Internal Audit services involve providing assurance, advice, or both. Internal Audit applies and conforms with The Institute of Internal Auditors’ (IIA’s) Global Internal Audit Standards (Standards) when performing engagements.
Each fiscal year an annual audit plan is developed and submitted to the Chancellor and the Board of Trustees’ Finance, Audit, and Human Resources (FAHR) Committee for review and approval. The audit plan is based on a risk assessment methodology but also considers requests from members of the NCSSM community.
The following types of audit services may be provided by Internal Audit:
Assurance Services
Assurance services are intended to provide confidence about governance, risk management, and the management of the activity under review. Through assurance services, Internal Audit provides objective assessments of the differences between the existing conditions of the activity under review and a set of evaluation criteria. Examples of assurance engagements are as follows:
Compliance audits measure compliance with established University, NCSSM, federal or state laws, regulations, and/or policies. Our recommendations are intended to help management fully comply with the established regulations.
Financial audits review specific transactional cycles or processes such as cash handling, fixed assets, purchasing, payroll, receivables, and payables. These reviews are typically limited in scope as the full financial audit for the School is performed by the Office of State Auditor.
Information technology (IT) or information security (IS) audits are conducted to evaluate the quality of the controls and safeguards over the information technology or information security resources and critical data of the organization. These audits may consist of: reviewing the effective use of information technology resources; adherence to laws, policies and industry standards; assessing the design and implementation of internal controls over computer applications and the computing environments in which they are used; and assessing information security practices.
Operational audits review the effectiveness and efficiency of operational units. Effectiveness measures how successfully an organization or unit achieves its goals and objectives. Efficiency measures how well an entity or unit uses its resources to achieve its goals. Operational audits can also be integrated audits and include compliance, financial, and information technology aspects of the area being reviewed.
Follow Up Reports
For internal or external audit work that results in reportable recommended improvements, Internal Audit conducts follow-up reviews to assess if management has implemented the corrective action(s) to mitigate risks identified during the original audit engagement.
Advisory Services
Internal Audit can initiate advisory services or perform them at the request of the Board, senior management, or the management of the activity. Advisory services are engagements that are intended to provide advice and information on internal controls, risk management, and sound business practices. Examples of advisory services include:
- Reviewing current business practices for effectiveness and efficiency
- Interpreting policies and procedures
- Facilitating the development and implementation of internal procedures
- Participating on standing committees
- Completing limited-life projects
- Attending ad-hoc meetings
- Responding to routine questions
In addition, our advisory work includes work with the UNC System Office and several professional organizations and serving as liaisons between the School and various external auditors.
Please do not hesitate to reach out for any advisory needs.
Investigations
These audits are normally performed on an as-needed basis, at the request of management or in response to anonymous tips or requests. Investigative audits typically cover topics such as alleged irregular conduct, non-compliance with established policies or laws, misuse of NCSSM resources, false time reporting, internal theft, and/or conflicts of interest.
Any dishonest or improper act by an employee, such as one that violates the law, wastes money, or endangers public health and safety, is a concern. In addition, North Carolina General Statute § 143B-920 requires all state employees, including employees of NCSSM, to report theft or misuse of state property.
To report concerns or suspected fraud, waste, or misuse, use the Internal Audit Hotline.
When Internal Audit receives information regarding potential misuse, fraud or abuse, we will conduct an initial review to determine if the allegations have merit and if further investigation is necessary. While all reports will be given careful consideration and treated seriously, it is important to remember that allegations are unsubstantiated until corroborating evidence is obtained. The initial review and subsequent investigation will be conducted in a confidential manner and with respect for the rights of the individuals involved.
The goals of investigations are to:
- Determine if allegations are valid;
- Identify control weaknesses or breakdowns in procedure that allowed the situation and any related problems to occur;
- Determine the extent of any loss; and
- Recommend corrective action to prevent the situation from recurring.
When possible, Internal Audit will notify appropriate members of management prior to beginning an investigation. Advance notice may not be possible in rare situations when even a small delay could allow additional funds to be lost or records destroyed. In these situations, Internal Audit will notify management as soon as possible after the investigation begins. If allegations involve possible misuse by management, Internal Audit will coordinate the investigation through the organizational level to which the area reports.
The processes of conducting and reporting the results of a misuse investigation will be similar to the process followed for a routine audit. However, if the investigation reveals a potential violation of any federal, state, or local law, Internal Audit may refer the matter to Campus Safety and Legal Affairs for further review and action. Internal Audit will assist these entities with their reviews as needed. In addition, Internal Audit will use professional judgment in identifying situations that warrant disclosure to the NC Office of the State Auditor.
External Audit / Review Coordination
NCSSM is subject to external audits, compliance reviews, and similar activities by various external agencies and other organizations. The Chief Audit Officer can serve as a liaison to the process, especially since Internal Audit is responsible for following up on all findings and recommendations made by external auditors. Determining whether such recommendations have been satisfactorily addressed is a requirement mandated by UNC Policy.
If your department is contacted by an external entity regarding any type of pending review, audit, or investigation, please contact Internal Audit. This notification serves a dual purpose:
- To prevent the duplication of audit effort; and
- To ensure the duties of Internal Audit are fulfilled.
The Chief Audit Officer will accompany department representatives to any entrance and exit meetings with external reviewers.
Copies of all findings and recommendations issued by external auditors / investigators, along with management’s response to any recommendations, should be forwarded to the Chief Audit Officer in a timely manner. Upon implementation of the recommendations or other alternative action by management, Internal Audit will perform verification procedures to ensure the stated plan of action has been implemented and will issue a status report to the Chancellor and the Board of Trustees’ FAHR Committee.