The first interaction many clients have with Internal Audit is when they become aware of an impending audit engagement -- when they receive a call or memo from the Internal Audit Director informing them that the lead auditor will soon be in touch in order to schedule an entrance meeting. This introduction to the engagement may leave the client wondering, "Why am I being audited?" or "What did I do wrong?" These questions may be followed by confusion of the engagement process and how to prepare for the review. Some clients are even confused as to what an Internal Auditor does and the role the Internal Audit department plays at the University.
In order for the engagement process to be successful it is important that the audit client understand its role in the audit and be familiar with the Internal Audit function and audit process at West Virginia University. We will work with you to explain our respective roles in the audit process and what you should expect. To further aid in this understanding, we provide the following list of frequently asked questions about Internal Audit, the audit process and other related topics.The length of time it takes to complete an audit varies significantly, depending
on the audit scope and objectives, operational complexities, the cooperation and
availability of the client, and strength of the area's internal controls. Some
audits may take as little as a couple of weeks and others can take several months.
The audit is a dynamic process, the scope of which can be expanded or reduced at
any time depending on the issues uncovered as the audit proceeds.
The Lead Auditor assigned to the audit will do their best to estimate the time
needed to complete the audit and keep you informed of significant changes.
Back to Top
The overall goal of a typical audit is to provide the department, unit or function being reviewed with an assessment of their control environment and compliance with appropriate policies, procedures, laws, regulations and other requirements of senior management and the University.
A secondary goal of our audit is to make recommendations, if necessary, that are aimed to improve the efficiency and/or effectiveness by which certain procedures are performed. Internal Audit is uniquely qualified in this respect as a result of our professionally trained, experienced staff and because it has broad exposure to operations throughout the University. We can therefore relate our experiences to the department, function and unit being reviewed.
Generally, auditors are not exclusively searching for the existence of fraud when performing audits; however, our auditing procedures could identify situations which may allow fraud to go undetected. An adequate system of internal control and a control conscious organizational environment will help reduce the risk of fraud. We always consider the possibility of fraud as part of our audit planning process and will design procedures to examine that possibility.
See the explanation of
audit phases.
Yes. For non-routine audits Internal Audit provides notice via telephone call, e-mail or memo. We will then work with you to schedule an entrance meeting where we will discuss the initial scope and objectives and discuss our audit process.
Learning about the
types of audits we perform and the
audit process
will be very helpful as you prepare for the audit.
For scheduled audits, Internal Audit will communicate in advance to the department,
unit or function and senior management about an upcoming audit. We may submit an
initial request for information to the unit or department. This request may include
general department information, which aids us in gaining an understanding of the
department, unit and function being reviewed. After being notified, you can
start preparing for an audit by doing the following (not a comprehensive list):
We are primarily auditing for compliance with University policies and procedures and evaluating the design and effectiveness of internal controls. Our mission, as described in our charter, is to help Management protect University assets, ensure compliance with regulations, policies and procedures, ensure efficient and effective operations, and to help ensure the integrity and reliability of information systems. Therefore, our audits are designed to accomplish that mission.
Prior to our review, we may submit an initial request for information to the unit or department. This request may include general department information, which aids us in gaining an understanding of the department, unit and function being reviewed. When we begin the fieldwork segment of our review, the department, unit or function will need to provide us with various details supporting the transactions we are testing.
Sometimes discoveries or events that occur during performance of the audit can change the scope of an engagement. If this should happen, the client is notified if the scope changes significantly.
You will be kept informed of the auditor’s findings throughout the course of the audit. If an issue is identified during the audit where improvements can be made in operations or internal control, it will be discussed with you initially, and prior to any written reports, to ensure our understanding of the facts is correct. We will also work with you to come to agreement on how best to remedy the problem. Internal Audit’s observations, recommendations, and Management’s action plan will be described in the audit report. Click the link for more details on the reporting process and report distribution.
Yes. We consider Management requests for audit work, although our ability to perform the audit might be affected by the relative risks involved, our staffing levels or current obligations. We may also review your concern as part of the audit risk assessment process and consider it for the next year’s audit plan.
Audits to evaluate a unit’s operations and system of controls can be very beneficial. Our auditors are trained to consider your operational objectives and then evaluate risks to your ability to achieve those objectives. If a department has recently adopted significant operational changes, or implemented newly installed computer systems, an internal audit can aid Management in reviewing the new procedures to examine the internal control design and effectiveness. You should also consider engaging us in advance of any such changes. Periodic audits are recommended to ensure overall compliance with University policies and procedures and the unit’s operational procedures. Because Internal Audit is functionally and organizationally independent of the department, our evaluation will be objective and free of any potential bias that may result from a review by department resources.
Any member of management can contact Internal Audit staff members via telephone or
email for our audit services, to consult on a specific issue or
ask questions. Your request will be reviewed by our staff and our Director
will decide how to best meet your needs.
Back to Top
We will fully explore the issue with you and will typically develop an observation and recommendation for inclusion in the final audit report. All issues will be fully vetted with the unit's management and we'll coordinate with the appropriate personnel to develop a recommendation best suited for the unit's individual needs.
That is a common misunderstanding. While Internal Auditors generally come
from financial accounting and auditing roles, we are experts in evaluating all
types of risks and controls – whether financial, operational, or compliance.
See
Audit Services Provided for more information.
Back to Top
In addition to being audited by Internal Audit, areas, units and departments within the University may also be audited by external auditors. These audits may be in regards to the University’s annual financial audit, in relation to a specific grant or contract or some other reason. Where possible, we try to eliminate or reduce duplication of effort by using the results of any other recent audits.
When most people think of auditing the first thing that comes to mind is financial
auditing. While this is an important aspect of auditing, it is only one small facet
of Internal Audit’s role. The
Institute of Internal Auditors
(IIA) defines internal auditing as
"an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.”
The primary purpose of Internal Audit is to assist the
Board of Governors
and all levels of University management in the effective discharge of their responsibilities
through consulting and performing independent audits, reviews, and investigations.
Internal Audit also serves as a liaison between management and all external auditors.
Our
charter
outlines Internal Audit’s mission, authority, responsibility and describes our
reporting relationship with the BOG and management.
In accordance with our audit charter, Internal Audit has unrestricted access to all records, assets, personnel, and other resources of the University, which are necessary to accomplish our objectives.
The existence of a qualified, professionally staffed Internal Audit function demonstrates
the commitment of WVU management and the
Board of Governors to a strong system of
governance
and effective, efficient, and ethical operations. Internal Audit operates
to help ensure:
WVU management is responsible for establishing and maintaining a system of internal controls. Internal Audit assists both management and the Board of Governors, specifically the Audit Committee, in fulfilling their responsibilities by bringing a systematic disciplined approach to objectively assessing the effectiveness of the design and execution of the system of internal controls and risk management processes. This provides University management, the Audit Committee, and external stakeholders with independent assurance that the University's risks have been appropriately mitigated.
No. While we often work closely with University administration and management, Internal Audit has a solid-line reporting relationship to the Board of Governor’s Audit Committee reports administratively to the WVU President’s Office. This arrangement helps ensure Internal Audit’s independence and objectivity in performance of our work.
Yes. All employees of the Internal Audit are West Virginia University employees.
Internal Auditors are subject to ethics rules established by the Institute of Internal Auditors which require independence and objectivity in our work. Our auditors take their professional reputation and integrity seriously. Independence is achieved through the Internal Audit reporting relationship to the Audit Committee and the WVU President’s Office. This independence strengthens Internal Audit’s ability to remain objective in the conduct of our work.
Internal Audit is staffed by professional auditors who are employees of WVU. Internal Audit operates to help ensure:
Independent public accounting firms are external auditors who review the University's
annual financial statements to ensure the information presented accurately portrays
WVU’s financial condition. Government agencies, the
Board of Governors, bond rating agencies and others rely on the independent
auditor's opinion of WVU's financial statements.
Back to Top
Internal Audit should be notified of all external audit requests. A form is provided by Internal Audit to facilitate this notification. Internal Audit will monitor the external audit activity and advise the business unit as needed. We keep the Audit Committee apprised of external audit activity as well.
An internal control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization's objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures. It is the responsibility of management to ensure that appropriate controls are implemented and functioning to support the achievement of unit objectives.
Yes, generally speaking there are two types of internal controls: preventative and detective controls.
Preventative Controls are designed to prevent errors or irregularities from occurring. (Example: processing vouchers only after approval signatures have been obtained; system input validations that require a particular type of data.)
Detective Controls are designed to find errors or irregularities after they have occurred. (Example: reconciling monthly account statements.)
No, Internal Audit is not responsible for internal controls. We play a role in our system of internal controls by performing evaluations and making recommendations for improving internal controls.
Management of the University is responsible for establishing, maintaining and promoting effective business practices and effective internal controls. However, virtually all employees play some role in effecting internal controls. Systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.
You can contact Internal Audit with questions about your processes and controls and
we will be glad to provide you with expert advice. You can also request an
internal audit. Note that our ability to perform a full audit might be affected
by the relative risks involved, our staffing levels or current obligations. We
may also review your concern as part of the audit risk assessment process and consider
it for the next year’s audit plan.
Back to Top
The Association of Certified Fraud Examiners defines occupational fraud as “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resource or assets.” Elements present for an employee to commit fraud include opportunity, a low chance of being caught, rationalization by the individual that the action is not a crime, and justification of the ends versus the means. It has been estimated that US businesses lose over $600 billion to fraud each year and that the average organization may lose 5% of revenue to fraud.
Fraud is found through a number of different methods. Tips are consistently
the most common form of discovery. In a 2014 report by the
Association of Certified Fraud Examiners 42% of fraud was detected from tips
from individuals, followed by 16% through management reviews, and 14% by Internal
Audit.
It is important to the University that all employees take responsibility for reporting
suspected fraud or illegal activities. Internal Audit has established the
EthicsLine
to aid in this reporting process.
While Internal Audit considers the possibility of fraud in nearly all audit projects,
employees and management also need to be aware of “red flags” of suspicious activity
and take corrective action if needed or report the activity. When something suspicious
is identified, Internal Auditors can help determine its effect and evaluate the
situation with financial analysis, observation or other methods to review and test
a weakness of established controls. If a review confirms potential fraud,
a formal investigation is often the next step, which may include
General Counsel
and/or the
WVU Police Department.
WVU encourages employees, whenever possible, to first discuss concerns with their supervisors or other appropriate University office or administrator. The University will not take retaliatory actions against employees or constituents who make good faith reports about potential misconduct. Specific protections are provided through the WV State Whistle-blower Law, available here.
WVU also provides the EthicsLine as an anonymous hotline for employees, students, and constituents of all campuses to report suspected unethical behavior or possible violations of the University's policies. The issues reported will be reviewed by the appropriate officials to determine if further investigation and actions are warranted. You may also call the EthicsLine toll-free at 866-413-1955.
West Virginia University holds itself to the highest ethical standards. For this
reason, the University has joined with NAVEX Global EthicsPoint to establish
WVU EthicsLine, an anonymous hotline system for reporting suspected fraud or other illegal activities, unethical behavior or policy violations. WVU EthicsLine has
three options available to anyone to submit an anonymous report:
o Browser-friendly reporting via https://wvu.ethicspoint.com
o Mobile-friendly reporting via https://wvu.navexone.com
o Reporting by phone at 866-413-1955. NAVEX Global EthicsPoint employees are available 24 hours a day, 7 days a week.
WVU’s EthicsLine is hosted on the NAVEX Global EthicsPoint’s third-party secure server, which is separate from WVU’s network. WVU does not receive identifying data or any other information about persons who choose to make a report without sharing their identity. While the EthicsPoint report system provides a field to share contact information, it is not required in order to submit a report.
Back to TopWe all have the right to work in a positive environment and with that right, comes the responsibility of acting in an ethical manner and letting the appropriate people know if someone is not acting appropriately. In addition, as stewards of public funds we all have a responsibility to the public to ensure these funds are expended in accordance with legal requirements.
The EthicsLine is currently designed to receive reports regarding accounting and
financial matters, research administration and compliance, issues involving information
technology (IT), athletics/NCAA compliance and the WVU Alumni Association. When submitting a report, please
ensure to select the report option that is most relevant to the matter you are
reporting.
WVU also provides other reporting and issue resolution resources. Below is a non-inclusive
list of these resources:
- Emergencies - Dial 911 or go to emergency.wvu.edu
- Non-emergency criminal activity - WVU Police Department
- Other WVU Safety Resources - safety.wvu.edu
- Title IX Reporting including sexual assault, misconduct, harassment, stalking, or child abuse and neglect - WVU Title IX Coordinator at the Division of Diversity, Equity and Inclusion
- Workplace discrimination or harassment - WVU Talent and Culture Office of Equal Opportunity and Affirmative Action
- Other employee conduct matters - WVU Talent and Culture Employee Relations Unit
- Student conduct, including student academic integrity - WVU Office of Student Rights and Responsibilities
- Environmental health and safety - WVU Department of Environmental Health and Safety
- Academic, housing, or transportation accessibility accommodations - WVU Office of Accessibility Services
WVU EthicsLine reports are entered directly on NAVEX Global EthicsPoint's secure server to prevent any possible breach in security. These reports are accessible to only to a few select specific individuals at WVU, including Internal Audit, who are charged with evaluating the appropriate response for all matters reported.
When you file a report at the EthicsLine browser or mobile website or by phone, you are able to receive an anonymous report key and are asked to choose a password. The report key enables you to anonymously return to the report you submitted, which will allow you to submit additional information. We strongly suggest that you return to the site in five business days after submitting your report, as the University may attempt to request additional information from you.
WVU is committed to ensuring that all EthicsLine reports—regardless of topic—are subjected to an appropriate review and/or response.
The University will post a response once it has completed its review, but details will generally not be provided.
Governance is the combination of processes and structures implemented by the board or other governing body to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
The Audit Committee sets the overall tone for an effective internal control structure at the University, supporting quality financial reporting, sound risk practices and ethical behavior. The Audit Committee Charter provides information about the Committee’s mission, membership, duties and limitations.
Internal Audit is governed by the International Professional Practices Framework,
promulgated by the
Institute of Internal Auditors
. This framework’s mandatory guidance includes the IIA
Code of Ethics as well as the
International Standards for the Professional Practice of Internal Auditing (Standards).
These professional standards are principle-focused and provide a framework for
performing and promoting internal auditing. The Standards are mandatory requirements
consisting of:
The IA serves over 180,000 members worldwide, with more than 72,000 members in North America; providing the internal auditing profession with standards, guidance, and information on internal auditing best practices.