The first interaction many clients have with Internal Audit is when they become aware of an impending audit engagement -- when they receive a call or memo from the Internal Audit Director informing them that the lead auditor will soon be in touch in order to schedule an entrance meeting. This introduction to the engagement may leave the client wondering, "Why am I being audited?" or "What did I do wrong?" These questions may be followed by confusion of the engagement process and how to prepare for the review. Some clients are even confused as to what an Internal Auditor does and the role the Internal Audit department plays at the University.In order for the engagement process to be successful it is important that the audit client understand its role in the audit and be familiar with the Internal Audit function and audit process at West Virginia University. We will work with you to explain our respective roles in the audit process and what you should expect. To further aid in this understanding, we provide the following list of frequently asked questions about Internal Audit, the audit process and other related topics.
The length of time it takes to complete an audit varies significantly, depending
on the audit scope and objectives, operational complexities, the cooperation and
availability of the client, and strength of the area's internal controls. Some
audits may take as little as a couple of weeks and others can take several months.
The audit is a dynamic process, the scope of which can be expanded or reduced at
any time depending on the issues uncovered as the audit proceeds.
The Lead Auditor assigned to the audit will do their best to estimate the time needed to complete the audit and keep you informed of significant changes.
Back to Top
The overall goal of a typical audit is to provide the department, unit or function being reviewed with an assessment of their control environment and compliance with appropriate policies, procedures, laws, regulations and other requirements of senior management and the University.
A secondary goal of our audit is to make recommendations, if necessary, that are aimed to improve the efficiency and/or effectiveness by which certain procedures are performed. Internal Audit is uniquely qualified in this respect as a result of our professionally trained, experienced staff and because it has broad exposure to operations throughout the University. We can therefore relate our experiences to the department, function and unit being reviewed.
Generally, auditors are not exclusively searching for the existence of fraud when performing audits; however, our auditing procedures could identify situations which may allow fraud to go undetected. An adequate system of internal control and a control conscious organizational environment will help reduce the risk of fraud. We always consider the possibility of fraud as part of our audit planning process and will design procedures to examine that possibility.
See the explanation of
Yes. For non-routine audits Internal Audit provides notice via telephone call, e-mail or memo. We will then work with you to schedule an entrance meeting where we will discuss the initial scope and objectives and discuss our audit process.
For scheduled audits, Internal Audit will communicate in advance to the department,
unit or function and senior management about an upcoming audit. We may submit an
initial request for information to the unit or department. This request may include
general department information, which aids us in gaining an understanding of the
department, unit and function being reviewed. After being notified, you can
start preparing for an audit by doing the following (not a comprehensive list):
We are primarily auditing for compliance with University policies and procedures and evaluating the design and effectiveness of internal controls. Our mission, as described in our charter, is to help Management protect University assets, ensure compliance with regulations, policies and procedures, ensure efficient and effective operations, and to help ensure the integrity and reliability of information systems. Therefore, our audits are designed to accomplish that mission.
Prior to our review, we may submit an initial request for information to the unit or department. This request may include general department information, which aids us in gaining an understanding of the department, unit and function being reviewed. When we begin the fieldwork segment of our review, the department, unit or function will need to provide us with various details supporting the transactions we are testing.
Sometimes discoveries or events that occur during performance of the audit can change the scope of an engagement. If this should happen, the client is notified if the scope changes significantly.
You will be kept informed of the auditor’s findings throughout the course of the audit. If an issue is identified during the audit where improvements can be made in operations or internal control, it will be discussed with you initially, and prior to any written reports, to ensure our understanding of the facts is correct. We will also work with you to come to agreement on how best to remedy the problem. Internal Audit’s observations, recommendations, and Management’s action plan will be described in the audit report. Click the link for more details on the reporting process and report distribution.
Yes. We consider Management requests for audit work, although our ability to perform the audit might be affected by the relative risks involved, our staffing levels or current obligations. We may also review your concern as part of the audit risk assessment process and consider it for the next year’s audit plan.
Audits to evaluate a unit’s operations and system of controls can be very beneficial. Our auditors are trained to consider your operational objectives and then evaluate risks to your ability to achieve those objectives. If a department has recently adopted significant operational changes, or implemented newly installed computer systems, an internal audit can aid Management in reviewing the new procedures to examine the internal control design and effectiveness. You should also consider engaging us in advance of any such changes. Periodic audits are recommended to ensure overall compliance with University policies and procedures and the unit’s operational procedures. Because Internal Audit is functionally and organizationally independent of the department, our evaluation will be objective and free of any potential bias that may result from a review by department resources.
Any member of management can contact Internal Audit staff members via telephone or
email for our audit services, to consult on a specific issue or
ask questions. Your request will be reviewed by our staff and our Director
will decide how to best meet your needs.
Back to Top
We will fully explore the issue with you and will typically develop an observation and recommendation for inclusion in the final audit report. All issues will be fully vetted with the unit's management and we'll coordinate with the appropriate personnel to develop a recommendation best suited for the unit's individual needs.
That is a common misunderstanding. While Internal Auditors generally come
from financial accounting and auditing roles, we are experts in evaluating all
types of risks and controls – whether financial, operational, or compliance.
Audit Services Provided for more information.
Back to Top
In addition to being audited by Internal Audit, areas, units and departments within the University may also be audited by external auditors. These audits may be in regards to the University’s annual financial audit, in relation to a specific grant or contract or some other reason. Where possible, we try to eliminate or reduce duplication of effort by using the results of any other recent audits.
When most people think of auditing the first thing that comes to mind is financial
auditing. While this is an important aspect of auditing, it is only one small facet
of Internal Audit’s role. The
Institute of Internal Auditors
(IIA) defines internal auditing as
"an independent, objective assurance and consulting activity designed to add value
and improve an organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.”
The primary purpose of Internal Audit is to assist the Board of Governors and all levels of University management in the effective discharge of their responsibilities through consulting and performing independent audits, reviews, and investigations. Internal Audit also serves as a liaison between management and all external auditors. Our charter outlines Internal Audit’s mission, authority, responsibility and describes our reporting relationship with the BOG and management.
In accordance with our audit charter, Internal Audit has unrestricted access to all records, assets, personnel, and other resources of the University, which are necessary to accomplish our objectives.
The existence of a qualified, professionally staffed Internal Audit function demonstrates
the commitment of WVU management and the
Board of Governors to a strong system of
and effective, efficient, and ethical operations. Internal Audit operates
to help ensure:
WVU management is responsible for establishing and maintaining a system of internal controls. Internal Audit assists both management and the Board of Governors, specifically the Audit Committee, in fulfilling their responsibilities by bringing a systematic disciplined approach to objectively assessing the effectiveness of the design and execution of the system of internal controls and risk management processes. This provides University management, the Audit Committee, and external stakeholders with independent assurance that the University's risks have been appropriately mitigated.
No. While we often work closely with Administration and Finance, Internal Audit has a solid-line reporting relationship to the Board of Governor’s Audit Committee reports administratively to the WVU President’s Office. This arrangement helps ensure Internal Audit’s independence and objectivity in performance of our work.
Yes. All employees of the Internal Audit are West Virginia University employees.
Internal Auditors are subject to ethics rules established by the Institute of Internal Auditors which require independence and objectivity in our work. Our auditors take their professional reputation and integrity seriously. Independence is achieved through the Internal Audit reporting relationship to the Audit Committee and the WVU President’s Office. This independence strengthens Internal Audit’s ability to remain objective in the conduct of our work.
Internal Audit is staffed by professional auditors who are employees of WVU. Internal Audit operates to help ensure:
Independent public accounting firms are external auditors who review the University's
annual financial statements to ensure the information presented accurately portrays
WVU’s financial condition. Government agencies, the
Board of Governors, bond rating agencies and others rely on the independent
auditor's opinion of WVU's financial statements.
Back to Top
Internal Audit should be notified of all external audit requests. A form is provided by Internal Audit to facilitate this notification. Internal Audit will monitor the external audit activity and advise the business unit as needed. We keep the Audit Committee apprised of external audit activity as well.
An internal control is any policy, procedure, practice, or mechanism designed to provide reasonable assurance that the organization's objectives will be achieved. This includes controls designed to safeguard assets, ensure the timeliness, accuracy and reliability of financial and management reporting and to promote operational efficiency, effectiveness and compliance with all applicable laws, regulations, policies and procedures. It is the responsibility of management to ensure that appropriate controls are implemented and functioning to support the achievement of unit objectives.
Yes, generally speaking there are two types of internal controls: preventative and detective controls.
Preventative Controls are designed to prevent errors or irregularities from occurring. (Example: processing vouchers only after approval signatures have been obtained; system input validations that require a particular type of data.)
Detective Controls are designed to find errors or irregularities after they have occurred. (Example: reconciling monthly account statements.)
No, Internal Audit is not responsible for internal controls. We play a role in our system of internal controls by performing evaluations and making recommendations for improving internal controls.
Management of the University is responsible for establishing, maintaining and promoting effective business practices and effective internal controls. However, virtually all employees play some role in effecting internal controls. Systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.
You can contact Internal Audit with questions about your processes and controls and
we will be glad to provide you with expert advice. You can also request an
internal audit. Note that our ability to perform a full audit might be affected
by the relative risks involved, our staffing levels or current obligations. We
may also review your concern as part of the audit risk assessment process and consider
it for the next year’s audit plan.
Back to Top
The Association of Certified Fraud Examiners defines occupational fraud as “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resource or assets.” Elements present for an employee to commit fraud include opportunity, a low chance of being caught, rationalization by the individual that the action is not a crime, and justification of the ends versus the means. It has been estimated that US businesses lose over $600 billion to fraud each year and that the average organization may lose 5% of revenue to fraud.
Fraud is found through a number of different methods. Tips are consistently
the most common form of discovery. In a 2014 report by the
Association of Certified Fraud Examiners
(ACFE) 42% of fraud was detected from tips from individuals, followed by 16%
through management reviews, and 14% by Internal Audit.
It is important to the University that all employees take responsibility for reporting suspected fraud or illegal activities. Internal Audit has established the EthicsLine to aid in this reporting process.
While Internal Audit considers the possibility of fraud in nearly all audit projects, employees and management also need to be aware of “red flags” of suspicious activity and take corrective action if needed or report the activity. When something suspicious is identified, Internal Auditors can help determine its effect and evaluate the situation with financial analysis, observation or other methods to review and test a weakness of established controls. If a review confirms potential fraud, a formal investigation is often the next step, which may include Legal Affairs and/or the WVU Police Department.
WVU encourages employees, whenever possible, to discuss concerns with their supervisors or appropriate University personnel in such units as Internal Audit, Human Resources, or Legal Affairs.
WVU also provides the EthicsLine for employees, students, and constituents of all campuses to report issues, in good faith, regarding compliance with laws, regulations, and policies. This “reporting hotline” allows anyone to report issues anonymously if they wish to do so. The issues reported will be reviewed by the appropriate officials to determine if further investigation and actions are warranted. Click here for more information on the EthicsLine. You may also call into the EthicsLine toll free at 866-413-1955. The University will not take retaliatory actions against employees or constituents who make good faith reports about potential misconduct. State and Federal “whistle-blower” statutes provide protections for those making good-faith reports of wrongdoing.
The WVU EthicsLine is a comprehensive and anonymous Internet and telephone-based reporting tool that assists management and employees in working together to address fraud, misconduct, and other violations in the workplace, while helping to cultivate a positive work environment.
The EthicsLine website provides for anonymous reporting if you desire; however issues can often be investigated more efficiently and thoroughly if we are able to contact you to ask for clarification of issues and facts. Internal Audit can also communicate with a reporter through the EthicsLine website to request more information or ask questions. We receive no information about the IP address or location of the computer used to file the report.
Yes you may. By giving you choices, the EthicsLine helps ensure that employees can file a report anonymously and in the manner most comfortable or convenient to them. To report via the toll free phone number call 1- 866-413-1955. To make a report via the internet click on the appropriate link from the West Virginia University Internal Audit Office or main WVU website or go directly to www.ethicspoint.com and follow the links under ''File a Report”.
We all have the right to work in a positive environment and with that right, comes the responsibility of acting in an ethical manner and letting the appropriate people know if someone is not acting appropriately. In addition, as stewards of public funds we all have a responsibility to the public to ensure these funds are expended in accordance with legal requirements.
The EthicsLine is currently designed to receive reports regarding accounting and financial matters, research compliance, and IT asset misuse or matters involving data privacy. See the Ethicsline link for more information about where to report on other areas of concern, including NCAA compliance, academic misconduct, etc.
EthicsLine reports are entered directly on an EthicsPoint secure server to prevent any possible breech in security. These reports are available only to a few select specific individuals at WVU, including Internal Audit, who are charged with evaluating the type of violation and facts of the incident.
When you file a report at the EthicsLine website or via the toll-free number, you receive a unique user name and are asked to choose a password. You can return to the EthicsLine system again either by Internet or telephone and access the original report to answer questions posed by an Internal Audit representative and add further information that will help resolve open issues. We strongly suggest that you return to the site in seven to ten business days to answer any questions submitted by those reviewing the report. In this way, you and Internal Audit can conduct an ''anonymous dialogue” where circumstances can be clarified and additional information obtained.
Governance is the combination of processes and structures implemented by the board or other governing body to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
The Audit Committee sets the overall tone for an effective internal control structure at the University, supporting quality financial reporting, sound risk practices and ethical behavior. The Audit Committee Charter provides information about the Committee’s mission, membership, duties and limitations.
Internal Audit is governed by the International Professional Practices Framework,
promulgated by the
Institute of Internal Auditors
. This framework’s mandatory guidance includes the IIA
Code of Ethics as well as the
International Standards for the Professional Practice of Internal Auditing (Standards).
These professional standards are principle-focused and provide a framework
for performing and promoting internal auditing. The Standards are mandatory requirements
The IA serves over 180,000 members worldwide, with more than 72,000 members in North America; providing the internal auditing profession with standards, guidance, and information on internal auditing best practices.