Diana Hill Raheel Qureshi, CPA March 8, 2018
Transcript of Diana Hill Raheel Qureshi, CPA March 8, 2018
Please silence your cell phonesTake notes – share ideas!Feel free to ask questions throughout the presentation.
2
4
Who is Internal Audit?What are internal controls?What can I do to reduce anxiety when I’m
audited?
The Internal Audit Department is an independent and objective assurance and consulting activity guided by a philosophy of adding value to improve the operations of the University. It assists the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the University’s governance, risk management, and internal controls.
5
To enhance and protect organizational value by providing risk‐based and objective assurance, advice, and insight.
Demonstrates integrity.Demonstrates competence and due professional care.Is objective and free from undue influence (independent).Aligns with the strategies, objectives, and risks of the organization.Is appropriately positioned and adequately resourced.Demonstrates quality and continuous improvement.Communicates effectively.Provides risk‐based assurance.Is insightful, proactive, and future‐focused.Promotes organizational improvement.
1. Institutional Research2. Centers & Institutes3. Capital Construction4. NCAA compliance – Rules Ed.5. Scholarships/Restricted Gifts6. Travel/Complex Payments7. Building Access / 49er Card8. Internal Audit QAR9. Minors on Campus10.Admin Review‐International
Programs11.Residency Classification
12. IT Security‐DRP13. PCI Compliance14. Admin Review‐CCI15. Admin Review‐DoS16. Admin Review‐Alumni
Affairs17. NCAA Compliance‐FB
Attendance
8
Internal Audit
ACERM
Chancellor
VC – Institutional Integrity
Jesh Humphrey
CAOJennifer Walker
AuditorRaheel Qureshi
AuditorJulie Earls
AuditorDiana Hill
AuditorRachel Kaplan
10
Board/Audit Committee
Senior Management
1st Line of Defense
Department AdminsBusiness Managers
3rd Line of Defense
Internal Audit
2nd Line of Defense
Risk Management& Compliance
State Auditors
That’s you!College business officesBusiness support specialistsDepartment officers and administrative assistantsSupervisors, managers, directors
11
Compliance Functions (Research, Athletics, etc.)Police and Public Safety, Environmental Health & Safety IT SecurityController’s OfficeDirector of Compliance – Sue Burgess
12
14
Who is Internal Audit?What are internal controls?What can I do to reduce anxiety when I’m
audited?
Internal Controls are steps within a process designed to provide reasonable assurance regarding the achievement of objectives:
Effectiveness and Efficiency of OperationsReliability of Financial ReportingCompliance with applicable Laws, Regulations, Policies & Procedures
15
How can the job be completed to the intended result in an easier, faster way?How can the job be done with accurate results?How can the unit reach maximum productivityusing minimal resources?
16
University Policy 601.8 – Appropriate Use of University Funds:
Appropriated funds (central funds)Foundation FundsDiscretionary Funds
Grant funds – University Policy 601.12
17
Federal laws – FERPA, Title IXState laws – Department of Labor, Department of LicensingCounty/City laws – Waste disposal, code enforcementUNC System policies – Personnel, tuitionUNC Charlotte policies – legal.uncc.eduIT Standards and guidelines – itservices.uncc.edu
18
Preventive:Training on policies.Assigning user access rights.Automatic log‐off after period of inactivity.
What are some other preventive internal controls?
20
Detective:Reconciling invoices to ledger (payments).Comparing packing list/order contents with purchase order.Periodic review of user access rights.
What other detective internal controls can you think of?
21
• Computer username/password• Preset time out on screen saver• 49er Mart approval path• Card swipe door locks• 2 signatures on DPRs• Speed limit signs• Reconciliations
22
What types of controls are:University Policies?IT configuration standards?Error messages or reports?Reconciliation of petty cash?
23
Internal controls are the tasks that are in place to help address risks.
What can go wrong? What can we do to reduce the risk?
• One risk could have multiple controls. • One control could mitigate multiple risks.
24
A situation involving exposure to danger. (Merriam‐Webster)The hazard or chance of loss. (dictionary.com)A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action. (businessdictionary.com)
25
What “bad thing” could happen in your department?What is the chance of it happening? (Likelihood)How big of a deal is it? (Severity / Impact)
26
“A process step is a task, activity… that moves an input closer to the final
objective.”The office submits the reimbursements to the Travel Office within 30 days
Faculty members verbally request supplies.
27
“An internal control… is a critical step within the process that leads to the
success of the entire process.”Supervisors review timesheet submissions monthly to ensure they were completed on timeSupervisors review and approve all travel reimbursements for accuracy before submission to the Travel OfficeDepartment staff match the purchase order, invoice and receiving slip before marking the supply as received in 49er Mart
28
The department admin collects timesheets and files them
The office submits the reimbursements to the Travel Office within 30 days
Faculty members verballyrequest supplies.
Supervisors reviewtimesheet submissions monthly to ensure they were completed on timeSupervisors review and approve all travel reimbursements for accuracy before submission to the Travel OfficeDepartment staff matchthe purchase order, invoice and receiving slip before marking the supply as received in 49er Mart
29
Test your knowledge!
30
? Takes inventory of office supplies before submitting an order.
? Create a spreadsheet of all laptops, desktop computers and printers in the department.
? Verify the serial numbers on all laptops, desktops and printers in the department every 6 months. A director signs off on the spreadsheet.
Check out the Internal Audit website at internalaudit.uncc.edu to read more about
Internal Controls vs. Process Steps!
31
33
Situation:
All supply requisitions come through Lisa (the administrative assistant) and are
approved by the center director, Dr. Smith. College faculty working with the
center have had no complaints about Lisa. Dr. Smith thinks things are going
well, so he is surprised when the Dean asks him why he has spent so much of
his annual budget so early in the year? He is not sure how to answer the Dean
but does manage to say he will look into it. Dr. Smith calls Lisa and asks her
about the center’s spending and she tells him she doesn’t know what the Dean
is talking about. She has been ordering what the faculty have asked for and it
has been approved by the college, so she believed everything was fine. He asks
for a spending report and it shows 75% spent. It is only November. He wants
to know more about what is being purchased but does not know what to ask
for or how to get it.
Employees:
Sarah: Lab manager and responsible for fixed assets inventory
Mary: The new office manager
Situation
When Sarah first started, keeping track of all the computers was difficult, especially the laptops.
Now that laptops are not part of the inventory, she has a much easier job. Over the years, she
has kept two laptops in the bottom drawer of a file cabinet in the department office. If a faculty
member needs one for a trip or a conference, he or she takes it out and brings it back when the
event is over. Sarah has recently been told that she would be able to attend the Association of
Lab Mangers annual conference. She wanted to take a laptop to check her email and keep up
with 49er Mart, so she went to the file cabinet to get one. When she opened the drawer, it was
empty. She asked Mary where the laptops were. Mary said, “What laptops? I didn’t know we
had any.” Sarah and Mary went to see the department chair to ask what to do.
34
Control Environment – policies & procedures, overall tone from management.
Risk Assessment – identify the things that keep you from accomplishing your objective.
Control Activities – approvals, reconciliations, segregation of duties, etc.
Information & Communication – use relevant information and communicate appropriately.
Monitoring – How are you doing? Is the process working?
36
How they apply to you
37
Control Environment –department head announcing policy changes, how financial reporting is handled and communicated, and how university standards are discussed and enforced
How they apply to you
38
Risk Assessment -considerations for security of cash collected, evaluation of student worker access to department files, and the information security vulnerabilities posed by maintaining a set of laptop computers for check-out by traveling faculty
How they apply to you
39
Control Activities –authorizations, approvals, verifications, reconciliations, business performance reviews, and segregation of duties
How they apply to you
40
Information and Communication - sharing and validating requests for information when received, then sharing and validating responses before their release
How they apply to you
41
Monitoring Activities -regular financial status reports as well as progress reports for major department initiatives
43
Who is Internal Audit?What are internal controls?What can I do to reduce anxiety when I’m
audited?
What you can do to be proactive before a visit from Internal Audit?How you can improve controls in your unit?
44
Learn University standards
Review admin operations
Check out internalaudit.uncc.edufor more information!
45
We schedule an entrance meeting with the Director of the department being auditedWe provide a list of items that we need for review, based on the nature of the auditA timeline is established – typically 6 – 8 weeksReview scope and time‐period for the auditDuring the course of the audit, we will contact you regularly with questions and updates – we encourage you to ask questions, too!
46
A. Compliance with applicable laws, regulations, policies & procedures
B. Prevention of fraudC. Incorporating ethical
business practice standardsD. Periodic reviews by Internal
Audit
53
A. The one you used last.B. All assigned funds.C. Only the petty cash fund.D. The monthly phone bill.
54
A. A means to an end.B. Authorized procedures.C. The particular category in which a control
is placed.D. Steps within a process designed to
provide reasonable assurance regarding the achievement of your objectives.
56
A. Review Internal Audit’s website for articles and presentations
B. Review Guide for Self Assessment of Internal Controls
C. Ask lots of questionsD. All of the above!
59
60
Cast:
Brittany: Primary admin assistant in the department
for over 10 years. “Go to” person for the faculty
members with reputation as someone who gets the job
done.
Christina: The new staff member
61
Situation:
Due to an unexpected illness of her mother, Brittany was out on sick
leave for two weeks during the time fee payments for lab supplies were
being collected. The chair asked Christina to follow up with those
students who still owed the fee and to give him a status report. As
Christina reviewed the spreadsheet that she found on the shared drive,
some things did not add up. The amount of money on the spreadsheet
did not match what was showing in Banner as deposited. When she
contacted several students listed as still owing the fee, each one said
they had already paid and had a receipt from Brittany. After hearing
and seeing all this, Christina took her concerns to the chair, who called
Internal Audit.
What’s happened here?What are the first steps to take? How bad is this situation?What could the department have done to prevent or detect this?What do you do now?
Segregation of Duties ‐ Does any one person have too much control?Goals and Objectives – Every unit has them. Do you know yours?New Employee Onboarding ‐ How do you welcome someone new?Policies and procedures – Do you know which ones apply to you and your department?Faith, hope and trust are not controls ‐What are the words most often said after a fraud is uncovered?
64