Internal Audit “Partnering with Management”
PACFAM Meeting
November 15, 2012
Updated February 2015
Internal Audit Charter
• Included in the University of Oklahoma Board of
Regents’ Policy Manual.
• Required by State Law
• Internal Audit is authorized by the Board of Regents and the President to have full, free, and unrestricted access to all university functions, records, property and personnel.
What is Internal Auditing?
Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization’s operations.
It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.
Source: The Institute of Internal Auditors
What do we do?
Internal Audit Assesses:
• Adequacy of policy, procedures and internal controls.
• Compliance with laws, rules, regulations and
organizational guidelines.
• Organizational efficiency.
• Accuracy and reliability of accounting records.
Internal Audit Responsibility
• OU Norman Campus
• OU Health Sciences Center Campus
• OU Tulsa Campus
• Cameron University (Lawton)
• Rogers State University (Claremore)
• Any off-site location or function of the above entities
Organizational Chart - 2015
Student Interns
Chandriga Suppiah
Amanda Dicken Robin Irvin, CIA Audit Manager Audit Manager
Jeremy Lynch Catherine McDaniel
Chief Audit Executive
OU INTERNAL AUDIT
University of Oklahoma Board of Regents David L. Boren
OU President
Clive Mander, FCA
Suzie Brewer
OU HSC OU Norman Quality Assurance IT - all campuses
OU Tulsa Rogers State University Improvement Program OU Norman
Cameron University
Administrative Asst.
Special Investigations and
Carolyn Clink, CIA CFE Audit Director
Cindy Hall
IT Audit Director Tim Marley, CPA CISA
Senior Auditor
Robert Green
Auditor
Ke'Yonna Wynn
Auditor
Kale Thaxton Auditor
Bennett Pickar
Auditor
Samuel Perez Sarah Petrocchi Erin Carroll
Kayli Warmker Jackson Stone Hannah LeConte
Auditor
Senior Auditor
Alexandra Gerea
David Skrdla, CISA
IT Audit Manager
Auditor
IT Auditor Andy Thung, CISA
IT Auditor
Sandra Ashford Audit Manager
Code of Ethics
The Principles/Rules of Conduct We Adhere to:
• Integrity
• Objectivity
• Confidentiality
• Competency
Source: The Institute of Internal Auditors
Institute of Internal Auditors Standard
IIA Standard 1220.A1 states, “Internal auditors must exercise due
professional care by considering the:
• Extent of work needed to achieve the engagement's objectives;
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
• Adequacy and effectiveness of governance, risk management, and control processes;
• Probability of significant errors, fraud, or noncompliance; and
• Cost of assurance in relation to potential benefits.”
The Audit Selection Process
Risk Analysis vs. Rotational Schedule
The Institute of Internal Auditors requires risk analysis rather than a rotational schedule for annual audit plans.
• The Internal Audit Department lists all auditable entities and functions and compiles them into an ‘audit universe.’
• A risk analysis is used to determine which audits to perform on an annual basis.
Risk Analysis Criteria
• Prior audit findings
• Perceived sensitivity
• Control environment
• Confidence in operating management
• Changes in people or systems
• Complexity
• Time since last audit
Types of Audits Performed
College and Departments, Clinics, Functional Units, Athletics,
Information Technology/Systems, Special Reviews, Special Investigations,
Centers and Institutes, Sponsored Programs
Financial, Operational, Compliance
Audit Process, Step-by-Step
Phases: Planning, Fieldwork, Reporting, Post Audit Review
Planning:
1. Engagement letter
2. Preliminary request for information
3. Risk analysis and audit program development
4. Entrance conference
Reporting:
1. Exit conference
2. Draft audit report
3. Final audit report, with management responses and scheduled completion dates
Internal Audit Help Line
As part of our service to the
University, we encourage any
employee to contact us with
questions relating to internal
controls or to discuss any issue
relating to risks and exposures in
their area of responsibility.
Call (405) 325-3411
(Ask for an Audit Manager)
or
Email us at:
Further Information
• Visit our website at www.ou.edu/audit
• Main Office Norman Campus
1816 West Lindsey Street
Phone number: 405-325-3411
• Satellite Office OUHSC Campus
Service Center Building Room 239
Phone number: 405-271-2532
Disbursements:
University Accounts:
• Personal reimbursements and travel claims not
approved by someone of institutional authority
• Not aware of change in mobile phone/device
policy
Foundation:
• Personal reimbursements and travel claims not
approved by someone of institutional authority
• Retention of departmental records to support
Foundation activity
DISBURSEMENTS
• Does the account sponsor approve your disbursements and travel
claims? Does an individual with greater institutional authority approve
the department head’s travel?
• Are disbursements business-related and in compliance with University
policy?
• Are invoices paid within 45 days as required by state legislation?
• Are purchases over $5,000 processed through a PO? Do you process all
contractual products or services through the Purchasing Department? If
not, do you have an authority to contract?
• Are accounting duties of ordering, receiving, and reconciling properly
segregated to ensure that no one individual controls the process from
beginning to end?
Resources:
• State Travel Reimbursement Act (STRA), 74 O.S., Section 500.1, et seq.
• University Travel Procedures:
http://www.ou.edu/controller/fss/procedures/travel.html
• OU Purchasing Department
http://www.ou.edu/purchasing/policies/index.html
• OU Regents’ Policy Manual
http://www.ou.edu/regents/official_agenda/2004PolicyManual.pdf
Pcard:
• Allowing Pcard to be used by someone other than
the card holder, including access to the Pcard
number for online purchases
• Purchasing items not permissible per the Pcard
Policy
• Approval by account sponsor not evident
PCARD
• Did Pcard holders and Pcard administrators attend training?
• Is use of the Pcard limited to the card holder?
• Are students, including graduate students, prohibited from using the
Pcard?
• Do you retain your Pcard receipts?
• Does the account sponsor review the purchase receipts when approving
the transactions?
Resources:
• Pcard Policy
http://www.ou.edu/purchasing/home/pcard/pcard_policy.htm
• General Records Disposition Schedule for State Universities and
Colleges
http://www.odl.state.ok.us/oar/docs/ucgrds-schedule.pdf
Payroll:
Hourly Employees:
• Overtime hours incorrectly moved to other pay periods
• Timesheets not approved by employee and/or supervisor
• Payroll documentation not available (missing time sheets)
Monthly Employees:
• Leave certifications not approved by employee and/or supervisor
• Leave certifications not available
PAYROLL
• Hourly: Do employees sign their timecards/time sheets? Do their
supervisors sign the timecards/time sheets?
• Monthly: Do monthly personnel track their paid leave? Does the employee
sign documentation stating the amount of paid leave taken on a monthly
basis? Do their supervisors approve and sign the documentation?
• Supplemental Pay: Does the department maintain supplemental pay
records? Does the account sponsor approve the supplemental pay?
• Are HR PeopleSoft account passwords kept confidential?
• Is all access to computer systems cancelled for employees that transfer
from your department or for employees that no longer work for the
University?
Resources:
• Human Resources Guide to Services:
http://hr.ou.edu/payandrecords/
Supplemental Pay:
• Insufficient support for supplemental pay
• Approval by appropriate supervisor with
institutional authority not evident
Supplemental Pay:
• Does the department maintain supplemental pay records?
• Does the account sponsor approve the supplemental pay?
• Approval by appropriate supervisor with institutional authority?
Resources:
• Human Resources Guide to Services:
http://hr.ou.edu/payandrecords/
Records Retention/Proper
Documentation:
• Records have not been retained in compliance with
the General Records Disposition Schedules for
State Universities and Colleges
• Documentation is not available for review during
the audit
RECORDS RETENTION
• Are you retaining all records in compliance with the University
Records Retention Policy?
• Do you receive proper authorization from the Records Retention
Coordinator prior to disposing of records?
Resources:
• General Records Disposition Schedule for State Universities and
Colleges
http://www.odl.state.ok.us/oar/docs/ucgrds-schedule.pdf
• Records Retention Quick Reference
http://www.ou.edu/content/dam/AdminFinance/documents/Quick_Reference_to_Common_University_Records_December_2010.pdf
• Records Retention Policy for University of Oklahoma, Norman
Campus
http://www.ou.edu/content/dam/AdminFinance/documents/Records_Retention_Policy_intro_Dec_2010.pdf
07/06/12 e-mail from Byron Burr Millsap, CPA MBA
Associate Vice President, Administration & Finance (Purchasing):
“…Here is the actual guidance from the document, “Financial Statement Reconciliation Training
Materials,” which can be found at http://www.ou.edu/controller/fss/psnews.htm :
– Statements should be reconciled on a monthly basis. Reconciliation involves the review
of the individual transactions appearing on the statement to determine that all
transactions are valid and appropriate.
– Identified discrepancies between the departmental information and the information
shown on reports should be resolved. Resolution involves contacting the originating
department regarding needed corrections, as well as following up to ensure that
corrections are completed.
– The statement reconciliation must be formalized with the signature of the preparer and
the reviewer, with the corresponding dates.
The type and manner of evidence used to prove compliance with the policy is determined by the
department. The evidence may be in hard-copy form, in image form, or in any form that
adequately demonstrates this proof.
Terri Pinkston and Burr Millsap of the implementation team met with Internal Audit on June 29.
Clive Mander, Director of Internal Audit, confirmed that it is not Internal Audit’s charge or place
to make policy but rather to audit against it. Accordingly, when performing its work, Internal
Audit seeks to understand the departmental process and observe the related evidence in
whatever form it may be to satisfy itself that the department is complying with policy.”
Data Security/Other:
Credit Card Data - PCI Compliance
Social Security Numbers
Student Information – FERPA
EIT Multimedia Accessibility Policy
House Bill 1086
Independent Contractors
Contracts:
• Authority to Sign Contractual Documents granted by the President of the University not evident at time binding agreement fully executed
• Documents include, but are not limited to: purchase orders, grants, contracts, sub-contracts, licenses, leases, funding documents, applications, extensions and renewals, letters and/or memoranda of understanding, sales orders, assurances, work orders, and the like
• Contracts not fully executed
Contracts:
• Have the agreements been fully executed by someone of proper
authority?
• Has the department established a system to ensure compliance
with the terms of the agreement?
• For revenue agreements, does the department receive proper
documentation to monitor compliance with the terms of the
agreement?
Resources:
• Regents Policy, 4.10 - Authority to Sign Contractual Documents
http://www.ou.edu/regents/official_agenda/CurrentPolicyManual.
Cash Receipts:
• Cash handling not properly segregated
• Cash receipts not logged as received
• Checks not endorsed immediately upon receipt
• Custody of funds not documented
• Cash receipts not secure prior to deposit
• Spending funds prior to deposit
• Cash receipt documentation not available
Cash Receipts:
• Are the duties of receiving and depositing segregated from account
reconciliations?
• Are cash receipts logged when received?
• Are checks endorsed upon receipt?
• Who has custody of or access to the cash?
• Are cash/checks deposited timely and intact?
• Is reconciliation performed to the original documentation?
Resources:
• University Policy for Deposits and Cash Handling (Bursar)
https://www.ou.edu/content/bursar/services/departments/university_policies.html
• Oklahoma State Statute, Title 62, O.S. Supp. 986, 7.1 & 7.2
http://www.ou.edu/content/bursar/services/departments/statuatory_reference.html
Change Funds:
• Surprise counts not performed
• Surprise counts performed but not documented
• Discrepancies not reported to supervisory personnel
Change Funds:
• Are change funds kept secure with limited access?
• Are change funds reconciled to sales and deposits?
• Are discrepancies documented and reported to supervisory
personnel?
• Are monthly unannounced surprise counts performed by a
supervisor?
Resources:
• University Policy for Change Funds (Financial Services):
http://www.ou.edu/controller/fss/policies/cash.pdf
Accounts Receivable:
• Proper segregation of duties between deposit processing, accounts receivable processing and record maintenance has not been established
• Aged accounts receivable not generated and monitored
• Procedures not in place for follow-up and collection of delinquent accounts
• Account adjustments not properly authorized and approved
Accounts Receivable:
• Who maintains accounts receivable records? Are they involved in
any cash receipts functions?
• Who is responsible for reconciling the accounts receivable?
• Are aged accounts reviewed periodically? If so, who reviews
them and how often are they reviewed?
• Are there adequate procedures for follow-up and collection of
delinquent accounts?
• Are account adjustments properly authorized and approved?
Resources:
• University Policy, Responsibilities of an Account Sponsor,
Separation of Duties (Financial Services):
http://www.ou.edu/controller/fss/policies/depts.pdf
Account Reconciliations:
• Not performed on all accounts
• Not performed on a monthly basis
• Account reconciliation not documented
• Reconciliation approval not documented
Account Reconciliations:
• Who is responsible for reconciling the statement of account? Is
there a proper segregation of duties between disbursements
and/or cash handling and account reconciliations?
• Does the preparer sign and date the reconciliation?
• Are reconciliations performed in a timely, consistent and complete
manner?
• Does the account sponsor review, sign and date the monthly
reconciliation?
Resources:
• University Policy, Responsibilities of an Account Sponsor, Account
Reconciliation (Financial Services):
http://www.ou.edu/controller/fss/policies/depts.pdf
• Financial Statement Reconciliation Training Materials (FS)
http://www.ou.edu/controller/fss/psnews.htm
Thank you
Q & A