FAQ

The first interaction many clients have with Internal Audit is when they become aware of an impending audit engagement -- when they receive a call or memo from the Internal Audit Director informing them that the lead auditor will soon be in touch in order to schedule an entrance meeting. This introduction to the engagement may leave the client wondering, "Why am I being audited?" or "What did I do wrong?" These questions may be followed by confusion of the engagement process and how to prepare for the review. Some clients are even confused as to what an Internal Auditor does and the role the Internal Audit department plays at the University.

In order for the engagement process to be successful it is important that the audit client understand its role in the audit and be familiar with the Internal Audit function and audit process at West Virginia University.  We will work with you to explain our respective roles in the audit process and what you should expect.  To further aid in this understanding, we provide the following list of frequently asked questions about Internal Audit, the audit process and other related topics.

Audits and the Audit Process
Internal Audit's Function/Role
    External Audits
    Internal Controls
    Fraud and Ethics
    Governance
    Employee Resources

    Audits and the Audit Process

    • How long will our audit take?

      The length of time it takes to complete an audit varies significantly, depending on the audit scope and objectives, operational complexities, the cooperation and availability of the client, and strength of the area's internal controls. Some audits may take as little as a couple of weeks and others can take several months. The audit is a dynamic process, the scope of which can be expanded or reduced at any time depending on the issues uncovered as the audit proceeds.

      The Lead Auditor assigned to the audit will do their best to estimate the time needed to complete the audit and keep you informed of significant changes.

      Back to Top

        • Will the audit interfere with normal workflow within my department?
          Inevitably there will be some disruption within the department's daily schedule. However, we try to keep this disruption to a minimum and will work with you to schedule our meetings with department, unit or function personnel at a mutually convenient time.

          Back to Top
          • How do you select areas for review?
          Most audits are scheduled following an annual University-wide risk assessment performed by Internal Audit, resulting in a project plan approved by the Audit Committee of the Board of Governors.  The risk assessment considers several factors (such as the size of the unit, regulatory requirements, its inherent complexity, resources, recent changes in management or organizational structure, time since the last audit, etc.) to schedule audit projects that can be useful in helping the University reach its goals. Other audits are requested by Management or may result from investigations conducted. More about our audit selection process can be found here.

          Back to Top
          • What are the Benefits of an audit for my department, unit or function?

          The overall goal of a typical audit is to provide the department, unit or function being reviewed with an assessment of their control environment and compliance with appropriate policies, procedures, laws, regulations and other requirements of senior management and the University.

          A secondary goal of our audit is to make recommendations, if necessary, that are aimed to improve the efficiency and/or effectiveness by which certain procedures are performed. Internal Audit is uniquely qualified in this respect as a result of our professionally trained, experienced staff and because it has broad exposure to operations throughout the University.  We can therefore relate our experiences to the department, function and unit being reviewed. 

          Back to Top

          • Are auditors looking for fraud when performing audits?

            Generally, auditors are not exclusively searching for the existence of fraud when performing audits; however, our auditing procedures could identify situations which may allow fraud to go undetected.  An adequate system of internal control and a control conscious organizational environment will help reduce the risk of fraud. We always consider the possibility of fraud as part of our audit planning process and will design procedures to examine that possibility. 

            Back to Top

            • What is the actual audit engagement process? What should we expect?

            See the explanation of audit phases.

            • Will I be notified of a scheduled audit for my department?

            Yes. For non-routine audits Internal Audit provides notice via telephone call, e-mail or memo.  We will then work with you to schedule an entrance meeting where we will discuss the initial scope and objectives and discuss our audit process.

            Back to Top

            • How can I prepare for an audit?

            Learning about the types of audits we perform and the audit process will be very helpful as you prepare for the audit.

            For scheduled audits, Internal Audit will communicate in advance to the department, unit or function and senior management about an upcoming audit. We may submit an initial request for information to the unit or department. This request may include general department information, which aids us in gaining an understanding of the department, unit and function being reviewed.  After being notified, you can start preparing for an audit by doing the following (not a comprehensive list):

              • Make ready for release to the audit team, the department's organization chart, list of key personnel and their job descriptions, pertinent process flowcharts, operating policies and procedures.
              • If applicable, make available the copies of recent external audit reports completed on your department within the audit period.
              • If there are known operational issues relevant to the audit scope, disclose those to the auditor at the outset.
              • Inform the department staff about the upcoming audit and encourage full cooperation with the Internal Audit team.
              • If applicable, assign areas of the audit scope to key employees so they can effectively plan and prepare to respond to audit requests. 
              • Contact the audit team, before, during or after the audit, if you have any questions or comments.
            Back to Top
              • What are internal auditors looking for?

              We are primarily auditing for compliance with University policies and procedures and evaluating the design and effectiveness of internal controls.  Our mission, as described in our charter, is to help Management protect University assets, ensure compliance with regulations, policies and procedures, ensure efficient and effective operations, and to help ensure the integrity and reliability of information systems. Therefore, our audits are designed to accomplish that mission. 

              Back to Top

              • What information will I need to provide the auditors?

              Prior to our review, we may submit an initial request for information to the unit or department. This request may include general department information, which aids us in gaining an understanding of the department, unit and function being reviewed. When we begin the fieldwork segment of our review, the department, unit or function will need to provide us with various details supporting the transactions we are testing. 

              Back to Top

              • How is the scope of the audit engagement determined?
                • The scope of the audit engagement is determined from one or more of the following:  Information collected during a preliminary survey, which includes interviews with the appropriate client personnel
                • Assessment of risk associated with the client's functions 
                • Client or other Management requests concerning topics, functions and/or time frames

              Sometimes discoveries or events that occur during performance of the audit can change the scope of an engagement. If this should happen, the client is notified if the scope changes significantly. 

              Back to Top

              • How are the results of the audit reported? Who gets the audit report?

              You will be kept informed of the auditor’s findings throughout the course of the audit.  If an issue is identified during the audit where improvements can be made in operations or internal control, it will be discussed with you initially, and prior to any written reports, to ensure our understanding of the facts is correct.  We will also work with you to come to agreement on how best to remedy the problem. Internal Audit’s observations, recommendations, and Management’s action plan will be described in the audit report. Click the link for more details on the reporting process and report distribution.

              Back to Top

              • Can a department/unit request an audit?

              Yes. We consider Management requests for audit work, although our ability to perform the audit might be affected by the relative risks involved, our staffing levels or current obligations. We may also review your concern as part of the audit risk assessment process and consider it for the next year’s audit plan. 

              Back to Top

              • Why would I want to request an audit?

              Audits to evaluate a unit’s operations and system of controls can be very beneficial. Our auditors are trained to consider your operational objectives and then evaluate risks to your ability to achieve those objectives. If a department has recently adopted significant operational changes, or implemented newly installed computer systems, an internal audit can aid Management in reviewing the new procedures to examine the internal control design and effectiveness. You should also consider engaging us in advance of any such changes. Periodic audits are recommended to ensure overall compliance with University policies and procedures and the unit’s operational procedures. Because Internal Audit is functionally and organizationally independent of the department, our evaluation will be objective and free of any potential bias that may result from a review by department resources.

              Back to Top

              • Can I request Internal Audit's assistance/advice?

              Any member of management can contact Internal Audit staff members via telephone or email for our audit services, to consult on a specific issue or ask questions. Your request will be reviewed by our staff and our Director will decide how to best meet your needs.

              Back to Top

              • What happens when Internal Audit identifies a deficiency or instance of non-compliance?

              We will fully explore the issue with you and will typically develop an observation and recommendation for inclusion in the final audit report. All issues will be fully vetted with the unit's management and we'll coordinate with the appropriate personnel to develop a recommendation best suited for the unit's individual needs. 

              Back to Top

              • Doesn’t Internal Audit only audit financial information?

              That is a common misunderstanding.  While Internal Auditors generally come from financial accounting and auditing roles, we are experts in evaluating all types of risks and controls – whether financial, operational, or compliance. See Audit Services Provided for more information.

              Back to Top

              • Why have other auditors also audited my department?

              In addition to being audited by Internal Audit, areas, units and departments within the University may also be audited by external auditors. These audits may be in regards to the University’s annual financial audit, in relation to a specific grant or contract or some other reason.  Where possible, we try to eliminate or reduce duplication of effort by using the results of any other recent audits. 

              Back to Top

              Internal Audit’s Function/Role

              • What is Internal Auditing?

              When most people think of auditing the first thing that comes to mind is financial auditing. While this is an important aspect of auditing, it is only one small facet of Internal Audit’s role. The Institute of Internal Auditors (IIA) defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

              The primary purpose of Internal Audit is to assist the Board of Governors and all levels of University management in the effective discharge of their responsibilities through consulting and performing independent audits, reviews, and investigations. Internal Audit also serves as a liaison between management and all external auditors.  Our charter outlines Internal Audit’s mission, authority, responsibility and describes our reporting relationship with the BOG and management. 

              Back to Top

              • What is the scope of Internal Audit authority?

              In accordance with our audit charter, Internal Audit has unrestricted access to all records, assets, personnel, and other resources of the University, which are necessary to accomplish our objectives. 

              Back to Top

              • Why does WVU have an Internal Audit function?

              The existence of a qualified, professionally staffed Internal Audit function demonstrates the commitment of WVU management and the Board of Governors to a strong system of governance and effective, efficient, and ethical operations. Internal Audit operates to help ensure:

                • the safeguarding of assets
                • the reliability and integrity of information systems
                • compliance with policies, plans, laws, and regulations, and
                • the economical and efficient use of resources.

              WVU management is responsible for establishing and maintaining a system of internal controls. Internal Audit assists both management and the Board of Governors, specifically the Audit Committee, in fulfilling their responsibilities by bringing a systematic disciplined approach to objectively assessing the effectiveness of the design and execution of the system of internal controls and risk management processes. This provides University management, the Audit Committee, and external stakeholders with independent assurance that the University's risks have been appropriately mitigated. 

              Back to Top

              • Is the Internal Audit Office part of the Office of Strategic Initiatives or Division of Finance?

              No. While we often work closely with University administration and management, Internal Audit has a solid-line reporting relationship to the Board of Governor’s Audit Committee reports administratively to the WVU President’s Office.  This arrangement helps ensure Internal Audit’s independence and objectivity in performance of our work. 

              Back to Top

              • Are Internal Auditors employees of West Virginia University?

              Yes. All employees of the Internal Audit are West Virginia University employees.

              • How do we know Internal Audit will be objective and independent?

              Internal Auditors are subject to ethics rules established by the Institute of Internal Auditors which require independence and objectivity in our work. Our auditors take their professional reputation and integrity seriously. Independence is achieved through the Internal Audit reporting relationship to the Audit Committee and the WVU President’s Office.  This independence strengthens Internal Audit’s ability to remain objective in the conduct of our work. 

              Back to Top

              External Audits

              • What's the difference between external and Internal Auditors?

              Internal Audit is staffed by professional auditors who are employees of WVU. Internal Audit operates to help ensure:

                • the safeguarding of assets
                • the reliability and integrity of information systems
                • compliance with policies, plans, laws, and regulations, and
                • the economical and efficient use of resources.
              External auditors can be government auditors, a contracted audit firm, professional organizations, or independent public accounting firms that the University hires. Government auditors focus primarily on compliance with government regulations and award terms. Since both federal and state governments fund a significant portion of the University's activities, they want to make sure we use their money as they intended.

              Independent public accounting firms are external auditors who review the University's annual financial statements to ensure the information presented accurately portrays WVU’s financial condition. Government agencies, the Board of Governors, bond rating agencies and others rely on the independent auditor's opinion of WVU's financial statements.

              Back to Top

              • What if an external auditor contacts me?

              Internal Audit should be notified of all external audit requests. A form is provided by Internal Audit to facilitate this notification.  Internal Audit will monitor the external audit activity and advise the business unit as needed.  We keep the Audit Committee apprised of external audit activity as well. 

              Back to Top

              Internal Controls

              • What are internal controls?

              An internal control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization's objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures.  It is the responsibility of management to ensure that appropriate controls are implemented and functioning to support the achievement of unit objectives.   

              Back to Top

              • Are there different types of internal controls?

              Yes, generally speaking there are two types of internal controls: preventative and detective controls.

              Preventative Controls are designed to prevent errors or irregularities from occurring. (Example: processing vouchers only after approval signatures have been obtained; system input validations that require a particular type of data.)

              Detective Controls are designed to find errors or irregularities after they have occurred. (Example: reconciling monthly account statements.) 

              Back to Top

              • Why should I care about Internal Controls – Isn’t Internal Audit responsible for them?

              No, Internal Audit is not responsible for internal controls. We play a role in our system of internal controls by performing evaluations and making recommendations for improving internal controls.

              Management of the University is responsible for establishing, maintaining and promoting effective business practices and effective internal controls. However, virtually all employees play some role in effecting internal controls. Systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management. 

              Back to Top

              • How can I be sure my unit has appropriate controls?

              You can contact Internal Audit with questions about your processes and controls and we will be glad to provide you with expert advice.  You can also request an internal audit. Note that our ability to perform a full audit might be affected by the relative risks involved, our staffing levels or current obligations. We may also review your concern as part of the audit risk assessment process and consider it for the next year’s audit plan.

              Back to Top

              Fraud and Ethics

              • What is Fraud?

              The Association of Certified Fraud Examiners defines occupational fraud as “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resource or assets.”  Elements present for an employee to commit fraud include opportunity, a low chance of being caught, rationalization by the individual that the action is not a crime, and justification of the ends versus the means.  It has been estimated that US businesses lose over $600 billion to fraud each year and that the average organization may lose 5% of revenue to fraud. 

              Back to Top

              • How is Fraud detected?

              Fraud is found through a number of different methods.  Tips are consistently the most common form of discovery. In a 2014 report by the Association of Certified Fraud Examiners 42% of fraud was detected from tips from individuals, followed by 16% through management reviews, and 14% by Internal Audit.

              It is important to the University that all employees take responsibility for reporting suspected fraud or illegal activities.  Internal Audit has established the EthicsLine to aid in this reporting process.  

              Back to Top

              • What is Internal Audit’s role in preventing, detecting and investigating fraud?

              While Internal Audit considers the possibility of fraud in nearly all audit projects, employees and management also need to be aware of “red flags” of suspicious activity and take corrective action if needed or report the activity. When something suspicious is identified, Internal Auditors can help determine its effect and evaluate the situation with financial analysis, observation or other methods to review and test a weakness of established controls.  If a review confirms potential fraud, a formal investigation is often the next step, which may include  General Counsel and/or the WVU Police Department.

              Back to Top

              • What should I do if I suspect someone is involved in something illegal or unethical?

              WVU encourages employees, whenever possible, to first discuss concerns with their supervisors or other appropriate University office or administrator. The University will not take retaliatory actions against employees or constituents who make good faith reports about potential misconduct. Specific protections are provided through the WV State Whistle-blower Law, available here

              WVU also provides the EthicsLine as an anonymous hotline for employees, students, and constituents of all campuses to report suspected unethical behavior or possible violations of the University's policies. The issues reported will be reviewed by the appropriate officials to determine if further investigation and actions are warranted. You may also call the EthicsLine toll-free at 866-413-1955. 

              Back to Top

              • What is the WVU EthicsLine?

              West Virginia University holds itself to the highest ethical standards. For this reason, the University has joined with NAVEX Global EthicsPoint to establish WVU EthicsLine, an anonymous hotline system for reporting suspected fraud or other illegal activities, unethical behavior or policy violations. WVU EthicsLine has three options available to anyone to submit an anonymous report:

              o   Browser-friendly reporting via https://wvu.ethicspoint.com

              o   Mobile-friendly reporting via https://wvu.navexone.com

              o   Reporting by phone at 866-413-1955. NAVEX Global EthicsPoint employees are available 24 hours a day,                    7 days a week.

              Back to Top

              • If I submit an EthicsLine report, will my identity be kept a secret?

              WVU’s EthicsLine is hosted on the NAVEX Global EthicsPoint’s third-party secure server, which is separate from WVU’s network. WVU does not receive identifying data or any other information about persons who choose to make a report without sharing their identity. While the EthicsPoint report system provides a field to share contact information, it is not required in order to submit a report.

              Back to Top
              • Why should I report what I know about potential fraud or wrongdoing? What ’s in it for me?

              We all have the right to work in a positive environment and with that right, comes the responsibility of acting in an ethical manner and letting the appropriate people know if someone is not acting appropriately. In addition, as stewards of public funds we all have a responsibility to the public to ensure these funds are expended in accordance with legal requirements.      

              Back to Top

              • What type of situations should I report to EthicsLine?

              The EthicsLine is currently designed to receive reports regarding accounting and financial matters, research administration and compliance, issues involving information technology (IT), athletics/NCAA compliance and the WVU Alumni Association. When submitting a report, please ensure to select the report option that is most relevant to the matter you are reporting.

              WVU also provides other reporting and issue resolution resources. Below is a non-inclusive list of these resources:

              Back to Top

              • Where do these EthicsLine reports go? Who can access them?

              WVU EthicsLine reports are entered directly on NAVEX Global EthicsPoint's secure server to prevent any possible breach in security. These reports are accessible to only to a few select specific individuals at WVU, including Internal Audit, who are charged with evaluating the appropriate response for all matters reported. 

              Back to Top

              • What if I remember something important about the incident after I filed the EthicsLine report? Or what if the university has further questions for me concerning my report?

              When you file a report at the EthicsLine browser or mobile website or by phone, you are able to receive an anonymous report key and are asked to choose a password. The report key enables you to anonymously return to the report you submitted, which will allow you to submit additional information. We strongly suggest that you return to the site in five business days after submitting your report, as the University may attempt to request additional information from you. 

              Back to Top

              • Will the University tell me what happens to my report?

              WVU is committed to ensuring that all EthicsLine reports—regardless of topic—are subjected to an appropriate review and/or response.

              The University will post a response once it has completed its review, but details will generally not be provided.

              Governance

              • What do we mean by Governance?

              Governance is the combination of processes and structures implemented by the board or other governing body to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives. 

              Back to Top

              • What does the Board of Governors’ Audit Committee do?

              The Audit Committee sets the overall tone for an effective internal control structure at the University, supporting quality financial reporting, sound risk practices and ethical behavior. The Audit Committee Charter provides information about the Committee’s mission, membership, duties and limitations. 

              Back to Top

              • Is Internal Audit subject to any professional standards?

              Internal Audit is governed by the International Professional Practices Framework, promulgated by the Institute of Internal Auditors .  This framework’s mandatory guidance includes the IIA Code of Ethics as well as the International Standards for the Professional Practice of Internal Auditing (Standards).  These professional standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

                • Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.
                • Interpretations, which clarify terms or concepts within the statements.

              The IA serves over 180,000 members worldwide, with more than 72,000 members in North America; providing the internal auditing profession with standards, guidance, and information on internal auditing best practices.  

              Back to Top