Frequently Asked Questions
What is internal auditing?
When most people think of auditing, the first thing that comes to mind is financial auditing. While this is an important aspect of auditing, it is only one small facet. The Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations”. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Does Internal Audit follow professional standards?
Internal Audit at East Carolina University follows the professional standards that have been established by the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners (ACFE).
Every five years, the Office of Internal Audit undergoes an external quality assessment to measure its compliance with IIA standards. The office received the highest possible rating from the external review teams during our 2021, 2016, 2011, and 2006 assessments.
The IIA serves over 70,000 members and provides the internal auditing profession with standards, guidance, and information on internal auditing best practices. ISACA has over 23,000 members and is recognized as a global leader in IT governance, control, and assurance. The ACFE has over 25,000 members and provides guidance on the detection and prevention of fraud. Each of these organizations has a Code of Ethics, which has been adopted by Internal Audit. One of the standards requires that the purpose, authority, and responsibility of the internal audit function be defined in a charter.
How is Internal Audit organized?
East Carolina University is required by NCGS §143-746 to maintain an internal audit function. In accordance with the East Carolina University Internal Audit charter, Internal Audit operates as an independent appraisal function within East Carolina University and reports functionally to the Audit Committee of the ECU Board of Trustees and administratively to the Chancellor.
What are the purpose and objectives of Internal Audit?
The primary purpose of Internal Audit is to function as a service unit to assist all levels of management in the effective discharge of their responsibilities. Through consulting and performing independent audits, reviews, and investigations, the office seeks to provide reasonable assurance to management that effective stewardship is maintained over the University’s resources. Internal Audit also serves as a liaison between management and all external auditors.
In general, the objectives of Internal Audit are to:
- Evaluate the adequacy of the internal control structure within a department or unit.
- Assess the extent of compliance of each area with applicable laws, regulations, policies, and procedures.
- Verify the existence of University assets and ensure proper safeguards for their protection.
- Evaluate the reliability and integrity of data produced by information systems.
- Investigate concerns relating to fraud, embezzlement, and theft.
- Consult with management and provide methodologies, facilitation, focus, knowledge, technology, best practices, and independence that help solve management’s problems.
What is the scope of Internal Audit authority?
In accordance with the internal audit charter, NCGS §116-40.7, NCGS §143-748 and other applicable laws, Internal Audit has unrestricted access to all records, assets, and other resources of the University that are necessary to accomplish its objectives. Internal Audit ensures the safekeeping and confidentiality of all records and information used during an engagement to the extent provided by NCGS §116-40.7 and other applicable laws.
Who/What is reviewed and why?
Internal Audit develops an annual audit plan that is reviewed and approved by the Audit Committee of the ECU Board of Trustees and the Chancellor. This plan identifies the engagement projects to be conducted during the upcoming fiscal year; however, it can be amended to include requested reviews, special projects, or changes in priority.
Not all reviews are selected in the same way. An area can be selected for a review if:
- It is assessed as an area with high risk
- It is a cyclical engagement project
- Irregular conduct is alleged and a review is requested
- Management specifically requests a review
Selection based on assessment of risk: The most common method of selecting an area for an engagement is through the application of a risk assessment. Several factors that are considered in the assessment are:
- Internal control structure
- External regulations
- Financial impact
- Complexity of operations
- Prior engagement findings
- Length of time since last engagement
When this model is applied, areas are ranked according to their risk. Areas with the greatest risk become priority engagements and can result in three types of engagements: compliance, operational, or information systems.
Cyclical engagements: Some engagements are performed on a regular basis. Examples are: petty cash reviews, inventory counts, security reviews, and disaster recovery testing.
Investigative engagements: These engagements are normally initiated by requests from management and/or anonymous tips and focus on alleged irregular conduct. Reasons for investigative engagements include internal theft, misuse of State property, and/or conflicts of interest.
Requests from management: Management requests these engagements through the Office of Internal Audit. The scope of the engagement depends on the request.
How is the scope of the engagement determined?
The scope of the engagement and/or review is determined from one or more of the following:
- Information collected during a preliminary survey, which includes interviews with the appropriate client personnel
- Assessment of risk associated with the client’s functions
- Evaluation of answers received on internal control questionnaires tailored for the assignment
- Client requests concerning topics, functions and/or time frames
Sometimes discoveries or events that occur during a project can change the scope of an engagement. If this happens and the scope changes significantly, the client is notified.
How long does an engagement last?
Engagements and reviews vary in length. The amount of time required depends on the objectives of the engagement, the cooperation and availability of the client, and the complexity of the operation. An internal control review may take one to two weeks, while a broad-based engagement may take months. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the engagement.
What is the actual engagement process?
1 – The engagement or review is announced through an engagement letter.
Internal Audit notifies the client in writing when their area is selected for an audit. An engagement letter is sent to the client that describes the general objectives of the engagement, the auditor in charge, the projected time frame of the engagement, and information the auditor may need the client to supply.
2 – An entrance conference is scheduled.
An entrance conference is scheduled by the auditor in charge with the client to discuss the purpose, scope, and process of the engagement. The director and auditor in charge attend the entrance conference along with personnel deemed appropriate by the client. Clients are encouraged to present any questions or concerns they have about the engagement. Clients are also given the opportunity to request that a specific function or area of their office be examined during the engagement or in future work.
3 – A preliminary survey is performed.
During this portion of the engagement, the auditor will gain an understanding of the client’s operation or area being reviewed. The auditor may request written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the client’s operation. Internal controls may be reviewed and documented during this portion of the engagement through an internal control questionnaire.
4 – Fieldwork is conducted.
This phase of the engagement includes testing the internal controls and performing other procedures necessary to accomplish the objectives of the engagement. The auditor will follow a work program when conducting this phase of the engagement. A work program lists the control objectives of the engagement and the necessary steps an auditor must follow to collect and analyze the data.
This phase of the engagement is the most time-consuming part of the review for the client because personnel will need to be available to answer questions and provide information. Internal Audit realizes the value of each person’s time and tries to arrange meetings in advance and work around scheduling conflicts when possible.
During this phase of the engagement, the auditor will strive to maintain open communication with the client to ensure they are kept abreast of the initial observations and there are no surprises once the final report is issued.
5 – A draft report is prepared.
After the fieldwork is completed, the auditor prepares a draft report, which will include the background of the area being audited, audit purpose, objectives, scope, methodology, reportable conditions, and recommendations. The draft report, along with any non-reportable conditions, is sent to the client via email for review before the exit conference.
6 – An exit conference is scheduled.
An exit conference is scheduled by the auditor in charge with the client to discuss the draft audit report. The CAO or Associate Director and the auditor in charge attend the exit conference along with client personnel. The conference is an opportunity to discuss the observations and clarify any ambiguities. Non-reportable conditions will also be discussed during the exit conference.
7 – The client submits their responses to the audit findings and recommendations.
After the exit conference, any changes deemed necessary are made to the draft report and submitted to the client via email. The client is normally given one to two weeks to respond to the draft report. The client includes a response to each of the observations and recommendations and sends the report to the auditor in charge via email. If circumstances arise that prohibit the client from responding to the report in the allotted time frame, the client should contact the auditor to request more time.
8 – The final report is issued.
A final report is issued after the auditor in charge receives the draft report with the client’s responses. The final report is distributed to the client, senior-level management, ECU Board of Trustees Audit Committee, and the Chancellor.
9 – A follow-up review is conducted.
A follow-up review is performed in the near future after the final report is issued to verify the resolution of the observations. The review will conclude with a follow-up report, which lists the actions taken by the client to resolve the original observations. A discussion draft of the report will be circulated to the client before the report is issued. The follow-up report will be circulated to the original report recipients and other University officials as deemed appropriate.