The University of Iowa Internal Audit Department

Internal Audit Process

How Can We Help You?

Types of Audits

What is Internal Audit?

Why was my department selected for an Audit?

What are "internal controls"?

Who is responsible for internal controls?

What will the auditors need from me?

How long will the audit take?

Will the audit disrupt my department's everyday activity?

What is the audit process?

How is an audit comment reported and to whom?

How Can We Help You?

The Internal Audit Department has a staff of professionals with the education, experience, and credentials to make a positive impact in your area.

We have experience from a variety of corporate and not-for-profit industries.
We possess advanced degrees, professional designations, and licenses.
In order to maintain our professional certifications and stay up-to-date on the latest issues impacting the University, we attend continuing education programs at both the national and local level.

Our recommendations are designed to help you manage your operation more efficiently, resulting in a more effective use of resources. This might include alternate ways of approaching a problem based on our encountering similar situations in other areas. As a result, we can identify strengths and weaknesses in processes quickly and make practical recommendations. This will save you time and money on a variety of matters, and ensure that your operation is based on sound business practices and is in compliance with University, Board of Regents, and State policies, procedures and regulations.

We work closely with University leadership and a variety of other internal entities. This access along with our experience provides us with a broad prospective which we can employ to benefit your operation.

Types of Audits

Operational - Comprehensive reviews of an office or program to evaluate fundamental business practices to ensure there are adequate internal controls as well as operational efficiency and effectiveness.

Compliance - Measure adherence with:

University of Iowa and Board of Regents policies and procedures.
State and Federal laws and regulations.
NCAA Bylaws
Sponsor grant and contract requirements.
Donor restrictions on use of funds.

Investigative - Identify the facts and circumstances of possible fraud or misappropriation of the organization's assets.

Information Systems - Analyze the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of data and programs on computer and communication systems.

Audit FAQ's

What is Internal Audit?

Internal Audit identifies and assesses risk within the University environment through independent auditing and advising. In support of the University's mission, Internal Audit reports risk and makes recommendations to promote sound operating practices. We also provide consulting services which are advisory in nature, and are generally performed at specific request.

Why was my department selected for an audit?

The process many times begins during an annual series of risk assessment discussions that are held with various leaders across campus. During these meetings, management indicates issues, processes, or areas that they believe may benefit from a review by Internal Audit. Departmental managers also represent a source of audit requests, and random selection or a change in management may also play a part.

Several factors influence the scheduling of audits, including: the degree of risk or exposure to loss, type of audit, and the current and planned work in other audit projects requiring substantial time commitments.

What are "internal controls"?

Internal controls are nothing more than policies or procedures put in place to safeguard an asset, provide reliable financial information, promote efficient and effective operations, and ensure policy compliance. For example: When you came to work this morning did you lock the doors to your house? If so, that's an example of an "internal control" you used to protect the assets you own. Generally there are three types of control:

Preventative Controls - are designed to discourage errors or irregularities from occurring. For example: Processing a requisition only after it has been properly approved by the appropriate personnel.
Detective Controls - are designed to find errors or irregularities after they have occurred. For example: Reviewing the monthly Statement of Account for activity in your area's general ledger MFK's.
Directive Controls - are designed to encourage a desirable event. For example: written policies and training seminars assist in the accomplishment of area goals and objectives.

Who is responsible for internal controls?

While everyone at the University plays a part in the internal control system, ultimately University Senior Management is responsible for ensuring that adequate controls are in place. They in turn delegate part of this responsibility out to each operational area, whether it is administrative or collegiate. Essentially, every employee has some responsibility for making sure that the internal control system functions properly. Therefore, all faculty and staff need to be aware of the concept and purpose of internal controls. If you are a departmental supervisor you must ask yourself, "How do I know that things are ok? Do I assume that all is well until a crisis happens, or do I review processes and procedures on a regular basis to make sure I know what is going on?" While good internal controls will not prevent or solve all your problems, they provide an early warning system that help prevent surprises.

What will the auditors need from me?

The main items needed from you for a successful audit are cooperation and communication with the auditor. Here are some specific examples of what you can do to help the audit process:

Supply all requested information on a timely basis.
Share any internal control concerns you have with the auditor.
Review the audit program presented for your area, and ask questions if you don't understand why certain activities have been included or excluded.
As issues are communicated to you during the audit, begin thinking about potential corrective actions.
Review the audit report draft and make any suggestions for changes or enhancements either before or during the exit conference.
Provide a written response to the issues identified in the report, along with who will be responsible for implementing the corrective actions and when they will be completed.
Be proactive in monitoring the progress of the corrective actions and reporting them.

How long will the audit take?

Audits can last from a few days to several months, depending on the scope and objectives of the audit work. The auditor(s) assigned to your area will give you an estimate of the time they will need to complete the audit, after the planning phase is complete.

Will the audit disrupt my department's everyday activity?

Like any special project, an audit affects the area's routine to some extent. The University's Internal Audit Department will make every effort to minimize this disruption and cooperate with you to make the process as smooth as possible.

What is the audit process?

Determine Which Areas Will be Audited		Criteria: Area's internal control environment. Total resources managed relative to the University as a whole. Request for review.

Planning		Notify area of selection for audit. Obtain background information on the area and understanding of area's operations. Set objectives and scope.

Entrance Conference		Auditor(s) discuss objectives and scope of the audit with the area's management and present audit program.

Field Work		Test the internal control systems. Determine if the area is operating in the most effective and efficient manner, and in compliance with policies and regulations.

Reporting		Issue draft report of identified issues and recommended actions to area management. Area reviews draft report and identifies any questions or concerns regarding it.

Exit Conference		Discuss issues regarding the draft report. Management presents their plan for correcting noted issues and timeline for implementing the corrective action.

Final Report		Issued to appropriate University management, including the President and the State Board of Regents. Becomes a public document.

Follow-up Review		Return to the area after date for corrective action has passed, to ensure the issue(s) has been addressed as agreed.

Follow-up Memorandum		Issued to all who received the original report. Reports as to whether the corrective action promised by management has been completed.

How is an audit comment reported and to whom?

We use a variety of methods for communicating issues/comments back to you and senior management, including:

Audit Report comment - Comments in this classification are included in the official audit report, and represent items that are either regulatory/policy/legal violations, or present an unacceptably high level of risk of financial loss or adverse public/political exposure. The audit report is copied to immediate area management, and all appropriate University management up to the level of the President, who receives all reports. The report is also sent to the State Board of Regents, and the Auditor of the State of Iowa .
Management Advisory comment - These are issues that the auditor noted during field work, but they are either outside the established scope of this audit project or are not of immediate concern. However, if they are not addressed in a timely manner, they could potentially have an adverse impact on the operation of the area in the future. This type of item is communicated to management of the immediate area being audited and at least their supervisor.
Non-reportable comment - These issues are generally minor in nature or scope, but are items that the auditor encountered and of which you need to be aware. They are communicated only to management in the immediate area being audited.