Integrity * Objectivity * Confidentiality * Competence
In order to meet the responsibilities and objectives as set forth in the Audit Charter, it is necessary for the Office of Internal Audit to perform reviews and audits of varying types and scopes depending on the circumstances and requests from management.
Each fiscal year an annual audit plan is developed and submitted to the Chancellor and Board of Trustees Audit Committee for review and approval. The audit plan is based on a risk assessment methodology, as well as requests from management. Audit services can be requested by members of the University community through memos or e-mail.
The following types of audit services are provided by the Office of Internal Audit:
Operational audits review the effectiveness and efficiency of operational units within the University. Effectiveness measures how successfully an organization achieves its goals and objectives. Efficiency measures how well an entity uses its resources to achieve its goals.
Compliance audits measure the University’s compliance with specific established University, Federal, or State laws, regulations, and/or policies, such as travel guidelines, HIPAA, FERPA, etc. An institution of the size and breadth of East Carolina University has many requirements with which we must comply.
Click here for a list of some of the most relevant compliance requirements at the University.
Information Technology Audits
Information technology (IT) audits are conducted to evaluate the quality of the controls and safeguards over the information technology resources and critical data of the University. These audits normally consist of reviewing the effective use of information technology resources, adherence to management’s policies, and assessing the design and implementation of internal controls over computer applications and the computing environments in which they are used.
In addition to “traditional” IT audits, our office provides computer forensic services to the University, in response to computer security incidents, legal requests, and other business needs, using the most current forensic tools available.
These audits are normally requested on an as-needed basis by management, or are requested by anonymous tips. Investigative audits focus on things such as alleged irregular conduct, non-compliance with established policies or laws, misuse of University resources, false time reporting, internal theft, and/or conflicts of interest.
Internal Audit uses several data analytics software programs to review data sets for trends, anomalies, red flags, and to help management answer key operational and strategic decisions. We use a data-driven approach whenever possible to ensure that we reach conclusions on the entire population of data or transactions rather than on a limited sample. After we have developed and used such tools, we frequently turn them over to functional departments so that management can use the same tools to analyze their data and fulfill their responsibility to continuously monitor operations and controls. For example, we have developed analytics tools for ProCard transactions, Accounts Payable transactions, vendor records, and student athlete course enrollment.
The Office of Internal Audit often provides routine consultation and advisory services to all levels of University management. Consultative engagements typically involve interpreting policies or reviewing specific processes and controls and offering an opinion on how internal controls might be strengthened. These are frequently undertaken when a significant process change is being planned. We strongly encourage departments to contact us for consultation when starting a new business process, implementing a new information system, or making significant changes to the way you conduct your day-to-day activities. We believe that it is easier to “get it right” from the beginning rather than having to “fix it” later!
As part of our advisory/consulting role, the Office of Internal Audit is also represented on a number of management and project committees and work groups at the University. Some of the groups with which the office participates are:
- Technology Steering Committee
- HIPAA Steering Committee
- HIPAA Security Workgroup
- Brody School of Medicine Risk Management and Compliance Committee
- Identity Theft Protection Committee
- Payment Card Industry (PCI) Compliance Committee
- Enterprise Risk Management Committee
- University Policy Committee
- Educational Support Services Working Group
- Business Process Review Oversight Group
- Computer Incident Response Team
- Youth Camps and Programs Advisory Board
- Data Stewards Committee
A financial audit is a review intended to serve as a basis for expressing an opinion regarding the fairness, consistency, and conformity to financial information with generally accepted accounting principles. Financial audits can be full or limited in scope, depending on the objectives.
A full scope financial audit consists of a review of the financial statements of an entity of sufficient extent to express an opinion on those statements. Such an audit is conducted in accordance with generally accepted auditing standards as adopted by the AICPA. The North Carolina Office of the State Auditor normally performs the University’s financial audit. External accounting firms perform the Foundation audits.
Financial audits that are limited in scope are normally performed by the Office of Internal Audit. These audits can include a transaction cycle review of administrative processes such as purchasing, payroll, and payables, or a special examination of the financial activities of a decentralized University department.
Assistance to Office of the State Auditor
The Office of Internal Audit provides assistance to the North Carolina Office of the State Auditor (OSA) upon request. These duties may involve the following:
- Assessments of Internal Controls
- Petty Cash Counts and Bank Certifications
- Identifying ECU Related Corporations
- Reviewing inventories of critical University assets
- Assisting with OSA Investigative audits
Other special projects may be performed by the Office of Internal Audit as delegated by the UNC System Office, ECU Board of Trustees, the University Chancellor, or other University management.
**Whenever feasible, we apply an integrated audit approach in performing audit services. This involves combining elements of financial, operational, compliance, and information technology audits into a single “holistic” audit. This approach is a cost saving measure that results in a broader coverage of assurance.