internal audit a collaborative effort - university of delaware · to provide independent, objective...
TRANSCRIPT
4/16/2013
1
Internal Audit A Collaborative Effort
April 25, 2013
Internal Audit/Research Training 1 4/25/2013
Attendees will learn
• What is Internal Audit
• What are Risks and Controls
• What and How Internal Audit Does What is Does
• What is Your Role in All This
• Documentation 101
4/25/2013 2 Internal Audit/Research Training
4/16/2013
2
4/25/2013 Internal Audit/Research Training 3
INTERNAL AUDIT
JUST WHO - AND WHAT -
ARE WE ?
4/25/2013 Internal Audit/Research Training 4
4/16/2013
3
Internal Audit’s Mission
To provide independent, objective assurance and consulting services designed to improve the operations and internal controls of the University.
4/25/2013 Internal Audit/Research Training 5
4/25/2013 Internal Audit/Research Training 6
WHAT WE DO
AUDITS, AUDITS, AND…..YET MORE AUDITS
4/16/2013
4
4/25/2013 Internal Audit/Research Training 7
• Financial Audits
• Compliance Audits
• Information Technology Audits
• Operational Audits
• Investigative Audits
4/25/2013 Internal Audit/Research Training 8
Based Upon Professional Standards &
Ethics
Internal Audit conducts its activities in accordance with The Institute of Internal Auditors’ “Code of Ethics” and the International Standards for the Professional Practice of Internal Auditing
4/16/2013
5
4/25/2013
Internal Audit/Research Training
9
DIRECTOR OF INTERNAL AUDITING
Edward J. Drozd, CPA
SENIOR INFORMATION TECHNOLOGY AUDITOR
Cheryl R. Morris, CISA
SENIOR INTERNAL AUDITOR
Montgomery K. McKee, CPA, CISA
INTERNAL AUDITOR
Joseph C. Hines, CPA
AUDIT SPECIALIST
Maria A. Poole
Information Systems AuditsFinancial, Compliance, Operational
AuditsFinancial Compliance Hotline
Investigations
UD Credit Card AuditsFinancial and Compliance Audits
Audit Visiting Committee Booklets
Financial, Compliance, Operational Audits
Financial Compliance Hotline Investigations
Financial, Compliance, Operational Audits
Financial Compliance Hotline Investigations
4/25/2013 Internal Audit/Research Training 10
HOW WE DO IT
• Annual Risk Assessment • Rolling 3 Year Plan • Annual Plan - Individual
Audits
4/16/2013
6
4/25/2013 Internal Audit/Research Training 11
historical data external inputs
professional judgment
4/25/2013 Internal Audit/Research Training 12
INVENTORY of INTERNAL AUDIT PROJECTS/NTERNAL AUDIT UNIVERSE
KPMG LLP ASSIGNED PROJECTS (NONE after 12/12/07 per C Chepel )
INFORMATION TECHNOLOGIES AUDITS: 1 IT Accounts Receivable/Billing Application Controls
2 IT ACH 3 IT Asset Management System
4 IT AT&T Blackboard System (UD#1 Flex, Meal Points. Etc.) 5 IT BSR Advance (Gift Processing) System
6 IT Central Cashiers System
7 IT CISP Card Industry Audit Initiative
8 IT Cognos Data Warehouse Application & Security
9 IT Cashnet Interface
10 IT Data Encryption
11 IT Data Security Function
12 IT Data Telecommunications 13 IT Database Administration
INVENTORY of INTERNAL AUDIT PROJECTS/iNTERNAL AUDIT UNIVERSE
KPMG LLP ASSIGNED PROJECTS (NONE after 12/12/07 per C Chepel )
INFORMATION TECHNOLOGIES AUDITS: 1 IT Accounts Receivable/Billing Application Controls
2 IT ACH 3 IT Asset Management System
4 IT AT&T Blackboard System (UD#1 Flex, Meal Points. Etc.) 5 IT BSR Advance (Gift Processing) System
6 IT Central Cashiers System
7 IT CISP Card Industry Audit Initiative
8 IT Cognos Data Warehouse Application & Security
9 IT Cashnet Interface
10 IT Data Encryption
11 IT Data Security Function
12 IT Data Telecommunications 13 IT Database Administration
4/16/2013
7
4/25/2013 Internal Audit/Research Training 13
4/25/2013 Internal Audit/Research Training 14
SI = Supplementary Information for Contracts and Grants System Audits:
1 CFS Cash Management (e.g, Letter of Credit Draw Downs)
2 CFS Close Outs
3 CFS Collaborations/Partnerships
4 CFS Conflict of Interest Procedures
5 CFS Compliance with Grant Restrictions, Terms and Conditions for Direct Costs
6 CFS Cost Transfers
7 CFS Fringe Benefits and Facilities and Administrative Cost Allocations
8 CFS Program Income
9 CFS Proposal Budget Preparation
10 CFS Recharge Centers
11 CFS Reporting (e.g., SF 269 Federal Financial Reports)
12 CFS Subrecipient Monitoring
4/16/2013
8
4/25/2013 Internal Audit/Research Training 15
Area
Last Internal Audit
Scheduled for Internal Audit Testing 2014-2016
1. Information Technologies FY2013 Yes -Ongoing
1. Central Financial Systems:
a. Accounts Receivable FY2012 No
a. Asset Management/Equipment Inventory FY2013 No
a. Bank Wire Transfers FY2011 Yes
a. Central Cashier FY2012 No
a. Employee Fringe Benefits Accounting and Compliance FY2012 No
a. Financial Aid Accounting and Compliance FY2012 Yes
a. Gift Processing FY2013 No
a. Investments Accounting and Compliance FY2011 Yes
a. Journal Vouchers FY2013 No
a. Payrolls FY2013 Yes
a. Procurement FY2010 Yes
a. Sponsored Programs/ Contracts and Grants Accounting and Compliance
FY2013 Yes
1. University Departments:
a. 1743 Holdings, LLP FY2012 Yes
a. Construction FY2010 Yes
a. Intercollegiate Athletics FY2012 No
a. International Programs FY2010 Yes
a. Library FY2008 Yes
a. Procurement Cards FY2013 Yes -Ongoing
a. Other University Departments (e.g., The Colleges and Other Academic, Research, Auxiliary and Administrative units) FY2013 Yes - Selected Visits and Coverage by Audits of Central Financial Systems
4. Compliance Hotline Investigations FY2013 Yes - As Needed
5. Consulting and Special Projects FY2013 Yes - As Needed
ROLLING THREE-YEAR INTERNAL AUDIT PLAN
2014-2016
4/25/2013 Internal Audit/Research Training 16
• Make Policy • Perform Departmental Work • Reconcile Accounts • Set up Internal Controls • Try to Make Life Miserable
WHAT WE DON’T DO
4/16/2013
9
4/25/2013 Internal Audit/Research Training 17
What’s Internal Control All About
4/25/2013 Internal Audit/Research Training 18
Control Types
4/16/2013
10
4/25/2013 Internal Audit/Research Training 19
INHERENT CONTROL LIMITATIONS
4/25/2013 Internal Audit/Research Training 20
CONTROL OBJECTIVES • Authorization • Completeness • Accuracy • Validity • Physical Safeguards & Security • Error handling • Segregation of Duties
4/16/2013
11
4/25/2013 Internal Audit/Research Training 21
Who’s Responsible For Internal Controls ?
4/25/2013 Internal Audit/Research Training 22
INTERNAL CONTROL COMPONENTS
Control environment Risk Assessment Control Activities Information and communication Monitoring
4/16/2013
12
4/25/2013 Internal Audit/Research Training 23
An audit by another name is still… an audit
• Federal Government – Office of Naval Research is UD’s cognizant agency
• Sponsors • A-133 Auditors—KPMG • Program Auditors
– Campus tell C&G Specialist when contacted regarding any audit
– MUST tell VP Fin office when programs contact us – Coordination and information must come from Research & VP
Finance for consistency
• Internal Audits
4/25/2013 Internal Audit/Research Training 24
What’s An Audit
4/16/2013
13
4/25/2013 Internal Audit/Research Training 25
• Opening conference • Preliminary review • Testing • Exit meeting • Draft audit report • Final audit report • Management's written response • Summarized report • Follow-up
4/25/2013 Internal Audit/Research Training 26
4/16/2013
14
4/25/2013 Internal Audit/Research Training 27
The Audit Program – The Roadmap
Purpose of Audit Program
What may be included in an audit Identify major
programs based on expenditures in fiscal year (SEFA)
Cash Management Review previous
audit findings
Cost share (committed vs.
actual)
Review new programs or those
with regulatory changes
Expenditures (budget vs actual)
Financial Reporting
Effort Reporting
Review personnel or system changes
Subawards UD Policies & Procedures
4/25/2013 28 Internal Audit/Research Training
4/16/2013
15
4/25/2013 Internal Audit/Research Training 29
AUDIT PROGRAM EXAMPLE
Audit Program
Program Step:
Results:
W/P Reference
Preliminary Documentation 1. Obtain a download of all credit card
transactions for FY2013 that have been charged to Federally Sponsored Program funds (purpose XXXX4…) from the Financial System. The query names are AUD_FEDCG_PCARD_TRANS and AUD_FEDCG_PCARD_TRANS_BYCH.
A download of all contract and grant transactions charged to sponsored funds has been secured. A copy of the spreadsheet has been doc-linked here: Fed PCard Transactions 082312.xls No copy of the report has been included in the work papers due to the number of items appearing on the report.
N/A
1. Review the transaction listing for unusual items or items that would not seem to be an appropriate purchase that would be made on a Federal contract or grant. Judgmentally select 30 transactions for further review.
Several individuals reviewed the listing and selected numerous transactions for review. A final selection of 30 grant transactions was made and the spreadsheet documenting this selection is doc-linked here: 2013 Fed_Grants_Testing.xlsx.
FPC-0-1
1. Secure copies of the grant documentation for each transaction in the selection.
The information was requested from the department and secure for each grant selected as part of the review.
Individual Sample Items
Program Objectives
This is a limited scope review and consists solely of ensuring that credit card charges to Federally sponsored programs are in compliance with
Federal rules and regulations regarding allowability, allocability, and reasonableness as well to ensure University policies and procedures were
being followed.
4/25/2013 Internal Audit/Research Training 30
4/16/2013
16
Audit questions/observations
• Verify checks and balances
• Verify terms are followed
• Verify there are appropriate processes in place
4/25/2013 Internal Audit/Research Training 31
4/25/2013 Internal Audit/Research Training 32
AUDIT WORKPAPERS
4/16/2013
17
Vulnerabilities
4/25/2013 Internal Audit/Research Training 33
Lingering close outs
Pro card /Travel
Card
Unlike circumstances
Oddities
RED FLAGS
4/25/2013 34 Internal Audit/Research Training
4/16/2013
18
4/25/2013 Internal Audit/Research Training 35
Types of findings
• Material weaknesses
• Significant deficiencies
• Deficiencies
• Questioned costs can result from all above
4/25/2013 Internal Audit/Research Training 36
4/16/2013
19
Your internal controls are found to be weak and/or non-existent? Common responses usually include:
• “We don’t have enough staff to handle adequate segregation of duties.”
• “It is too expensive to do it that way.”
• “I trust my people and controls are not necessary.”
4/25/2013 Internal Audit/Research Training 37
Controls and Research?
4/25/2013 Internal Audit/Research Training 38
WHY?
4/16/2013
20
Recent Audit Findings
Florida State University • Repay $3,000,000
• DHHS NSF OIG audit
• 2008-2010
• Failed to ensure
• Allowable
• Allocable
• Reasonable
UC – Santa Barbara • Repayment of $6.3 million
being questioned
• NSF OIG audit
• 2 year audit
• Issues
• Overcharged summer
• Cost share
• Cost Transfers
• Unallowable
Univ. of Wisconsin-Madison
• Reversal of repayment request
• HHS OIG
• Unallowable cost for equipment due to not requesting prior approval
• NIH and sponsor protested
4/25/2013
Internal Audit/Research Training 39
What to Expect if Audited? • You are guilty until proven innocent
• The burden of proof regarding allowability is on the University NOT the auditor
• Individuals in departments other than RO may be interviewed and/or expected to provide information
4/25/2013 40 Internal Audit/Research Training
4/16/2013
21
• Cost Transfers
• Effort Reporting
• Closeouts
4/25/2013 41 Internal Audit/Research Training
Who’s who: Roles and Responsibilities
4/25/2013 Internal Audit/Research Training 42
Ad
min
istr
ato
r • Read the award
• Know the terms
• Translate rules to outcomes
• Question expenses
• Maintain documentation
Pri
nci
ple
Inve
stig
ato
r • Read the award
• Know the terms
• Present ideas of WHAT is desired outcome
• Justify allowability
• Provide justification
Cen
tral
Off
ice
• Read the award
• Know the terms
• Guide and facilitate decisions
• Seek sponsor approvals as needed
• Help determine relevant documentation
4/16/2013
22
Before anything else, preparation is the key to success. ~Alexander Graham Bell
4/25/2013 Internal Audit/Research Training 43
For every minute spent in organizing, an hour is earned.
~Anonymous
4/25/2013 Internal Audit/Research Training 44
4/16/2013
23
Keys to a Successful Audit
Audit Trails…“If it’s not documented, it didn’t happen….”
Appropriate Approvals
Organized Files
Knowledge of policies
and regulations
4/25/2013 45 Internal Audit/Research Training
Building a stronger document
Approvals
Justification
Supporting details
4/25/2013 Internal Audit/Research Training 46
4/16/2013
24
Ask yourself…
• Would a stranger understand this justification?
• Would I understand these details in a 6 month review of the document?
• Do I believe this justification?
4/25/2013 Internal Audit/Research Training 47
Audits • Question: When do you start preparing for an audit?
• Answer: The day you prepare a proposal
48 4/25/2013 Internal Audit/Research Training
4/16/2013
25
Being “audit savvy” is…
• Being proactive
• Being prepared
• Being persistent
4/25/2013 Internal Audit/Research Training 49
EXERCISE
build strong documentation
4/25/2013
Internal Audit/Research Training
50
4/16/2013
26
Let’s build the documentation
• Scenario 1: Computer/peripherals purchase
• Scenario 2: Cash Withdrawal on UD credit card
• Scenario 3: Amazon.com purchase
4/25/2013 Internal Audit/Research Training 51
Scenario 1: Computer & computer peripherals purchased on federal award
• Examine receipts: are they complete?
• Documentation requirements: are they met?
• Charges: are they allowable?
4/25/2013 Internal Audit/Research Training 52
4/16/2013
27
4/25/2013 Internal Audit/Research Training 53
4/25/2013 Internal Audit/Research Training 54
4/16/2013
28
4/25/2013 Internal Audit/Research Training 55
Excerpt from Proposal Documentation
Scenario 2: Cash Withdrawal on UD credit card • Documentation requirements: are they met?
• Use of funds: is it allowable?
• Reconciliation: what is necessary?
4/25/2013 Internal Audit/Research Training 56
4/16/2013
29
4/25/13 Internal Audit/Research Training 57
Excerpt from Proposal Documentation
4/25/2013 Internal Audit/Research Training 58
4/16/2013
30
Scenario 3: Amazon.com purchase
• Documentation requirements: are they met?
• Charges: are they allowable?
• Approvals: what approvals?
4/25/2013 Internal Audit/Research Training 59
4/25/2013 Internal Audit/Research Training 60
4/16/2013
31
Receipt Documentation Excerpt
4/25/2013 Internal Audit/Research Training 61
Audits... • Are necessary
• Should not be feared
• Validate good business processes
4/25/2013 Internal Audit/Research Training 62
Documentation... • Validate expenses
• Can be obtained in many ways
• Ensures good monitoring /business processes
In summary
4/16/2013
32
Questions? Contacts
Janet Ianni – Associate Director, Post Award Administration
Cheryl Morris, Sr. Auditor – Information Technology
Maria Poole - Audit Specialist
Eileen Burns - Business Administrator II, Chemistry & Biology
Ian Janssen - Director, Archives
4/25/2013 Internal Audit/Research Training 63