Are you looking for more information about the Internal Audit Office or the work we do? View some of our more commonly asked questions below!
Internal Audit serves NCSSM by helping it accomplish its goals, enhance operations, and improve risk management and internal controls. Internal Audit focuses on both financial and non-financial risks and controls. Internal Audit provides NCSSM’s leadership and the Board with assurance on NCSSM’s risk management and control processes.
Internal Audit follows the Standards and requirements of The Institute of Internal Auditors (IIA). Internal Audit roles include monitoring, analyzing, and assessing risks and controls; reviewing and confirming compliance with policies, procedures, regulations, and laws; ensuring the accuracy of data; and assessing current operations and procedures against best practices.
External auditors include the NC Office of State Auditor and other independent accounting firms hired by NCSSM to render an opinion on the financial statements each year. Other external auditors could include governmental auditors who perform work related to determining compliance with regulations/laws or auditors hired to perform a specialized audit or review of a specific process or area.
In general, the objectives of Internal Audit are to:
- Evaluate the adequacy of the internal control structure within a department or unit.
- Assess the extent of compliance of each area with applicable laws, regulations, policies, and procedures.
- Verify the existence of NCSSM’s assets and ensure proper safeguards for their protection.
- Evaluate the reliability and integrity of data produced by information systems.
- Investigate concerns relating to fraud, embezzlement, and theft.
- Advise management and provide methodologies, facilitation, knowledge, best practices, and independence that help solve management’s problems.
Internal Audit performs an annual risk assessment which helps to develop an audit plan of engagements to be conducted during the upcoming fiscal year. The audit plan, prepared after seeking input from leadership regarding key areas of risk, is presented to and approved by the Board of Trustees’ Fiscal, Audit and Human Resources (FAHR) Committee and the Chancellor. Throughout the year, the audit plan may be amended to include requested reviews, special projects, emerging risks, or changes in management priorities.
Some of the things that we consider when developing our audit plan include:
- To what extent is the process or area required to comply with state or federal regulations?
- Is this area subject to a great deal of public scrutiny?
- Have recent organizational or management changes occurred?
- What is the volume of activity?
- How reliant is the area on technology?
- When was the last time Internal Audit reviewed it?
- Does management have concerns that they would like us to review? Concerns can be about the internal structure, regulations, complexity of operations, or any prior audit findings.
Audit engagements and reviews vary in length. The amount of time required depends on the objectives of the engagement, the cooperation and availability of the client, and the complexity of the operation. Limited scope reviews may only take a few weeks, while a broad-based engagement may take months. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the engagement.
Also note that much of the engagement is spent in our office performing reviews and analyses of data and information. While we will request meetings and make requests for data and documentation during the audit, we will take your schedule into consideration as we strive to minimize interference with your day-to-day work.
Internal Audit develops an annual audit plan that is reviewed and approved by the Board of Trustees Fiscal, Audit and Human Resources Committee and the Chancellor. The plan identifies the engagement projects to be conducted during the upcoming fiscal year; however, it can be amended to include requested reviews or special projects, or to respond to changes in priority.
Not all reviews are selected in the same way. An area can be selected for a review if:
- It is identified as an area with high risk.
- It is a cyclical engagement project.
- Irregular conduct is alleged.
- Management specifically requests a review.
Selection based on assessment of risk: The most common method of selecting an area for an engagement is through the application of a risk assessment. Several factors are considered in the assessment, such as:
- Internal control structure.
- External regulations.
- Financial impact.
- Complexity of operations.
- Prior engagement findings.
- Length of time since the last engagement.
When this model is applied, areas are ranked according to their risk. Areas with the greatest risk become priority engagements and can result in three types of engagements: compliance, operational or information technology.
Cyclical engagements: Some engagements are conducted on a regular basis pursuant to UNC Policy or other regulations and mandates.
Investigative engagements: These engagements normally result from management requests and/or anonymous tips and focus on alleged misconduct. Reasons for investigative engagements include internal theft, misuse of State property, or conflicts of interest.
Requests from management: Management can request engagements by contacting the Internal Audit Office. The scope of the engagement depends on the request.
The scope of the engagement and/or review is determined from one or more of the following:
- Information collected during a preliminary survey, which includes interviews with the appropriate client personnel.
- Assessment of risk associated with the specific function or process.
- Evaluation of answers received on internal control questionnaires tailored for the assignment.
- Client requests concerning topics, functions and/or time frames.
Sometimes discoveries during a project can change the scope of an engagement. If this should happen, the client is notified of significant scope changes.
Work performed by Internal Audit is conducted in a logical, systematic manner to ensure accuracy, completeness, and consistency of results. The steps outlined below are followed during routine assurance engagements.
1. Planning – During the planning phase, an auditor becomes familiar with the subject area’s objectives (and their support/alignment with NCSSM’s mission/strategic initiatives), major activities, potential risks, and controls relating to the audit topic. The auditor uses information obtained to develop the focus and objectives of the engagement by assessing current audit risks in the subject area. The goal of the planning work is to identify areas where Internal Audit can provide further analyses and assistance that will benefit the area audited and/or NCSSM as a whole.
2. Entrance Conference – The planned engagement objectives and period to be covered are communicated to client management at an entrance conference and in written correspondence (in the form of an engagement letter which typically will be an email). Based on the information obtained during the entrance conference, the Chief Audit Officer will determine if audit fieldwork is necessary or if any changes are needed to the audit program (the outline of audit work to be performed during fieldwork).
3. Fieldwork – During the fieldwork phase, the planned testing per the audit program is completed. This phase of the engagement may include testing the internal controls, collecting and analyzing data, and/or performing other procedures necessary to accomplish the objectives of the engagement. Internal Audit realizes the value of each person’s time and tries to arrange meetings in advance and work around scheduling conflicts when possible. Also, Internal Audit will maintain open communication with the client to ensure they are kept abreast of the audit status.
4. Audit Findings and Exit Conference – Internal Audit will discuss potential audit findings as they are identified to ensure there have been no misunderstandings or misinterpretations of fact and to provide management the opportunity to clarify specific items and to express views. At the end of fieldwork, Internal Audit will meet with department management and staff to review all potential findings, including findings that will be excluded from the report. These meetings help ensure that potential findings are accurate and that the recommendations are valid and understood. This promotes a “team approach” by actively involving management in developing solutions to issues identified by the audit.
5. Reporting Process – After the exit conference, a draft report is prepared and sent to management for review and to provide a written response that outlines management’s corrective action plan within a specified time frame. After the draft report is finalized with management’s response(s), the report will be submitted to the Chancellor for review and approval to distribute. Once approved, the report is distributed to the client, appropriate senior management, the Chancellor and the Board of Trustees Executive Committee and Fiscal, Audit, and Human Resources Committee.
Engagements with no reportable findings may be reported through a final memorandum and not a formal report.
6. Client Survey – We request that departments provide feedback about the audit to help us continuously improve our procedures and remain compliant with The Institute of Internal Auditors’ Standards regarding quality assurance. If you receive a survey after an engagement, please take a few minutes to complete it.
7. Follow-Up Review – A follow-up review is conducted within a reasonable time after the final report is issued. A follow-up review is performed to verify the resolution of the audit observations and recommendations. The review is concluded with a report that notes the status of management’s corrective actions. The draft report is shared and discussed with the client before the report is issued. Once finalized, the follow-up report will be provided to the original report recipients and other NCSSM officials as deemed appropriate.
Yes, we are audited every five years as required by The Institute of Internal Auditors’ Global Internal Audit Standards.
Yes. Internal Audit will consider all requests for inclusion on the annual audit plan. Please note that our ability to accept project requests depends on several factors including but not limited to staff workload and the level of risk and/or urgency associated with the requested engagement.
Internal controls are processes, systems, and/or policies and procedures put in place to provide reasonable assurance regarding the achievement of reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. Internal controls are anything we do or put in place to help us achieve our objective(s). Examples of internal controls include locking your desk or office space to ensure your belongings and other items are safeguarded and using strong passwords to reduce the risk of your accounts being accessed by external parties.
Management is responsible for establishing and maintaining the control environment. Auditors play a role in a system of internal controls by performing evaluations, testing the effectiveness of controls, and making recommendations for improved controls.
In general, controls can be categorized as preventive or detective. Preventive controls are aimed at preventing errors or irregularities from occurring. Detective controls are designed to identify errors or irregularities after they have occurred.
Check out the Records Retention and Disposition Schedule in the Employee Portal under the Forms & Documents-Chancellor’s Office page.