The Institute of Internal Auditors (IIA) definition is: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit and Advisory Services (IAAS) reports directly to the Idaho State Board of Education Audit Committee and administratively to the University President.
In addition to being audited by IAAS, the University units and departments may also be audited by external auditors. External auditors include the outside CPA firm engaged to perform the annual audit of the University financial statements, and could include Idaho Legislative Auditors, Federal Auditors, Environmental Health and Safety Auditors, or other auditors. In addition, employees from the University Controllers office may perform “audits” of your area. However, these audits are very narrowly focused (often only on a small group of transactions) and are not as substantial as those performed by IAAS. While we try to eliminate or reduce duplication of effort by coordinating our schedule with these other auditors, an area or department may occasionally be reviewed more than once during the year.
Each year IAAS prepares an assessment of risk exposures that may affect the University. An annual audit plan is then developed based on this assessment. The IAAS plan includes cyclical internal control reviews of campus units as well as audits focused on areas or processes identified in the audit risk assessment. A variety of factors are used to prioritize these audits including materiality, quality of internal controls, degree of change or stability, complexity, and length of time since the last internal audit was performed. The audit plan may be revised during the year if more exigent University risks arise. The Executive Director IAAS finalizes a draft of the audit plan and reviews it with the University President for input. It is then submitted to the State Board of Education Audit Committee for review, input and approval.
There are many different types of audits. An audit may be of one or more of the following types:
Internal controls encompass a unit’s entire set of methods and procedures that are used in the day-to-day activities of the unit. These methods and procedures safeguard the unit’s assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed policies. Effective internal control systems are designed to ensure that resource use is consistent with laws, regulations, and policies, and to safeguard resources from waste, loss, and misuse.
No. University management is responsible for maintaining an adequate system of internal control. Internal Audit independently evaluates the adequacy of existing internal control systems by analyzing and testing controls, and makes recommendations to improve controls based on this analysis.
Unless we are conducting an investigative audit, you will be notified in advance that we will be starting an audit in your department, and we will request to set up an entrance meeting. The purpose of the entrance meeting is to explain the audit and the audit process. During the entrance, please ask questions, express your concerns, and make any special requests you might have.
After the entrance meeting, auditors will begin their field work. Fieldwork includes, but is not limited to:
Once fieldwork is complete, we will prepare a draft of all audit observations and recommendations. We will then schedule an exit meeting to discuss these observations with you. Again, during the exit meeting it is important that you communicate concerns and identify errors. If you disagree with an audit observation we will ask you to provide extra information to support your side and will re-perform work if necessary. Following the exit meeting, we will prepare and issue the final audit report (including management responses).
Yes. During the audit, the assigned auditor(s) will keep you and your employees informed of progress. Auditors may discuss some audit issues with you or your staff during the fieldwork. However, all issues will be discussed with you during the exit meeting at the end of field work.
During the fieldwork please ask questions and talk to the auditors. Please make time for them while they are performing your audit. Our auditors understand you are busy and have jobs to do. They will try to stay out of your way as much as possible. If you would like more frequent updates or are simply curious, just ask.
Take advantage of the exit meeting. Ask questions and don’t be afraid to disagree with an audit observation. The purpose of the exit meeting is to communicate issues and make sure they are accurately resolved. We will make reasonable efforts to work with you.
Having an IAAS observation in your report is not necessarily bad. Our audit observations are meant to provide you with information so that you can effectively manage risks in your area of responsibility that may prevent you from achieving your objectives. Observations generally assist you in performing your responsibilities more adequately and effectively.
Not necessarily. The list of observations we provide to you prior to the exit meeting are opportunities we have identified to help you manage risks more adequately and effectively. We take the view that you are our client and we strive to provide you with the best and most comprehensive information for to you to make decisions to improve the procedures and controls in your area of responsibility.
Yes. Typically, IAAS will identify best practices while performing audit fieldwork. However, if there is something you are very proud of or want to share, please bring it to the auditors’ attention. We may include it in our report, share it with other units as a best practice, or recommend that the University adopt it campus-wide.
Our recommendations are provided because we don’t want to identify problems without offering suggested solutions. The decision to implement the suggested solutions is up to management. We want to discuss our recommendations further if there are disagreements to ensure that any differences in opinion are accurately discussed, considered, and resolved. In some cases this could result in a recommendation being modified or dropped from our report. However, if after the discussions, there continues to be disagreement on the recommendation, IAAS is required to bring the matter to the attention of the University President and the State Board of Education Audit Committee, if considered necessary, for final resolution.
Audits may last several days or several months and will vary in length depending on an area’s size, complexity, and the specific audit objectives. Not all the time devoted to the audit will be evident to you because a lot of the time for preparation, analysis, and related audit work can be performed without direct assistance. The availability of audit documentation and the responsiveness of your department to audit requests and questions also affect the time required to complete an audit.
You can help with the following:
Finally, if you suspect or know that someone is involved in some irregularity, please report the individual immediately by contacting the University Compliance Office. You can also contact IAAS directly. You have a responsibility as a member of the Boise State University community to report irregularities.
While our department’s mission is principally accomplished through formal audits, there is no need for you to rely solely on audits to utilize the resources of our department. IAAS acts as an in-house consultant on internal control matters, and will be happy to provide you with information and suggestions on controls in specific areas.
An audit is very beneficial to assess procedures and controls within your area, identify risks and identify areas for improvement or change. This assistance may be especially helpful if you have recently assumed a new or additional supervisory role, have implemented (or are planning to implement) a new process or IT system, or have had key employee turnover.
Unless they are performing an investigative audit, auditors are not specifically searching for the existence of fraud. During a routine audit they are more concerned with ensuring that adequate systems of internal control exist to reduce the risk of fraud. However, procedures are performed that are meant to detect potential fraud and to assess your area’s exposure to fraud related risk.
If you suspect fraud or other questionable acts in your department contact your supervisor, the University Compliance Office, or IAAS. Do not try to investigate or resolve the issue yourself.
The Institute of Internal Auditors requires that an external review (Quality Assurance Review) be performed on the Internal Audit Department operations at least once every five years. These reviews can be performed by an external review team or can be a self assessment with independent validation by a qualified reviewer. These reviews cover compliance with IIA standards including independence and objectivity, audit planning and coverage, audit documentation and reporting, and staffing. We have included a copy the report on our last review in the Quality Assurance Review section.