Office of Audit and Advisory Services
|
Policy Manual TABLE OF CONTENTS I. PREFACE Mission
Reporting
III. THE AUDIT PROCESS Selection
of Departments to Be Audited IV. THE AUDIT REPORT V. INTERFACE
WITH EXTERNAL AUDITORS MISSION To be recognized
by the University community as an integral part of the corporate governance
structure by enhancing the University's ability to achieve its mission,
goals and objectives. INTRODUCTION This manual sets
forth the standards and requirements the Georgia Southern University
Office of Audit and Advisory Services will follow in executing the
audit function and shall serve as a guideline for implementing the
work to be performed by the auditors. It is understood that the audit
guideline may not be strictly adhered to based upon the nature of
a particular assignment. The auditor is, at all times, to use professional,
reasonable judgment in his/her decision to deviate from these procedures.
Substantial deviations from the manual should be pre-approved by the
Director of the Office of Audit and Advisory Services. This manual
should be reviewed and updated periodically in order to ensure that
the Office of Audit and Advisory Services implements the most current
techniques and practices available. HISTORY In a memorandum to Dr. Nicholas L. Henry, President, Georgia Southern University, dated July 29, 1995, Stephen R. Portch, Chancellor, Board of Regents, recommended the hiring of internal auditors at several institutions in the University System and specified that Georgia Southern University had been identified as one of the institutions with this need. Dr. Henry replied on August 10, 1995, stating that an internal auditor had been hired for Georgia Southern University, effective November 14, 1994. The original Charter
for the Georgia Southern University Office of Internal Audit was approved
and signed by Dr. Henry on September 18, 1995. The Charter was
subsequently revised and approved by President Bruce F. Grube on September
13, 1999. The department changed its name to the Office of Audit
and Advisory Services in April 2000. CHARTER INTRODUCTION The Office of
Audit and Advisory Services has prepared this Charter to serve as
a guide in the performance of its duties. The Charter does not include,
nor is it intended, to include all of the Department's duties and
responsibilities as they may exist from time to time. This Charter
defines the purpose, responsibilities, authority, and scope of work
of the Office of Audit and Advisory Services. PURPOSE The overall mission
of the Office of Audit and Advisory Services is to assist Georgia
Southern University's management by providing independent evaluation
of the soundness, adequacy, and application of accounting, financial
and other operating controls necessary to accomplish the University's
objectives. Furthermore, it makes recommendations to improve systems,
processes, and internal controls designed to safeguard University
resources, promote its mission toward academic excellence, and ensure
compliance with state and federal regulations, established policies,
procedures, and sound business practices. RESPONSIBILITIES The Director is responsible for keeping the Office of the President informed of unusual transactions or other matters of significance. The responsibilities of the Office of Audit and Advisory Services include: · Developing and maintaining a comprehensive audit program for the internal controls necessary to ensure compliance with accounting standards, policies, and procedures to safeguard University funds and programs. · Conducting financial, operational, and compliance audits of departments, schools, divisions, programs, and activities. · Coordinating external audits with independent auditors and overseeing the preparation of responses to their audits. · Conducting operational reviews on the efficiency of programs upon request from the President or other members of the University's management. · Preparing reports on the results of audits, including recommendations for modification of management practices, fiscal policies, and accounting procedures as justified by audit findings. · Inspecting items in books of original entry to determine if accepted accounting procedures were followed in recording transactions. · Ensuring that audits are performed with due professional care. · Effectively communicating the results of audit reviews, both written and orally, in a timely manner. The above is only
intended to describe the general content of and requirements for the
Office of Audit and Advisory Services. It is not to be construed as
a complete list of duties, responsibilities, or requirements. Any
University administrator, vice president, manager, or other interested
party may request a special audit or examination of any portion of
the University's activities. Decisions to perform special audits rest
with the Director of Audit and Advisory Services upon consultation
with the President or as directed by the Board of Regents’ Associate
Vice Chancellor for Internal Audit or the Senior Vice Chancellor for
Capital Resources. AUTHORITY The Office of Audit and Advisory Services is an independent appraisal function reporting directly to the Office of the President. It provides management with information that may assist in the operations for which it is responsible. The Office is also subject to the provisions of the University System of Georgia Board of Regents Policy Section 710.02. As such, "the Senior Vice Chancellor for Capital Resources and Treasurer shall have the authority to direct the Internal Auditors to audit specific functions at their institutions." The Director of Audit and Advisory Services and the staff of the Office of Audit and Advisory Services are authorized to: · Have unrestricted access to all functions, records, property, and personnel relevant to the area under review to the extent permitted by law. No legitimate source of information is to be closed to the auditor. · Allocate resources, set frequencies, select subjects, determine scopes of work, and apply techniques required to accomplish audit objectives. · Obtain the necessary assistance of personnel in units of the organization where audits are performed, as well as other specialized services from within or outside the organization. It is understood that certain items are confidential in nature and special arrangements will be made by the Office of Audit and Advisory Services when examining and reporting upon such items. Documents and other materials furnished to the Office of Audit and Advisory Services will be handled in the same prudent manner as provided by the employees to whom they are normally entrusted. Independence is
essential to the effectiveness of the Office of Audit and Advisory
Services. The Director of Audit and Advisory Services and the staff
of the Office should not engage in activities that could be construed
to compromise their independence. Such activities could include initiating
or approving accounting transactions, developing or installing policies,
procedures or controls, preparing records, performing operational
duties, or engaging in activities that its personnel would normally
review and appraise. However, the Office of Audit and Advisory Services
may be consulted when new systems are designed or old systems are
redesigned to ensure that the system adequately addresses internal
controls. SCOPE OF AUDIT WORK The scope of the audit should encompass the examination and evaluation of the adequacy and effectiveness of the organization's system of internal controls and the quality of performance in carrying out assigned responsibilities. As such, the scope of audit work shall be designed to ensure the: · Reliability and integrity of information. · Compliance with policies, plans, procedures, laws, and regulations. · Safeguarding of assets. · Economical and efficient use of resources. · Accomplishment of established objectives and goals for operations or programs. STANDARDS OF AUDIT PRACTICE The Office of Audit and Advisory Services' activities will be conducted in compliance with Georgia Southern University's objectives and policies as well as the Standards for the Professional Practice of Internal Auditing and the Code of Ethics promulgated by the Institute of Internal Auditors, Inc. Approved by President
Bruce F. Grube, September 13, 1999. OBJECTIVE & SCOPE "Internal auditing is a service function. It is organized and operated primarily for the purpose of conducting audits, in accordance with professional standards, of systems of internal control, including operational controls and information systems processing applications and techniques. The evidential matter gathered from these audits forms the basis for furnishing opinions and other relevant information to affected members of management and the board of directors, or audit committees thereof, as is necessary in the opinion of the chief auditor and performing members of the audit team. Opinions and other information furnished may attest to the adequacy of internal control, the degree of compliance with established policies and procedures, and/or their effectiveness and efficiency in achieving organizational objectives. They may also recommend cost effective courses of action for management to consider in eliminating unnecessary risks identified by the audits."* The Office of Audit and Advisory Services and its staff serve the institution by helping to identify and reduce risks, ensuring that the Board of Regents' and University policies and procedures are followed and established standards are met, that resources are used efficiently and effectively, and that the University's objectives are achieved. *Internal Auditing
Manual, Second Edition, by James D. Wilson & Steven J. Root.
REPORTING "All Directors of Internal Audit at institutions having an Internal Auditor or Internal Audit Department shall have a direct reporting relationship to the President of the institution and the Senior Vice Chancellor for Capital Resources and Treasurer of the Board. The President of each institution having an Internal Auditor shall determine the organization and operating reporting relationships of the Internal Auditor at their institution. The Senior Vice Chancellor for Capital Resources and Treasurer shall have the authority to direct the Internal Auditors to audit specific functions at their institutions. The Director of Internal Audit of each System institution with an Internal Auditor shall meet at least annually with the Senior Vice Chancellor for Capital Resources and Treasurer to discuss audits, audit findings, and a proposed schedule. The Assistant Vice Chancellor for Audit and Management Advisory Services responsible for Internal Auditing and the Directors of Internal Audit for the System institutions with an Internal Auditor shall provide an annual report to an audit subcommittee of the Finance and Business Committee of the Board."* *The Policy
Manual, Board of Regents, Section 710.02, as revised April 16,
1998. JOB DESCRIPTIONS 1. Director General Description: Responsible for the design and implementation of internal audits and management reviews to assess the effectiveness of the internal controls of the institution and to evaluate the integrity of the financial data prepared and presented by the institution. The Director of Audit and Advisory Services is responsible for the evaluation and communication of internal control weaknesses, financial reporting/recording errors, and theft situations. The Director must maintain on-going contact with all management level personnel in the Financial Affairs area as well as periodic contact with management level personnel in other University areas. The Director supervises one full time and one part time employee and others as added to the department. The President of the University supervises the Director of Audit and Advisory Services. 2. Auditor II General Description:
Responsibilities include conducting financial, performance, information
system, investigative and compliance audits of departments, colleges,
divisions, programs and activities. Prepares reports on the results
of audits including recommendations for modification of management
practices and fiscal policies. PROFESSIONAL PROFICIENCY Basic Skills Although each auditor cannot be expected to be skilled in all disciplines related to internal auditing, a certain level of expertise should be maintained. The basic skills of an auditor should include an understanding of the following: · Interviewing techniques · Evaluating controls · Preparing working papers · Writing reports · Governmental accounting and auditing theory and practice · Interpersonal skills · Professional Development Professional development
is a joint responsibility between the auditor and the audit management.
The Office of Audit and Advisory Services will attempt to provide
each auditor on an annual basis at least 40 hours of continuing professional
education (CPE). The accountability of the 40 hours of CPE hours for
each auditor will be the responsibility of audit management. The Office
encourages each auditor to attend professional development sessions
held outside of the normal business office hours. Examples of these
sessions would be professional organization meetings (IIA, ISACA,
etc.), college courses and any other activity that enhances an auditor's
professional development. Each auditor is responsible for reporting
the CPE hours earned to the Office. The Office will maintain a record
of the CPE hours earned by each auditor. Staff Meetings Staff meetings
can be held to communicate information relative to the operation of
the Office or Georgia Southern University. The meeting can serve as
a forum for Office members to express their viewpoint on issues. The
meetings will be held at least quarterly or more often at the discretion
of audit management. ACTIVITY REPORTS Quarterly Reports on Findings and Audit Status On a quarterly
basis, the Office of Audit and Advisory Services compiles a summary
of audits performed during the reporting period. This report rates
both the local audit reports and those individual findings along with
audits conducted by the Board of Regents, State Department of Audits
and any other State or Federal agency. The report also indicates the
status of all audit findings regarding their implementation. In addition,
a quarterly status report on progress on the audit plan is prepared.
These reports are sent to appropriate officials at the Board of Regents,
with copies provided for the administration at the University. SELECTION OF DEPARTMENTS/UNITS TO BE AUDITED In developing an audit plan for each fiscal year, the Office of Audit and Advisory Services utilizes an instrument known as a Risk Assessment Model. This Risk Assessment Model is a survey designed to determine, through quantitative means, those auditable entities within the University that pose the highest degree of relative risk. With the assistance of the University's Vice Presidents and their staffs, values are subjectively assigned to the entities' operations using such weighted ranking criteria as: · Prior audit history · Regulatory compliance and public scrutiny · Reliance upon information technology · Dollar value and liquidity of assets · Organizational change and economic transition within the unit Using this survey, auditable areas are scored and ranked from those perceived to pose the greatest risk to those representing a lower degree of risk exposure. A tentative audit
plan is developed by the Office of Audit and Advisory Services, taking
into consideration coverage provided by the Georgia Department of
Audits and Accounts, and the Board of Regents' Office of Internal
Audit. The finalized audit plan for the fiscal year incorporates the
results of the survey with special requests and recommendations from
the University President. This final audit plan is then approved by
the University President and submitted to the Board of Regents' Associate
Vice Chancellor for Internal Audit. NOTIFICATION OF AUDIT Prior to the start
of each audit, the Director sends a letter of notification/engagement
to the appropriate Vice President and Supervisor in the department
or unit being audited. This letter describes the nature of the audit,
the anticipated start date, and asks for the cooperation of the responsible
official(s). ENTRANCE CONFERENCE An entrance conference
is scheduled with the appropriate official(s), during which the audit
objectives, timing and intended report format are discussed and a
report distribution list is requested. At this time, any necessary
background documentation is requested. The auditor makes a preliminary survey of the area under review in order to become familiar with policies and procedures that might impact the area being audited. During this time, the auditor: · Seeks to gain an understanding of existing procedures through observation, by discussions with staff and/or by review of documentation · Identifies applicable existing internal and accounting controls · Establishes the scope of the audit on the basis of the information obtained and on the risk assessment · Prepares an audit program that outlines the nature and extent of audit test work that will be performed. TYPES OF AUDITS Throughout the execution of an audit plan, the Office of Audit and Advisory Services may perform various types of audits. The types of audits the Office could perform may be of a compliance, economy and efficiency, financial, fraud or programmatic nature. The focus of an audit may emphasize a specific type (such as a compliance audit) or incorporate a combination of types. The following provides a brief description of each type of audit the Office may perform: · Compliance - assess whether an auditable area adheres to the policies, plans, procedures, laws, and regulations that impact the operations of the area. · Economy and Efficiency - assess whether an auditable area manages and utilizes the area's resources (such as personnel and property) economically and efficiently. Also, the audit should assess whether operating standards exist to measure effectiveness and efficiency, and that management monitors the standards and addresses any deviations. · Financial - assess the reliability and integrity of financial and operational information and the means used to report the information. · Fraud - assess situations or transactions indicative of fraud, abuse, or illegal acts and, if evidence exists, identify the effect of the act(s) on an area's operations. In exercising due professional care, internal auditors should be alert to the possibility of fraud. · Programmatic - assess whether the results or benefits achieved by an area are consistent with the area's established objectives and goals, and whether an area's operations or programs are carried out as planned. An auditor should
be aware that in performing different types of audits, various audit
techniques might be used to assess the activity. For greater detail
of how an auditor should perform different types of audits, an auditor
should solicit information from auditors who may have performed the
proposed audit and seek written information distributed by reputable
audit sources. The fieldwork of an audit is primarily performed in the office of the department /unit being audited. Depending upon the location and availability of records and reports, testing is often done there too. The audit work, in general, follows this pattern: Perform Audit Tests Audit tests are usually analytical in nature and are designed to determine if the controls and procedures thought to be in place are functioning efficiently and as intended. The tests are usually performed on a selected sample of transactions; therefore, they are not intended to detect all errors or irregularities that may have occurred. Document the Audit Work Performed Completed audit programs and other information gathered during an audit are assembled into files referred to as 'audit work papers.' These papers contain the results of the testing and any other pertinent documentation such as memoranda, copies of reports, reconciliations, any correspondence, etc. Conditions requiring corrective action are documented in these papers and are referred to as 'observations.' The work papers are indexed and follow an established format. Any background information that might be pertinent in future audits is maintained in a permanent work paper file. Exit Conference With Appropriate Official(s) When auditing is complete, any observations perceived as requiring corrective actions are discussed with the appropriate official(s). Suggested corrective actions are discussed and these, together with feedback from the appropriate official(s), become the basis for recommendations. Observations may be brought to the department/unit manager's attention as found or may be discussed at this time. Draft Audit Report The auditor in charge of the audit is responsible for preparing a report summarizing observations and recommendations. Review Audit Work The Director of Audit and Advisory Services reviews the work papers and approves the draft audit report. Circulate Preliminary Draft of Audit Report A preliminary draft of the proposed audit report is circulated to the appropriate official(s) for comments on observations. This gives the department/unit being audited an opportunity to verify the facts disclosed in the observations and to ensure the accuracy of the report. The department/unit manager(s) is/are given a period of time in which to request a meeting with the auditors to discuss these observations and to make comments/responses that will be included in the final report. After the responses have been received, they are reviewed by the auditor and by the Director to determine what, if any, change may be needed to present a fair and accurate audit report. Every effort is made to correct any misleading or ambiguous statements or those statements that could be liable to incorrect interpretation. Final Draft of Audit Report After the preliminary report has been modified, if necessary, to correct factual inaccuracies or disputed wording, a final draft of the audit report is compiled to include the responses of the appropriate officials(s). Each response is listed immediately following the observation/recommendation to which it refers. Issuance of Audit Report A final audit report, including department/unit manager's responses, is prepared and submitted to the President with copies to the appropriate vice president(s), department/unit administrator(s), and the Board of Regents. Follow-Up Within the first
6 months following issuance of the audit report, plans or actions
taken by the department/unit to correct observations will be reviewed.
If it does not appear that the department/unit has adequately implemented
corrective actions as indicated in the report, additional discussions
will be held with the appropriate vice president(s) and administrator(s)
to determine final disposition. Executive Summary This section provides a general summary of the scope and objectives of the audit and a synopsis of observations and recommendations. Introduction This section provides a rationalization for the audit performed, including any explanatory material. A definition of the department/unit being audited is given, if needed, and the date of entrance is noted. Organizational Structure This section provides an overview of the management of the department/unit being audited, along with explanations of assigned areas of responsibility with the department/unit. Purpose This section states the purpose of the specific audit (i.e., to obtain a general understanding of the department/unit's activities and objectives, to verify the accuracy of financial statement, etc.). Scope and Objectives This section lists the individual objectives(s) for the audit together with an explanation of each. The materials reviewed to accomplish each objective are listed. Results of Review Observations,
recommendations and responses from the department/unit manager(s)
are included in this section. V. INTERFACE WITH EXTERNAL AUDITORS INTRODUCTION Auditors should conduct their examinations in a manner that allows for maximum efficiency and coordination with independent outside auditors - principally the State Department of Audits and the Board of Regents' Audit Department. When the three groups interact effectively, they can complement each other's efforts and minimize the possibility of duplicate effort. The Director of
Audit and Advisory Services at the University functions as a liaison
between University officials and any external auditor. The Office
of Audit and Advisory Services provides copies of its audit reports
to the external auditors and cooperates fully in providing any requested
assistance. Effective communication and an adequate understanding of each other's work are key elements to the coordination of efforts between the Office and independent outside auditors. · Coordination of audit efforts may involve: · Periodic meetings to discuss topics of mutual interest · Access to each other's audit programs and working papers · Exchange of audit reports and management letters · Understanding each other's audit techniques and terminology The Director of Audit and Advisory Services will schedule meetings with independent outside auditors to discuss the coordination of audit efforts and other issues. The independent outside auditor will have access, after seeking permission from the Director of Audit and Advisory Services, to the Office's audit programs, working papers, and audit reports. The Director may solicit the independent outside auditors for suggestions in regard to the formation of the Office's audit plan. Before an internal auditor can rely on the work of an independent outside auditor, the internal auditor must assess the adequacy of the scope of work performed by the independent outside auditor. The internal auditor can assess the adequacy of the scope of work by reviewing the independent outside auditor's audit programs, working papers, and audit reports. An auditor has the responsibility to keep confidential the information contained within the audit programs, working papers, and reports of an independent outside auditor. |