports contain accurate and useful information. Internal Audit is also responsible for determining whether controls over record keeping and reporting are adequate and effective. These audits may include the following:

Determining if transactions have been properly reviewed and approved. Determining if information systems produced data that was useful, accurate, complete,

timely, and relevant. Identifying and documenting key controls designed to ensure the reliability and integrity

of information. Testing key controls.

Compliance with Laws and Regulations

Management is responsible for establishing systems to ensure compliance with policies, plans, procedures, laws, regulations, and contracts. The Department of Internal Audit is responsible for

reviewing the systems to determine whether the Institute is in compliance with the policies, plans, procedures, laws, regulations, and contracts. These audits may include the following:

Obtaining background information to identify and interpret the relevant policies, plans, procedures, laws, regulations, and other items that could have a significant impact on operations.

Identifying key controls designed to ensure compliance with policies, plans, procedures, laws, regulations, and contracts.

Testing key controls. Determining if the auditee is compliance with the relevant policies, plans, procedures,

laws, regulations, and contracts.

Safeguarding of Assets

Management is responsible for safeguarding the Institute’s assets. The Department of Internal Audit is responsible for performing audits to test the means used by management to safeguard assets from various types of losses such as theft, fire, improper or illegal activities, and exposure to elements. These audits may include the following:

Determining the adequacy of the separation of duties. Testing the rotation of sensitive duties among employees. Ascertaining that reconciliation procedures are timely, thorough, and appropriately

reviewed. Verifying the adequacy of management’s periodic surprise reviews. Testing the review and approval of transactions by authorized individuals. Determining the adequacy of the physical protection of assets and records. Identifying key controls designed to prevent or detect errors and fraud. Testing key controls. Verifying the physical existence of Institute assets.

Economical and Efficient Use of Resources

Management is responsible for setting operating standards to measure an activity's economical and efficient use of resources. The Department of Internal Audit may perform economy and efficiency audits to determine whether:

Operating standards have been established for measuring economy and efficiency. Established operating standards are understood and are being met. Deviations from operating standards are identified, analyzed, and communicated to those

responsible for corrective action. Corrective action has been taken.

These audits may include the following: Identifying the operating standards.

Determining whether the standards are appropriate in keeping with the auditee’s goals and objectives.

Determining if the information used by management to measure its success is accurate, current and relevant.

Ascertaining whether management has procedures to ensure that they met their standards. Determining whether management identified and analyzed deviations from the standards. Determining whether management discussed deviations with the appropriate individuals. Identifying any inefficient or uneconomic use of resources. Identifying key controls designed to ensure compliance with the auditee’s goals,

measures, or targets. Testing key controls designed to ensure compliance with the auditee’s goals, measures, or

targets.

Accomplishment of Established Objectives and Goals for Operations or Programs

Management is responsible for establishing operating or program objectives and goals, developing and implementing control procedures, and accomplishing the desired operating or program results. The Department of Internal Audit is responsible for the following:

Ascertaining if management identified relevant objectives and goals and developed a system for measuring their accomplishment.

Appraising whether management established criteria for evaluating their program’s effectiveness.

Assessing whether management determined if their objectives and goals were met. Determining if the techniques and data used by management to measure effectiveness is

appropriate. Reviewing for evidence that the auditee was looking for cost effective ways to

accomplish objectives and goals. Determining whether management has estimated the costs and benefits of not meeting

goals.

The Department of Internal Audit reviews operations (purchasing, human resources, finance, governmental assistance, etc.) or programs (fund-raising campaigns, capital expenditures, etc.) to determine whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned. These audits may include the following:

Identifying key controls designed to ensure compliance with established objectives and goals.

Testing the effectiveness of the key controls.

Examining & Evaluating Information

When performing engagements, the internal audit staff will analyze sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives. Conclusions and engagement results will be based on appropriate analyses and evaluations and documented in the working papers. The procedures performed during most engagements may include reviewing applicable laws, regulations, policies and procedures; interviewing selected employees and others; examining selected documents and records; comparing relationships among financial and non-financial information; and performing observations.

Working Papers

Working papers (Audit Evidence) are the connecting link between the objectives and the auditor’s report. All pertinent information obtained by internal audit must be documented. Engagement working papers serve the following purposes: Provide a systematic record of work performed; Provide a record of the information and evidence obtained and developed to support findings,

conclusions, and recommendations; Provide information to the Audit Director to enable him to supervise and manage

assignments and to evaluate auditor performance; and Provide a record of information for future use in planning and carrying out subsequent

assignments.

The working papers document various aspects of the engagement process to include planning, risk assessment, evaluation of the system of internal control, engagement procedures performed, information obtained, conclusions reached, supervisory review, communication of results, and follow-up

Working papers must be neat, competent, relevant, useful, and accurate. Anyone using the working papers should be able to readily determine their source, purpose, procedures performed, findings, conclusions and the auditor's recommendations.

At the top right section of the working paper, the auditor completing the work will initial and date the working paper. The reviewer will initial and date, directly beneath the auditor's initials on the working paper, indicating that the working paper has been reviewed.

Permanent Files

This file will contain information necessary to gain an understanding of (a) the function of the department/area to be audited; (b) its organization and resources; (c) how it relates to other departments; (do) internal control adequacy and effectiveness; and (e) general information about relevant policies and procedures. The file generally contains the following types of information:

Organizational charts. Applicable statutes, regulations, policies, and procedures Fraud letter. Copy of audit plan. Monitoring reports. Contracts. Description of the accounting records, management reports, department budget, and FRS

Screens. Departmental mission statement. Background/history on the department and/or area to be examined. Important permanent correspondence (other than that pertaining to the current audit).

Data contained in the permanent file should be updated whenever a new engagement of the department or area is started. An index should be maintained of the data/material contained in the permanent file.

Communicating & Disseminating Engagement Results

At the completion of each project, the Internal Auditor will issue a written report, addressed to the Institute President, to communicate the engagement’s results. Every attempt will be made to make the report accurate, objective, clear, concise, constructive, timely, and complete. The report will include the engagement objectives and scope as well as applicable conclusions, recommendations, and responses and corrective action plans. In general, the layout for assurance related reports will be as follows:

1. Cover page 2. Executive summary3. Background information 4. Objective (Purpose): Explanation of why the audit was performed.5. Scope and methodology: The audit scope is a description of the depth and coverage of

work conducted (period and number of locations covered). The audit methodology is an explanation of the nature and extent of the evidence gathering and analysis techniques used to meet the objectives.

6. Noteworthy accomplishments7. Overall opinion, results, or conclusions8. Specific observations (findings) and recommendations9. General section: Acknowledge appreciation and includes limitations on use of the results. 10. Responses and corrective action plans

Description of Reportable Conditions

Reportable Conditions or Comments: Matters coming to the auditor’s attention that, in his judgment, represent significant or material deficiencies in the system of internal control or noncompliance with applicable laws and regulations. Comments and/or recommendations designed to enhance Institute operations may also be reported to management.

Non-reportable or Discussion Only Comments: Matters the auditor chooses to communicate, verbally or in writing, for the benefit of management or others that do not represent significant or material deficiencies in the system of internal control or noncompliance with applicable laws and regulations. These are normally communicated in a correspondence separate from the internal audit report. Sometimes insignificant items may be verbally discussed and documented in the auditor’s working papers.

Monitoring Progress

A system has been established and is maintained to monitor the disposition of engagement results communicated to management. As requested by the audit committee of approximately six months after an internal audit report is issued and presented to the audit committee, the Department of Internal Audit follows up on the reported findings. The purpose of the follow up is to ascertain that corrective action has been taken and is achieving the desired results, or that senior management or the Council has assumed the risk of not taking corrective action on the reported findings.

The department considers the following factors in determining the procedures to be employed in the follow-up:a. The significance of the reported finding.b. The degree of effort and cost needed to correct the reported condition.c. The risks that may occur should the corrective action fail.d. The complexity of the corrective action.e. The time period involved.

The Internal Auditor conducts the following functions relating to following up:a. A time frame within which management's response to the audit findings is required.b. An evaluation of management's response.c. A verification of the response (if appropriate).d. A follow-up audit (if appropriate).e. A reporting procedure that escalates unsatisfactory responses/actions, including the

assumption of risk, to the appropriate levels of management.

Resolution of Management’s Acceptance of Risks

If management’s response indicates they will not take corrective action, the Internal Auditor will determine if the level of risk is acceptable. If the Internal Auditor believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the Internal Auditor will discuss the matter with senior management and obtain an explanation. If the decision regarding residual risk is not resolved, the Internal Auditor and senior management should report the matter to the Council for resolution

Table of contentsIntroductionPOLICY

Internal Audit Charter Mission-Vision Statement State of Illinois Fiscal Control and Internal Auditing Act Policy on Internal Auditing Confidentiality Independence Organization Institute of Illinois Nondiscrimination Statement/Statement on Sexual Harassment Quality Assurance

AUDIT PLANNING Annual Audit Planning

AUDIT PROCESS Overview Audit Assignment Risk Assessment Process Audit Procedures Opening Conference Fieldwork Workpapers Audit Observations Auditor Timekeeping

REPORTING AND FOLLOW-UP Reporting Overview Exit Conference Follow-up Annual Report

PERSONNEL Performance Appraisal Process Training and Professional Development Employment Orientation Personnel Management Telecommuting Policy

ADMINISTRATIVE PROCEDURES Computers General Policies Dess Code

POLICY

INTERNAL AUDIT CHARTER Mission The mission of the Office of Institute Audits (Institute Audits) is to provide independent and objective services to protect and strengthen the Institute and its related organizations. Definition of Internal Auditing Internal auditing is an independent, objective assurance, and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Purpose The purpose of Institute Audits is to determine whether the Institute’s control, risk management, and governance processes, as designed and implemented by management, are adequate and functioning to ensure: • Risks are appropriately identified and managed. • Interaction with the various governance groups occurs as needed. • Financial, managerial, and operating information is accurate, reliable, and timely. • Employee actions are in compliance with Institute policies and procedures, and applicable laws and regulations. • Resources are acquired economically, used efficiently, and adequately protected. • Plans and objectives are achieved. • Quality and continuous improvement are fostered in the Institute’s control processes. • Significant legislative or regulatory issues impacting the Institute are recognized and addressed appropriately.

Institute Audits reports functionally to the President of the Institute (President) and The Council of Trustees (BOT) of the Institute of Illinois through its Audit, Budget, Finance, and Facilities Committee (ABFFC), and administratively to the Comptroller of the Council of Trustees, who is also the Vice President and Chief Financial Officer. Internal Auditing Responsibilities Institute Audits responsibilities include: • Develop a flexible two-year plan identifying audits scheduled for the pending fiscal year, using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit the plan to the President for approval by June 30 of each year. • Implement the audit plan, as approved by the President, including as appropriate any special tasks or projects requested by management and the ABFFC. • Issue periodic reports to the President and Chairman of the ABFFC summarizing results of audit activities.

Report annually to the ABFFC regarding audit plans, activities, staffing, and the organizational structure. • Report to the ABFFC and BOT by September 30 of each year the scope and results of audits and the adequacy of management’s corrective actions. • Maintain sufficient knowledge, skills, and experience to meet the requirements of this Charter.

• Assist Institute management by conducting special services to assist management in meeting its objectives, where appropriate, the nature of which is agreed to with management, and for which Institute Audits assumes no management responsibility. • Assist in the investigation of significant suspected fraudulent activities within the institution and notify management and the ABFFC of the results. • Establish a follow-up process to monitor and identify whether management actions have been effectively implemented, or senior management has accepted the risk of not taking action. • Consider the scope of work of the external auditors and regulators as appropriate for the purpose of providing optimal audit coverage to the institution. • Periodically provide the Internal Audit Charter to the ABFFC for review and approval. Authority The general scope of audit coverage is Institute-wide and no function, activity, or unit of the Institute or a related organization is exempt from audit and review. No officer, administrator, or staff member may interfere with or prohibit internal auditors from examining any Institute or related organization’s record or interviewing any employee or student that the auditors believe necessary to carry out their duties. Additionally, the Executive Director has the authority to audit the accounts of all organizations required to submit financial statements to the Institute. In performing their work, internal auditors have neither direct authority over, nor responsibility for, any of the activities reviewed. Internal auditors do not develop and install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence or impair their objectivity. Therefore, internal audit reviews do not, in any way, substitute for or relieve other Institute personnel from their assigned responsibilities. Professional Standards Institute Audits has the responsibility to carry out its duties as defined by the State of Illinois Fiscal Control and Internal Auditing Act (Illinois Compiled Statutes, 30 ILCS 10/1001). Those responsibilities include performing audits in accordance with The Institute of Internal Auditor’s International Professional Practices Framework (IPPF), which the State of Illinois Internal Audit Advisory Council has adopted as the standard of performance for all state internal auditors. The IPPF requires mandatory adherence to the Definition of Internal Auditing, the Code of Ethics, and the Standards.

STATE OF ILLINOIS FISCAL CONTROL AND INTERNAL AUDITING ACT The Fiscal Control and Internal Auditing Act (Illinois Compiled Statues, 30 ILCS 10/1001) (FCIAA) is the state legislation which provides guidance for internal audit activities of state agencies. The State Internal Audit Advisory Council, established by FCIAA, has approved the Internal Audit Advisory Council Standards with their Bylaws. Excerpts from each section are included below. Section III, Standards, states that "All audits performed by the internal audit staffs of State agencies shall be conducted in accordance with the 'Standards for the Professional Practice of

Internal Auditing' published by the Institute of Internal Auditors, or where required, in accordance with government auditing standards published by the U.S. General Accounting Office. All audit reports issued by the internal audit staffs of State agencies shall include a statement that the audit was conducted pursuant to the appropriate standards." Section IV, Code of Ethics, states that state auditors shall adhere to standards of conduct which were derived from the Code of Ethics published by the Institute of Internal Auditors. Sections V, VI, and VII address continuing professional education (CPE), and the qualifying and recording of CPE activities. The requirement for CPE is that "Effective beginning January 1, 2003, all internal auditors must complete a total of 80 hours of acceptable continuing professional education during two successive calendar years, with a minimum of 20 hours completed each year.

POLICY ON INTERNAL AUDITING The Institute’s policy on Internal Auditing is stated in Section 9.3 of the Office of Business and Financial Services (OBFS), Business and Financial Policies and Procedures, which is included below. The Office of Institute Audits is a staff function in the Institute of Illinois administration. The office assists all levels of the administration in achieving Institute objectives by striving to provide a positive impact on the efficiency and effectiveness of administrative functions. The office achieves this impact through independent appraisals, analyses, and counsel related to: • Assessment of business risk. • Identification and implementation of internal control improvements. • Enhancements to the efficiency and effectiveness of business functions. • Compliance with federal and state regulations and Institute policies and procedures.

The Executive Director of the Office of Institute Audits reports functionally to the President of the Institute and the Budget and Audit Committee of the Council of Trustees and administratively to the Vice President and Chief Financial Officer. The Budget and Audit Committee of the Institute's Council of Trustees maintains oversight of the auditing function. Objectives of Audits and Reviews Internal auditors carry out their work in order to: • Determine whether the Institute's overall internal control system and unit administrative controls are adequate, effective, and efficient. • Determine the reliability and adequacy of the accounting, financial, and reporting systems and procedures. • Determine that Institute activities conform to Institute policies and procedures, state and federal laws and regulations, contractual obligations, and good business practices. • Determine the extent to which Institute assets are accounted for and safeguarded from losses of all kinds, and verify the existence of assets. • Evaluate operational procedures to determine whether results are consistent with established objectives and goals, and whether the procedures are carried out as planned. • Evaluate the design of major new electronic data processing systems and major modifications to existing systems before installation to determine whether the system of internal control is adequate, effective, and efficient.

In addition, internal auditors conduct or support investigations, as required or directed. Scope of Audit Coverage The general scope of audit coverage is Institute-wide and no function, activity, or unit of the Institute is exempt from audit and review. No officer, administrator, or staff member may prohibit internal auditors from examining any Institute record or interviewing any employee or student that the auditors think relevant to their audits and reviews. Additionally, the Executive Director of the Office of Institute Audits has authority to audit the accounts of all organizations required to submit financial statements to the Institute.Operational Limitation of Authority and Responsibility In performing their work, the Executive Director of the Office of Institute Audits and other internal auditors have neither direct authority over, nor responsibility for, any of the activities reviewed. Internal auditors do not develop and install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence. Therefore, internal audit reviews and appraisals do not, in any way, substitute for or relieve other Institute personnel from their assigned responsibilities. Auditing Procedures The internal auditors conduct audits and reviews in accordance with the Standards for the Professional Practice of Internal Auditing (The Institute of Internal Auditors). The internal audit function is carried out in compliance with requirements of the Fiscal Control and Internal Auditing Act of the State Internal Audit Advisory Council. Performance standards for the audit function are defined in the Audit Manual of the Office of Institute Audits, and are developed from the Standards for the Professional Practice of Internal Auditing, General Standards for Information Systems Auditing (Information Systems Audit and Control Association), Statement on Auditing Standards No. 1 (American Institute of Certified Public Accountants), the Audit Guide for Performing Compliance Audits of Illinois State Agencies (Auditor General, State of Illinois), and the Standards for Audit of Governmental Organizations, Programs, Activities, and Functions (Comptroller General of the United States). FOUNDATION GENERAL POLICY AND GUIDELINESMANUAL Institute of Illinois Foundation The following policy and guidelines concerning internal auditing are included in the Institute of Illinois Foundation General Policy and Guidelines and represent the Foundation's "Charter" for the Office of Institute Audits. General Policy The Council of Directors of the Institute of Illinois Foundation is committed to a vigorous program of internal auditing designed to test the effectiveness of internal control. Guidelines The internal audit program is conducted by the Executive Director of Institute Audits in accordance with the 1983 policy statement "Institute of Illinois Foundation Internal Audit Function" which follows. Policy Statement It is the policy of the Council of Directors of the Institute of Illinois Foundation to establish and maintain an internal audit function that: provides all levels of management with information about the managerial control of the operations for which it is responsible; provides the Audit Committee of the Council of Directors with necessary information to discharge its responsibilities; and assists management and Audit Committee members in deciding how

effective the total system of internal control is in achieving its broad objectives for the governance and operation of the Foundation.ALUMNI ASSOCIATION GENERAL POLICY AND GUIDELINESMANUAL Institute of Illinois Alumni Association The following policy and guidelines concerning internal auditing are included in the Institute of Illinois Alumni Association General Policy and Guidelines and represent the Alumni Association’s "Charter" for the Office of Institute Audits. General Policy The Council is committed to a program of internal auditing designed to test the effectiveness of internal control. Guidelines The internal audit program is conducted by the Office of Institute Audits.

CONFIDENTIALITY Definition Confidential information is information of a proprietary or sensitive nature about the Institute of Illinois, its students, contracted agents, and employees. Policy Internal auditors respect the value and ownership of information they receive and do not discuss information without appropriate authority unless there is a legal or professional obligation to do so. Confidential information acquired by audit staff through their employment is considered to be privileged and must be held in strictest confidence. Audit staff shall be prudent in the use and protection of information acquired in the course of their duties. It is to be used solely for Institute purposes and not as a basis for personal gain by the audit staff, or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the Institute. Confidential information is transmitted only to those persons who need the information to discharge their duties as Institute employees or audit staff. Any other dissemination of workpaper or correspondence contents must be approved by the appropriate Director. Any dissemination without authorization will be considered serious misconduct and could result in suspension or dismissal. Prior to disposal, all paper documents generated in the course of performing audit work must be shredded. The following standard e-mail disclaimer must be used for all messages distributed outside of the audit office: This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to which it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies. Report Security and Control

Access to audit reports and management communications is restricted to authorized audit staff. Audit reports are available to all audit staff from the electronic copies maintained on the Office of Institute Audits computer network. Illinois statute exempts certain audit information from being available for public inspection and copying.Illinois Compiled Statutes, Chapter 5, General Provisions 140. ILLINOIS FREEDOM OF INFORMATION ACT 7. Exemptions from inspection and copying (effective July 1, 1984). (1). The following shall be exempt from inspection and copying: ... (n) Communications between a public body and an attorney or auditor representing the public body that would not be subject to discovery in litigation, and materials prepared or compiled by or for a public body in anticipation of a criminal, civil or administrative proceeding upon the request of an attorney advising the public body, and materials prepared or compiled with respect to internal audits of public bodies. [Emphasis added] Due to the sensitive and confidential nature of our audit reports, all efforts should be made to keep reports protected from public disclosure. Audit reports should not be voluntarily disclosed outside of the Institute and should only be released at the express direction of the President or upon presentation of a valid court order. The following restriction on distribution is to appear in all audit reports: This report is for the use of (URO and the) (Institute, Foundation, Alumni Association) administrators only and should not be distributed outside the (URO or the) (Institute, Foundation, Alumni Association) without permission of the (President of the [URO] or) the President of the Institute. If the President directs release of an audit report, we should encourage the release of an “Executive Summary” of the audit report rather than the report itself in order to help maintain the non-disclosure shield afforded by statute. The “Executive Summary” should not reference the specific audit as to preserve the intent of the law. In addition, when presented a valid court order, audit management should seek an agreement between parties in litigation to keep our work product confidential prior to and subsequent to any court action. This agreement should be sought with the assistance of Institute Counsel. Voluntary distribution of an audit report outside the Institute negates our Freedom of Information Act (FOIA) exemption. To ensure our exemption provided under FOIA, Institute Audits will require authorized review of reports or workpapers by an outside party to be performed in our office, under our control as to access, review, and notes taken by the outside party. It is our policy to not permit removal of documents, or copies thereof, from our office. Some audits may be performed under the direction of Institute Counsel as a matter of attorney-client privilege. Audits are performed this way solely for the purpose of assisting Institute Counsel in assessing issues. As a result, all information learned, documents or notes created, and communications prepared may be entitled to legal protection from disclosure. Investigations and other sensitive audits may benefit from this privilege, and audit management should make requests of Institute Counsel when appropriate. Office staff is prohibited from providing public comment on Institute matters. Any media contact should be referred to Public Affairs (UIUC - Office of Public Affairs, UIC - Office of Public Affairs, UIS - Campus Relations). The Office staff should immediately inform their Director who shall inform the Executive Director.

Confidentiality Statement On the first day of employment staff must sign the following statement. (Statement should be on office letterhead in memo format.) TO: FROM: (Audit Management) DATE: SUBJECT: Confidentiality During the course of any job duties, employees of the Office of Institute Audits may have access to information that is sensitive, nonpublic, or protected by Federal or State privacy statutes. All information contained in audit workpapers and audit reports or disclosed to audit staff is confidential. It is the policy of the Office of Institute Audits not to disclose to anyone outside the Institute the contents of any audit workpapers, audit reports, or other information made available by the Institute of Illinois. Disclosure within the Institute will be only for job-related purposes and only to those who, in the audit staff’s judgment, have a need to know. I have received, read, and understand the Office of Institute Audits’ confidentiality policy. I understand that it is a condition of my employment to adhere to the confidentiality policy, and that violation of this work rule may result in disciplinary action including dismissal. _______________________ ____________________ Signature Date R

INDEPENCENCE Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. The objective of internal auditing is to assist members of the organization in the achievement of the organization’s goals and objectives. To this end, internal auditing furnishes them with independent appraisals, analyses, and counsel concerning the activities reviewed. In order for the desired results to be realized, internal auditing must perform their work fully and objectively, that is, be independent of the activities they audit. They must have no authority over or responsibility for the activities they audit. In order to maintain independence and objectivity, staff members will not be assigned audits involving the following instances: 1. Any situation in which a conflict of interest or bias is present or may reasonably be inferred. 2. Any situation that involves a member of the auditor's immediate family. 3. Any activity that the auditor previously performed or supervised unless a reasonable period of time has elapsed.

If through your actions or state of mind your audit objectivity is or can be inferred to be impaired, notify audit management immediately. To assist in recognizing potential or perceived areas of conflict of interest, an Auditor Independence form will be completed by auditors on the first day of employment and annually thereafter. (Statement should be on office letterhead in memo form.)

Council of Trustees Audit, Budget, Finance, and Facilities Committee President Vice President and Chief Financial Officer Julie A. Zemaitis Executive Director CPA Microcomputer Support Specialist II Eduardo R. Mascorro Data Analyst Auditor Maureen L. Sorensen (75%), CPA, CIA, MAS The Office of Institute Audits reports functionally to the President of the Institute and the Institute of Illinois Council of Trustees through its Audit, Budget, Finance, and Facilities Committee. The Office of Institute Audits reports administratively to the Comptroller of the Council of Trustees, who is also the Vice President and Chief Financial Officer Urbana-Champaign, Springfield, Institute of Illinois Foundation, and Institute of Illinois Alumni Association Chicago Information Technology Neal F. Crowley Director MBA, CPA, CIA, CFE Darla J. Hill Director CPA, CIA, CFE Gene V. Fruit Director CISA, CIA, MBA Healthcare Auditors Pelagija (Gia) Milenkovic Open Position Open Position Enterprise-wide Auditors Lea Fox Lataunia Green, MBA Jeffrey N. Mina, CPA Enterprise-wide Auditors Ryan P. Holmes, CPA Jessica L. Hoppe, CIPA, CIA Carla N. Jones, CIA, Ed.M. Kevin K. Jones, CPA, CIA Sandra K. King (80%), CIA, MBA Teri A. Travis, CPA, CIA Jill M. Verdeyen, CPA Information Technology Auditors Andrew M. Mosio, CISA Jared E Ross, CISA, CIA OFFICE OF INSTITUTE AUDITS ORGANIZATION CHART Continuous Auditing Program Certifications and Advanced Degrees held by Members of the Office of Institute Audits Professional Certifications Advanced Degrees 10 CIA = Certified

Internal Auditor 4 MBA = Master of

Business Administration

10 CPA = Certified Public Accountant

1 MAS = Master of Accounting Science

3 CISA = Certified Information Systems Auditor

1 Ed.M. = Master of Education

2 CFE = Certified Fraud Examiner

QUALITY ASSURANCE General The establishment and implementation of a quality assurance and improvement program for the Office is required by the Standards. The objective of the program is to ensure achievement of

audit objectives, performance of audits in accordance with applicable standards, and development of staff. Internal Assessments Internal assessments can provide both quality assurance to audit management and training for the staff. The assessments can be done regularly or intermittently. The assessments are appraisals of how well auditors and supervisors have complied with the Standards and Office policy. They encompass the work of both staff and audit management and are an evaluation of a sample of audit working papers and reports. The assessments should also provide recommendations for improvement. The internal assessments should typically be performed by an experienced auditor, audit management, or combination thereof. External Assessments The purpose of the external assessments is to provide an independent assurance of quality to the Office management and staff, Institute management, the Council of Trustees, and others such as external auditors who may rely on the work of the Office. In compliance with The IIA Standards and the State of Illinois Internal Audit Advisory Council Peer Review Program Bylaws, an external assessment of the Office will be performed every five years to appraise the quality of the Office's operation. Upon completion, the Office will receive a formal, written report expressing an opinion as to the Office's compliance with the Standards and will include recommendations for improvement as appropriate.

AUDIT PLANNING

ANNUAL AUDIT PLANNING Overview The Executive Director has the responsibility to develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management. In accordance with IIA Standards, the annual audit plan is based on an annual risk assessment, and includes the input of senior management and the Council of Trustees through its Audit, Budget, Finance, and Facilities Committee. The Fiscal Control and Internal Auditing Act requires the plan to cover two years and be approved by the President by June 30 of each year. Key Elements of the Risk Assessment Process Risk Categories Categories of risk we assess include the following: • Financial - Financial risks deal with the accounting for internal controls over and reporting of financial transactions, including assets, liabilities, revenues, and expenditures. • Compliance - Compliance risks deal with the adequacy of a unit’s system to ensure compliance with applicable laws, regulations, and policies.

Operational - Operational risks deal with deficiencies in a unit’s effective and efficient use of resources. • Reputational - Reputational risks deal with issues that may not be significant from a financial, compliance, or operational perspective, but could have a potentially negative public perception impact.

• Safety - Safety risks include events, situations, or other circumstances that have the potential to cause harm to individual(s), including employees and/or the public. Key Elements of the Risk Assessment Process • Define the Audit Universe • Identify Major Risks o Data Analytics o Key Stakeholder Interviews

• Consider Other Factors o External Audit Findings o State Statutorily - Required Elements of Plan o Higher Education Industry Issues

• Develop Audit Plan Based on Assessed Risks

AUDIT PROCESS

OVERVIEW Types of Audits Internal control audits determine whether the unit is conducting its financial and business processes under an adequate system of internal control, as required by Institute policy and guidelines and good business practice. Compliance audits determine the adequacy of a unit's system(s) designed to ensure compliance with Institute policies and procedures and external requirements. Examples of external requirements include donor intent, federal and state laws and regulations, National Collegiate Athletic Association legislation, and Big Ten Conference legislation. Audit recommendations typically address the need for improvements in procedures and controls intended to ensure compliance with applicable regulations. Financial audits address the accounting for, and reporting of, financial transactions, including commitments, authorizations, and receipt and disbursement of funds. The purpose of this type of audit is to verify that sufficient controls exist over assets, liabilities, revenues, and expenditures and that there are adequate controls over the acquisition and use of resources. Information technology (IT) audits address the internal control environment of automated information processing systems and how people use those systems. IT audits typically evaluate system input, output, and processing controls; backup and recovery plans; system security; and computer facilities. Operational audits examine the use of unit resources to evaluate whether those resources are being used in the most efficient and effective ways to fulfill the unit's mission and objectives. An operational audit can include elements of a compliance audit, a financial audit, and an IT audit. Investigative audits focus on alleged civil or criminal violations of state or federal laws or violations of Institute policies and procedures that may result in prosecution or disciplinary action. Allegations of theft or misuse of Institute assets, white-collar crime, and conflicts of interest are examples of issues addressed by investigative audits.

Consulting projects may range from formal engagements, defined by written agreements, to advisory activities, such as participating in standing or temporary management committees or project teams.

This section of the manual explains the steps for conducting an audit from the initial assignment through fieldwork. Similarly, the reporting and follow-up processes are covered in a separate section of the Manual. A flowchart of the audit process follows. Annual Audit PlanDirector Initiates AuditRisk Assessment by Auditor(s)Audit Procedures(including audit objective and scope)Opening ConferencePerform Fieldwork1Audit Observation Form(s)Discuss with Director and AuditeeSend Letter of Intent (via E-mail)1Complete Workpaper(by Section)Director Reviews WorkpapersComplete?2

AUDIT ASSIGNMENT Each year, a two-year audit plan of Institute audits is submitted by the Executive Director of Institute Audits to the President of the Institute and the Chairman of the Budget and Audit Committee of the Council of Trustees for approval. Similar two-year audit plans are also prepared for the Presidents and Chief Executive Officers of the Institute of Illinois Foundation and Institute of Illinois Alumni Association. Assigning the Audit Each Director assigns audits to each individual auditor on their staff. The Completion Table within AutoAudit is completed by the auditor and any planning comments are noted. Information is provided to the auditor including the preliminary objectives, general scope of the audit, and any additional information that is needed (reference material available, what to watch for in certain tests, problems noted during other audits, information about who requested the audit and why, the area of responsibility, etc., so the auditor can begin the risk assessment process). Auditee Notification The Director will notify the auditee via e-mail, prepared by the auditor, that an audit of their unit has been scheduled. The message should explain that the auditor will contact the auditee to arrange an opening conference. The auditor will draft the email using the template "Format for Letter of Intent E-mail" in AutoAudit's Standard Library (Maintenance Menu, Standard Library Menu, Audit Formats view). The template of the Letter of Intent Memorandum is in the Standard Library section of Auto Audit.

RISK ASSESSMENT PROCESS The risk assessment process is our identification and analysis of risk for an audit. It begins with the draft audit objective(s), the hours budgeted for the project (included in the Two-Year Plan), and any other information provided by audit management. Research is performed during the planning process to increase the auditor's efficiency. The following sources of information are considered during the risk assessment process to increase audit efficiency: • Review Controls Assessment Tool (CAT) results -- From the most recent risk assessment survey of the unit (performed by the Office of Institute Audits on a four-year cycle).

• Perform an analytical review of all the BANNER accounts (balances and activity) for the unit under review. • If the unit has self-supporting funds, obtain and review copies of the Fact Sheets, the LAC-1 (LAC stands for Legislative Audit Commission) schedules or the deferred revenue information sheets (UIS only, and only if deferred revenue is involved) sent to the Accounting Division by the unit at year-end. • If the unit has Service Plan accounts, obtain and review copies of the LAC-2 schedules (Balance Sheet Questionnaires) (UIC only) sent to the Accounting Division by the unit at year-end. • Continuous Auditing Issues Identified (located in the Red Tab of Auto Audit, Continuous Auditing section). • The Unit's most recent Strategic Plan, if applicable.

When applicable, the following documentation should be reviewed or considered. • Review previous internal audit reports and audit workpapers. These workpapers can assist in further developing the audit scope and procedures. The previous audits' workpapers also facilitate follow-up during the current audit. • Review previous reports from the External Auditors' Compliance and/or Financial audits. • Consult with other audit staff that have been involved in similar audits or are familiar with this unit or subject matter. • Consult with auditors from other Universities/Organizations -- Others who have audited or are familiar with a Institute operation/system or specialized subject matter may be consulted for technical assistance, answers, and ideas. • Consult with technical experts to learn about a technical subject or to request technical assistance/guidance in a new or specialized subject matter or area. • Review Library Database Searches -- Searches are available from Institute and other local libraries and can be useful in audits of specialized or technical areas/subjects. • Review the OBFS Business and Financial Policies and Procedures manual -- This manual contains policies and guidelines in the area of business and finance. • Review Campus Administrative Manual (UIUC only) -- This manual supplements Institute and campus policy for administrative staff. • Review Executive Notices (e.g., Provost Communications) • Review ACUA Internal Control Questionnaires and Audit Guides -- Available for various college and Institute operations and systems. • Review Federal and State Regulations -- Regulations governing the Institute of Illinois' operations are contained in the Code of Federal Regulations and the Illinois Compiled Statutes. • Review accounting/auditing technical guidance (e.g., GARS).

Review applicable campus Academic Staff Handbooks, http://www.ahr.illinois.edu/ahrhandbook/default.html -- UIUC, http://www.uic.edu/depts/oaa/policies_proced.html -- UIC, http://www.uis.edu/academicstaffhandbook/ -- UIS • Review applicable Course Catalogs (for reviews of academic units). • Review AICPA Guide to Audits of State and Local Government. • Review Institute Statutes, Bylaws, and General Rules, -- Concerning Institute Organization and Procedures.

• Review State Universities Civil Service System Statutes and Rules -- Sections of the Illinois Compiled Statutes, and the Illinois Administrative Code pertaining to the State Universities Civil Service System. • Review Policy and Rules for Civil Service Staff -- Provides uniform guidelines for the management of the Civil Service staff of the Institute. • Review Council of Trustees agenda items/minutes (for UROs, review URO Council meeting minutes). • Review Comptroller's Statewide Accounting Management Systems (SAMS) --This manual documents the fiscal policies, accounting principles, controls, operating procedures, and reporting requirements for the Uniform Statewide Accounting System. • Review Campus Telephone Directory -- The telephone directory provides general information and is useful in determining the reporting structure (for example, the "Official Lists" section of the UIUC Student/Staff Directory includes All-Institute Organization, Institute Officers, Council of Trustees, UIUC Organization, Campus Officers, and abbreviated information for UIC and UIS). • Review Legislative Audit Commission Institute Guidelines. • Other relevant materials as deemed necessary. A flowchart of the risk assessment process is provided to further illustrate the process. Using professional judgment and available information, determine the most appropriate audit objective(s) and scope (e.g., statement of audit boundaries). Consider: • The unit's mission and objectives. • The organizational structure of the unit and the related campus or Institute Administration structure from reviewing the unit's organization chart. • The probability of significant errors, irregularities, noncompliance, and other exposures that would adversely affect the unit's operations and/or their ability to efficiently and effectively accomplish their objective or would adversely affect the Institute's overall mission/objective. • Key financial and administrative data relevant to the audit from BANNER or other unit reports. • Unit, campus/Institute, and other applicable standards (e.g., NCAA Legislation, JCAHO standards) for measuring critical functions. • Control processes to monitor critical functions for compliance with established standards. • Issues and concerns raised in prior audits of the unit.

Determine the audit procedures needed to gather sufficient, competent, relevant, and useful evidence to accomplish the established objective(s).

Based on the information gathered above, select the appropriate audit approach. Consider: • The evidence necessary to reach conclusions on audit objectives. • The tests and other procedures to be performed to gather the required evidence. • The objectives, steps, and procedures so that the high risk processes are performed first. This will assist the auditor in keeping focused on completing the audit by developing sufficient information to report on the audit early in the process. If necessary, the audit can be ended (e.g., as a result of revised objectives, budget changes, new audit requests), before all of the originally anticipated procedures are performed.

Prepare audit procedures and submit for audit management's approval. If the objective and scope warrants a change in the budgeted hours, the auditor should submit to audit management a justification for the change. Approved changes would be reflected in the Overview. The approved audit objective(s), scope, and budget should be constantly reassessed throughout the audit process to ensure efficient use of audit resources (e.g., should the remaining audit steps be eliminated, should the objective or scope be limited or expanded, have more efficient procedures been identified, or should additional hours be allocated). If, through this constant reassessment, significant changes are made to the objective and/or scope communicated in the opening conference, the changes should be communicated to the auditee. In addition, ideas for future audits identified during the audit should be documented in AutoAudit in Audit Observation forms with the disposition of future audit concern.

ANNUAL PROCEDURES Audit Procedures The purpose of audit procedures is to provide detailed audit steps to be performed during the audit fieldwork that will achieve the specific audit objectives. In conjunction with the risk assessment, audit procedures will be developed by the auditor and approved by audit management prior to performance of the audit procedures. If, subsequent to the approval of audit management, a decision is made not to perform one or more of the procedures, a note documenting the reasons for the decision should be included in the audit procedures. The specific objectives of any audit will address one or more of the following general management objectives: • Risks are appropriately identified and managed. • Interaction with the various governance groups occurs as needed. • Financial, managerial, and operating information is accurate, reliable, and timely. • Employees’ actions are in compliance with Institute policies and procedures, and applicable laws and regulations. • Resources are acquired economically, used efficiently, and adequately protected. • Plans and objectives are achieved. • Quality and continuous improvement are fostered in the Institute’s control process. • Significant legislative or regulatory issues impacting the Institute are recognized and addressed appropriately.

During the course of the audit, conditions may arise which warrant revising the audit procedures, scope, or budgeted hours. The auditor should evaluate the situation, make timely recommendations to audit management, and obtain approval before incorporating any changes. Audit procedures should be organized in the following manner: Audit Procedures

Results/DocLink Initials

Audit Objective: Scope: Audit Step 1: Conclusion: Procedures Performed Audit Step 2: Conclusion:

Procedures Performed Audit Step 3: Conclusion: Procedures Performed

Internal Control Audits Standard procedures have been devised for internal control audits and can be found in the Maintenance Menu, Standard Library of AutoAudit. Auditors may access these standard procedures through the "Completion Table" workpaper in AutoAudit. (Under the "Audit Procedures" section, choose "View Standard" to access a list of these standard procedures.

OPENING CONFERENCE The opening conference should be held to gather information about the mission, critical processes, and control procedures of the unit. The auditor uses this information in the risk assessment process to determine an appropriate objective and scope for the audit. Under some conditions, the objective and scope may be predetermined. The auditor should prepare an opening conference e-mail confirming the appointment. The e-mail should briefly state the announcement of the audit; the date, time, and place of the opening conference; the purpose of the opening conference; and the desire to resolve any questions regarding the tentative draft objective and scope. Audits with a surprise component, such as investigative audits, cash counts, etc., may not have an opening conference. The opening conference is an important step in a regular audit. It is an opportunity to establish the proper tone and to begin building good relationships. Explain the "who, what, where, when, why, and how" for those who have not been exposed to the audit process. During the opening conference: 1. Provide and discuss the Office brochure (first-time auditee, optional afterward). 2. Explain the audit focus. 3. Emphasize that the purpose of an audit is to help improve Institute of Illinois controls and operations. 4. Review the objective(s) and scope of the audit, encouraging management to discuss any aspect of the audit. 5. Ask for suggestions of potential auditee problem areas within the audit scope. This communicates an intention of being helpful rather than critical. 6. Determine what assistance from personnel other than those attending the opening conference is needed to answer detailed questions concerning the functions to be performed. Contact should be made via the "Chain of Command" until an understanding with the appropriate manager is established. 7. Explain how audit concerns (observations) are handled. Explain that concerns will be reviewed with the designated auditee at the time they arise and identify who will be responsible for reviewing the audit concerns. Explain the purpose of discussing each audit concern is to verify that both the facts defined in the concern and the impact of the concern is accurate. Some findings may be resolved verbally. 8. Establish how frequently the department head/director wants to be updated on audit progress and findings.

9. Explain we will review the draft audit report in detail at the exit conference. 10. Explain that a copy of the final audit report will be sent to their reporting line up to and including the Chief Financial Officer and the President. 11. Inquire about working hours, working area, access to records, and any other information that details the office routines. This information may have considerable influence on the cooperation extended to the audit staff. 12. Identify information needed to complete the audit procedures. 13. Establish a tentative schedule for the audit process. 14. Ask if there are any questions concerning anything discussed at the opening conference or any questions in general about the auditor or audit approach that will assist the auditees in their understanding of the audit project. 15. Inquire as to any areas within their operations that they feel are more susceptible to fraud or over which they have concerns. 16. Ask about any fraudulent activity that has occurred in the unit within the last two years.

Effective communication at the beginning of the audit can materially influence the tone in which the entire audit is conducted.

OPENING CONFERENCE MINUTES The Opening Conference's date, attendees, and substantive items discussed which are directly related to audit scope, objectives, timing, or confidentiality should be documented in the workpapers and DocLinked to the Key Activities document. Such items may include possible reorganizations of the unit, auditee requests for delaying the audit due to poor timing or unusual circumstances, special concerns of the auditee, etc. If such items were not part of the opening conference, nothing more than the date and attendees is required. The template of the Opening Conference Email and Opening Conference Discussion Items are in the Standard Library section of Auto Audit.

FIELDWORK Definition and Purpose Fieldwork is the process of gathering evidence and analyzing and evaluating that evidence as directed by the approved Audit Procedures. The audit objectives and procedures should be performed so that the most important and significant audit steps are completed first. Conclusions on audit objectives will form the basis for an audit opinion. Workpapers, including Audit Observation Forms, should be forwarded for review by audit management upon completion of a meaningful section of the audit rather than waiting until all fieldwork is completed. Throughout fieldwork, professional judgment should be used to: a) determine whether evidence gathered is sufficient, relevant, competent, and useful to conclude on the established objectives; and b) based on the information available, reassess the audit objectives, scope, and procedures to ensure efficient use of audit resources (e.g., should the remaining audit steps be eliminated, should the objective or scope be modified, have more efficient procedures been identified, or should additional hours be allocated to achieve an expanded audit objective). Document changes in audit objectives, scope, and procedures in the workpapers. Fieldwork includes:

1. Gaining an understanding of the activity, system, or process under review and the prescribed policies and procedures, supplementing and continuing to build upon the information already obtained in the risk assessment process. 2. Observing conditions or operations. 3. Interviewing people. 4. Examining assets and accounting, business, and other operational records. 5. Analyzing data and information. 6. Reviewing systems of internal control and identifying internal control points. 7. Evaluating and concluding on the adequacy (effectiveness and efficiency) of internal controls. 8. Conducting compliance testing. 9. Conducting substantive testing. 10. Determining if appropriate action has been taken in regard to significant audit concerns and corrective actions reported in prior audits.

Standards for documenting fieldwork (e.g., the evidence gathered, the analyses made, the tests performed), to support the findings and conclusions are presented in the sections Workpapers and Audit Observations. In general, all audit work performed should be documented. Each audit procedure should be supported by and have DocLinks to workpapers (schedules, memos, spreadsheets) on which testing performed and results achieved are documented. Fieldwork should be performed at the auditee's location to facilitate communication with the auditee. The auditor should maintain contact with auditee management and keep them informed of the audit observations and other developments throughout the audit. They may be able to provide additional information or may wish to adopt procedures quickly to rectify deficiencies.

FIELDWORK

Definition and Purpose Fieldwork is the process of gathering evidence and analyzing and evaluating that evidence as directed by the approved Audit Procedures. The audit objectives and procedures should be performed so that the most important and significant audit steps are completed first. Conclusions on audit objectives will form the basis for an audit opinion. Workpapers, including Audit Observation Forms, should be forwarded for review by audit management upon completion of a meaningful section of the audit rather than waiting until all fieldwork is completed. Throughout fieldwork, professional judgment should be used to: a) determine whether evidence gathered is sufficient, relevant, competent, and useful to conclude on the established objectives; and b) based on the information available, reassess the audit objectives, scope, and procedures to ensure efficient use of audit resources (e.g., should the remaining audit steps be eliminated, should the objective or scope be modified, have more efficient procedures been identified, or should additional hours be allocated to achieve an expanded audit objective). Document changes in audit objectives, scope, and procedures in the workpapers. Fieldwork includes:

WORKPAPERS Introduction

The auditor documents the work performed in AutoAudit. The workpapers serve as the connecting link between the audit assignment, the auditor's fieldwork, and the final report. Workpapers contain the records of the planning and risk assessment process, audit procedures, fieldwork, and other documents relating to the audit. Most importantly, the workpapers document the auditor's conclusions and the reasons those conclusions were reached. The disposition of each audit observation identified during the audit and its related corrective action should be documented on an Audit Observation Form within AutoAudit. Workpapers should be completed throughout the audit. As each meaningful section is completed, the auditor should submit the related workpapers for review. The workpapers provide a basis for evaluating the Office's quality assurance program and demonstrate the Office's compliance with the The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing. Workpapers should be economical to prepare and to review. It is easy to include every scrap of information and every form in the workpapers. However, the workpapers then become a confused mixture of data that is difficult to assimilate and use. Workpapers should be complete but concise--a usable record of work performed. Auditors should include in their workpapers only what is essential; and they should ensure that each workpaper included serves a purpose that relates to an audit procedure. Workpapers that are created and later determined to be unnecessary may be deleted. Among other things, workpapers may include: • Planning documents and audit procedures. • Controls questionnaires, flowcharts, checklists, and narratives. • Notes and minutes resulting from interviews. • Organizational data, such as charts and job descriptions. • Copies of important documents. • Information about operating and financial policies. • Results of control evaluations. • Letters of confirmation and representation. • Analysis and test of transactions, processes, and account balances. • Results of analytical review procedures. • Audit reports and management responses. • Audit correspondence that documents the audit conclusions reached.

Workpapers should be clear and understandable. The auditor should keep in mind that other people will examine and refer to the workpapers. The workpapers should not need any supplementary information and should stand alone. An experienced auditor reviewing the workpapers, without referring to documents outside of those included in the workpapers and without asking questions, should be able to identify what the auditor set out to do, what they did, what they found, and what they concluded. Conciseness is important; but clarity should not be sacrificed just to save time and space.

SCANNED DOCUMENTS –

Scanned documents should include a reference to the source and the purpose of the document when relevant to understanding or appreciating the actual audit work performed. Such

information needs to be included only when it is not provided elsewhere in the workpapers or apparent by the actual document.

1. WEBLINKS –

When using references to websites in auto workpapers, to help ensure the site can be readily accessed in the future, both the name of the site and a hotlink to the website should be included. If specific information from a website was referenced (e.g., Federal Register, IRS publications, various guidelines), the webpage should be saved to a file and attached to the workpapers.

TICKMARKS –

Tickmarks do not need to be standardized throughout the set of workpapers, but must be consistent throughout a particular workpaper. Tickmark explanations must be a part of the workpaper.

DOCLINKS (CROSS-REFERENCING) –

Workpapers should be prepared using the appropriate DocLinks (cross-referencing). A DocLink from the Audit Procedures to the primary workpaper provides a reference to where the work was performed. It is not necessary to DocLink all workpapers to the Audit Procedures - only the primary workpaper. The primary workpaper will then contain DocLinks to other, supporting workpapers, which provide additional information regarding the audit procedures performed, results, conclusions reached, and audit observations. DocLinks should be used to reference information useful in more than one place or to other relevant information including the source of information, composition of summary totals, or other documents or examples of transactions. Documents/information should be in the workpapers only once.

STANDARD WORKPAPERS – Auditor

The auditor should conduct a review of the workpapers prior to submission to the appropriate member of audit management to determine whether they are relevant and have a useful purpose, evidence the audit work performed, and sufficiently support the audit findings. In addition, the auditor should ensure the conclusions reached were reasonable and valid, and that Office workpaper standards were followed. The auditor should review all comment forms to be certain that all issues have been resolved within the workpapers since the comment forms will not be retained. All other information obtained during the audit should be reviewed to determine whether all documentation relevant to the audit has been included in the audit workpapers. Documentation obtained and not relevant to the audit should be returned/destroyed upon the completion of the audit.

Audit Management

Approval should be documented at the time the risk assessment process, audit procedures, and workpapers are reviewed. This approval is recorded by using the approval function within AutoAudit. It is important to document appropriate and timely management supervision. All workpapers should be independently reviewed to ensure there is sufficient evidence to support conclusions and all audit objectives have been met. A comprehensive review will be conducted by audit management before approving the draft audit report. Audit management will: • Determine compliance with workpaper guidelines. • Review the risk assessment process to ensure that objectives are defined. • Review the audit procedures to ensure that they are adequate to accomplish the objectives. • Review the referenced workpapers to ensure they support the procedures performed and all procedures have been completed. • Determine that the workpapers adequately document the conclusions reached in the report. • Confirm that all observation forms prepared have been discussed with the appropriate member of management, and that the disposition of the audit concern is documented.

Document review comments by using the comment form within AutoAudit. When review comments have been satisfactorily cleared in the audit workpapers, audit management will remove the comments from the workpapers. Upon completion of the Audit Report Checklist audit management will close the audit in the AutoAudit Overview document using the current date.

FILING AND PROTECTION OF WORKPAPERS –

All workpapers are the property of the Office of Institute Audits and are considered confidential. Workpapers often contain sensitive information or data that must be protected from unauthorized use or review. (See section on Confidentiality).

WORKPAPERS RETENTION POLICY –

All electronic workpapers are to be retained by the Office of Institute Audits subject to the retention requirements below: 1. Audit workpapers are maintained on the production file until audit management deems no pending items related to the audit remain. Audit workpapers are then moved to an AutoAudit archive file for the year the audit was established. Workpapers on the AutoAudit archive file are retained 10 years. Workpaper retention should be destroyed after 10 years unless workpapers related to a lawsuit inactive less than 10 years are included on the electronic media. 2. Each annual AutoAudit archive file of audit reports will be moved to electronic media (tape, CD-Rom) 10 years after the end of the fiscal year of report publication. This media will be given to the Archivist 10 years after reports are moved to this media and 20 years after the year of report publication.

3. Audit management must ensure any investigative audit reports on the tape or CD-Rom media to be given to the Archivist have had no active lawsuits in the past 10 years.

AUDIT OBSERVATIONS

Overview

The auditor should complete an Audit Observation Form (AO) whenever the auditor identifies a possible (a) opportunity for operational improvement, (b) discrepancy, (c) error, (d) irregularity, (e) weakness or (f) deviation from internal control standards, regulations, or policies. Prior audit reports and linked AOs should be reviewed and used to the extent possible to avoid re-creating an AO already developed.

At the time the auditor realizes they have an audit concern, they should begin to complete the AO and discuss the observation with the auditee. This discussion should be documented in the applicable fields of the AO. The AO should stand-alone and should document the auditor's analysis (criteria, condition, cause, consequence, and corrective action) related to the finding; this information should not be located elsewhere in the workpapers. The workpaper where the work was performed which resulted in the observation and supporting workpaper references should be DocLinked to the AO in the space provided. Documenting the analysis assists the auditor in preparing to discuss the observation with the auditee. The AO should document the results of the problem analysis/resolution process. The form is not a step-by-step recipe for doing the work itself, because problem analysis/resolution is not a linear process. Simply completing the form is not a substitute for critical analysis of the situation. The auditor should answer such questions as the following: • What is the problem that exists? • How extensive is the problem? • What is the risk associated with the problem, or lack of controls? • Do we have our facts correct? Does the auditee agree that the problem exists? • Are there other controls to compensate for the problem? • Are there practical solutions to the problem? • Has management agreed with our recommended corrective action or formulated their own corrective action?

Since the AOs contain the auditor's professional analysis of audit concerns, they are among the most important workpapers created. Aspects of the Audit Observation Form Finding - Description of Observation [Condition]

This section of the AO should contain a clear and concise statement of the condition. This sentence will be the only explanation of the problem in the final report. The statement should be concise but provide enough detail to support the reader's understanding of the problem. Per the IIA Standards, "Condition: The factual evidence that the internal auditor found in the course of the examination (what does exist)."

Discussion and Background - Analysis of the Audit Finding [Criteria and Cause] The auditor should document the analysis of the problem in this section. References to applicable standards and/or good business practice should be included. If possible, the auditor should

FOLLOW-UP Follow-up

Corrective action is subject to follow-up in accordance with the Standards for the Professional Practice of Internal Auditing of the IIA. All corrective action with expected implementation dates past due or due within 30 days appear in Auto Audit.

Follow-up Process Objective – The objective of the follow-up process is to determine whether the audit concern has been adequately addressed. When follow-up is performed, the auditor will find one of the following situations: • Implemented--the concern has been adequately addressed by implementing the original corrective action or the concern has been adequately addressed by implementing an alternate corrective action. • Withdrawn--the concern no longer exists because of changes in the unit’s processes. • Open--the corrective action has been initiated but is not complete; or the concern has not been addressed (if the auditor believes that the unit fully intends to address the concern, a new expected completion date should be entered). • Not Implemented--if the auditor concludes that management does not intend to implement the recommendation, notify audit management.

Performance – Audit evidence in accordance with the IIA Standards is to be applied to follow-up work. Internal auditors should ascertain that actions taken on audit findings remedy the underlying conditions. The auditor's recommendation regarding the status (i.e., Implemented, Withdrawn, Not Implemented) should be documented in the Follow-up field on the Observation form. The auditor must send the AO to audit management for review using the Request Review function. Communication of Follow-up Results Unit – Follow-up results should be communicated by the auditor to the management team associated with the concern. If the audit concerns have been adequately addressed, a verbal or e-mail notification to the unit head is sufficient. If the concerns have not been adequately addressed, a meeting or more formal communication may be required. Reporting "Not Implemented" Corrective Action – On a quarterly basis, the Executive Director reports to Institute management the corrective action items where follow-up was performed and the "Disposition" remains "Open." On an annual basis, Institute management is notified of all "Open" corrective action. Follow-up, and discussions with Institute management, will continue until the corrective action is resolved, or the risk of continuing the current practice is accepted by Institute management.

Statistics of the follow-up process for all Institute audits are provided to the following Councils in the Annual Reports to their organizations: • Budget and Audit Committee of the Institute of Illinois Council of Trustees • Audit Committee of the Institute of Illinois Foundation • Audit Committee of the Institute of Illinois Alumni Association