
INTERNAL AUDIT MANUAL

INTRODUCTION
The purpose of this manual is to outline the authority and scope of the internal audit function
within the Mahatma Gandhi Institute (MGI) and to provide standards, guidelines and
procedures for the Internal Audit Department. These guidelines aim to provide for consistency,
stability, continuity, standards of acceptable performance, and a means of effectively
coordinating the efforts of the staff members comprising the Internal Audit Department. The
overall objective of the internal audit activity is to provide all levels of MGI management and the
MGI & RTI Council (Council) with an independent assessment of the quality of the Institute's
internal controls and administrative processes, and provide recommendations and suggestions for
continuous improvement.
The objectives of this manual are to document office standards, guidelines, and procedures to
assist members of the Office of Institute Audits in:
- Providing all levels of Institute management and the Council of Trustees with an
  independent assessment of the quality of the Institute's internal control, risk assessment,
  and governance processes, including recommendations and suggestions for continuous
  improvement.
The auditor's judgment will be required in applying these objectives to specific audit
assignments. This manual provides guidance, but it should not inhibit imagination,
practicality, and innovative auditing. Suggestions for changes to these guidelines and
procedures should be proposed to audit management. Suggestions will be evaluated and
adopted based on their applicability to the audit environment on all campuses.
TABLE OF CONTENTS
Purpose, Authority and Responsibility
  Purpose
  Internal Audit Charter
  Organizational Chart
  Audit Committee Charter
Independence and Objectivity
  Organizational Independence
  Management Control Policy
  Objectivity
  Example Conflict of Interest Certification
Proficiency and Due Professional Care
  Proficiency
  Fraud
  Council Policy on Illegal Acts
  Revised Statute 24:523
  Director of Internal Audit, Job Description
  Internal Staff Auditor, Job Description
  Due Professional Care
  Continuing Professional Education
  Certification
Quality Assurance and Improvement Program
  Quality Program Assessments
  Internal Assessments
  External Assessments
  Reporting
  Example Auditee Survey
Managing the Internal Audit Activity
  Audit Plan
  Communication and Approval
  Resource Management
  Example Annual Audit Plan
  Policies and Procedures
  Coordination
  Reporting to Management
Nature of Work
  Nature of Work
  Risk Management
  Internal Control
  Governance
  Legal Considerations
  Information Security
  Environmental Risks
  Privacy Risks
  Risk Management Processes
  Business Continuity
  Scope of Work
  Reliability and Integrity of Information
  Compliance With Laws and Regulations
  Safeguarding of Assets
  Economical Use of Resources
  Accomplishment of Objectives
Engagement Planning
  Planning the Engagement
  Objectives and Scope of Work
  Entrance Conference
  Preliminary Survey
  Staffing
  Engagement Work Program
  Personal Information
Performing the Engagement
  Examining and Evaluating Information
  Working Papers (Audit Evidence)
  Permanent Files
  Indexing and Referencing
  Engagement Supervision
Communicating Results
  Communicating Engagement Results
  Fact Finding Form
  Example Fact Finding Form
  Description of Reportable Conditions
Monitoring Progress
  Monitoring Progress
Resolution of Management's Acceptance of Risks
Purpose
The internal audit activity was established in accordance with an Act of the Louisiana Legislature
which requires any State agency with an appropriation level of thirty million dollars or more to
have an internal auditor. The purpose, authority, and responsibility of the internal auditing
function are defined in formal written charters. The Institute's charter was approved by the
Institute President and the Council chairman. The system charter was approved by the Council.
The charters (1) establish internal audit's position within the system and Institute; (2) authorize
access to records, personnel, and physical properties relevant to the performance of audits; and
(3) define the scope of internal auditing activities. As provided in the audit charters, the Internal
Audit Department has full, free, and unrestricted access to all activities, records, property, and
personnel of the Institute.
MAHATMA GANDHI INSTITUTE
INTERNAL AUDIT CHARTER
Contents
1 INTRODUCTION
2 MISSION STATEMENTS
3 AUTHORITY
4 RESPONSIBILITY
5 ACCOUNTABILITY
6 INDEPENDENCE
7 CONTINUITY AND IMPARTIALITY
1 INTRODUCTION
This charter primarily aims to define and establish:
a) The formal mission statement of the Internal Audit Department of the
   Mahatma Gandhi Institute (MGI);
b) The objectives and scope of the Internal Audit Department;
c) The Internal Audit Department's position within the MGI, its access to
   various records, departments and activities; and
d) Its responsibility and accountability.
2 MISSION STATEMENT
a) To provide an independent appraisal of all the activities of MGI aiming to
   add value, improve operational efficiency, risk management and
   internal control systems;
b) The prime objective of the Internal Audit Department is to examine and
   evaluate whether the MGI's framework of risk management, control, and
   governance processes is adequate and functioning properly;
c) In addition, the objectives of the Internal Audit Department include advising
   senior management and recommending improvements in internal
   control and risk management systems;
d) In order to fulfill its mission statement and objectives, the Internal Audit
   Department's scope of work includes:
   i. The examination and evaluation of the adequacy and effectiveness of
      the internal control systems at various operations and activities of
      MGI;
   ii. The review of the application and effectiveness of risk management
      procedures and risk assessment methodologies at various
      operations and activities of MGI;
   iii. The review of the management and financial information systems,
      including the electronic information system;
   iv. The review of the accuracy and reliability of MGI accounting
      records and financial reports;
   v. The testing of both transactions and functioning of specific internal control
      procedures at various MGI departments and offices;
   vi. The evaluation of adherence to legal and regulatory requirements and approved
      policies and procedures;
   vii. The evaluation of the effectiveness of existing policies and procedures and giving
      recommendations for improvements;
   viii. Identifying opportunities for cost savings and making recommendations for
      improving cost efficiencies;
   ix. Examining that resources are acquired economically, used efficiently and
      safeguarded adequately;
   x. The carrying-out of special investigations assigned by the Audit Committee
      and Director of the MGI;
   xi. Precisely, every activity, department and office of MGI falls within the scope
      of the Internal Audit Department for independent appraisal; and
   xii. The Internal Auditor and staff of the Internal Audit Department are, however, not
      allowed to:
      a) Perform any operational duties for MGI outside the Internal Audit Department
         function;
      b) Initiate or approve accounting transactions external to the Internal Audit
         Department; and
      c) Direct the activities of any MGI employee except to the extent such
         employees have been appropriately assigned to auditing teams or to
         otherwise assist the Internal Audit Department.
3 AUTHORITY
The Internal Auditor and staff of the Internal Audit Department are authorized to:
a) Have unrestricted access to all MGI departments, offices, activities, records,
   information, properties and personnel, relevant to the performance of audit
   function;
b) Determine the scope of work and apply the techniques required to accomplish
   audit objectives;
c) Obtain the necessary assistance of personnel in various departments / offices of the
   MGI where they perform audits; and
d) Obtain assistance of specialists/professionals where considered necessary from
   within or outside MGI.
4 RESPONSIBILITY
The Internal Auditor and staff of Internal Audit Department have responsibility to:
a) Formulate an annual audit plan in consultation with the Audit Committee and
   Management;
b) Implement the annual audit plan, including as appropriate any special tasks or
   projects requested by the Audit Committee and Director of the MGI;
c) Maintain a professional audit staff strength with sufficient knowledge, skills,
   experience, and professional qualifications to meet the requirements of this
   Charter;
d) Issue periodic reports on a timely basis to the Audit Committee and Director of the
   MGI summarizing results of audit activities;
e) Keep the Audit Committee informed of emerging trends and developments in
   internal auditing practices and give recommendations for necessary revisions in
   the Internal Audit Charter. Provide a list of significant measurement goals and
   results to the audit committee;
f) Assist in the investigation of significant suspected fraudulent activities and notify
   the Audit Committee and Director of the MGI of the results;
g) Ensure that the department complies with sound internal auditing principles and
   best practices; seek guidance from the standards issued by the Institute of Internal
   Auditors;
h) The Internal Auditor and staff of audit department have responsibility to:
   i. Follow the guidelines and methodology given by the Institute of Internal
      Auditors;
   ii. Exercise due professional care in carrying out audit assignments;
   iii. Maintain integrity and objectivity; and
   iv. The internal audit process, however, does not relieve departmental heads
      and head of sections of their responsibility for the maintenance and
      improvement of controls in their respective areas.
5 ACCOUNTABILITY
The Internal Auditor in the discharge of his duties shall be accountable to the Audit
Committee to:
a) Submit an assessment on the adequacy and effectiveness of the MGI's
   processes for controlling its activities and managing its risks in all the areas
   of MGI operations on an annual basis;
b) Report significant issues related to the processes for controlling the
   activities of MGI, together with recommendations for improvements to
   those processes;
c) Provide information on the status and results of the annual audit plan on a
   quarterly basis;
d) Coordinate with external auditors and provide oversight of other control
   and monitoring functions e.g. security and legal etc.
e) The performance of the Internal Audit Department will be evaluated by the
   Audit Committee.
6 INDEPENDENCE
a) To maintain the independence of Internal Audit Department from other
   MGI departments and offices, its personnel shall report to the Internal
   Auditor who shall report administratively to Director of the MGI and
   functionally to the Audit Committee;
b) The Internal Audit Department shall be independent of the activities
   audited. The department must also be independent from the everyday
   internal control process;
c) The Internal Audit Department shall exercise its assignment on its own
   initiative in all departments, offices and functions of the MGI; and
d) The Internal Auditor shall be authorised to communicate directly, and on
   his own initiative, to the Council and the members of audit committee.
7 CONTINUITY AND IMPARTIALITY
a) The Internal Audit Department within MGI shall be a permanent function;
b) The Internal Audit Department shall be objective and impartial in
   performing its assignment;
c) Objectivity and impartiality entails that the Internal Audit Department itself
   seeks to avoid any conflict of interest.
d) Impartiality requires that the Internal Audit Department is not involved in
   the operations of MGI or in selecting or implementing internal control
   measures. However, the Internal Audit Department may give
   recommendations for strengthening internal controls and can also give
   opinions on specific matters related to internal control procedures as per the
   request of senior management.
ORGANIZATIONAL CHART
AUDIT COMMITTEE CHARTER
PURPOSE
The Audit Committee will serve to ensure:
- the activities of the internal audit function comply with the Internal Audit Charter and
  the Institute of Internal Auditors' Standards for Professional Practice of Internal Auditing;
- audit coverage for the Mahatma Gandhi Institute adequately encompasses all aspects of
  the Institute's operations and that coverage is not inhibited or limited by any individual or
  group;
- audit activities are responsive to executive management's needs and objectives;
- executive management is aware of internal audit activities, results of audits, and progress
  toward implementation of audit recommendations.
RESPONSIBILITY
Responsibilities of the Audit Committee include:
- ensuring that internal audit goals and objectives, staffing plans, financial budgets, and
  audit activities provide adequate support of goals and objectives;
- assessing the performance of the internal audit function;
- ensuring that the audit planning process, including the risk assessment methodology,
  considers appropriate aspects of the System's operations and executive management's
  concerns;
- approving the annual audit plan;
- ensuring that internal audit is given the opportunity to attend technical or professional
  development training to assist in keeping up to date with financial, management, internal
  control, and other relevant issues;
- reviewing the results of significant audit activities, audit reports, and auditee responses;
- monitoring the adequacy and timeliness of corrective actions taken in response to audit
  activities;
- monitoring audits performed by external auditors (e.g. Legislative Auditor, Federal
  auditors, etc.);
- providing reasonable assurance that the universities' business goals and objectives are
  being achieved in an efficient and economical manner, within an appropriate framework
  of internal control and risk management;
- reviewing internal audit peer reviews and determining whether the function complies
  with Standards for the Professional Practice of Internal Auditing;
- reviewing and revising the System's Internal Audit Charter as needed;
- monitoring adherence to ethical standards within the Institute system related to
  compliance with laws and regulations, ethics, conflicts of interest, and investigation of
  misconduct and fraud;
- notifying executive management immediately and reviewing actions taken in the
  respective universities relative to significant frauds, violations of laws or regulations, and
  other significant issues raised by Institute, State, Federal, or other agency auditors;
- appointing the System Director of Internal Audit based on recommendation from the
  System President.
MEMBERSHIP
The Audit Committee will be composed of three members. One member of the Committee will
be appointed as Chair. As a guide, it is desirable that members of the Committee shall possess:
- acumen in business functions and management skills,
- understanding of best practice internal control and risk management,
- knowledge of information systems and emerging technology,
- competency in financial and operational reporting.
Members of the Audit Committee will, at all times in the discharge of their duties and
responsibilities, exercise honesty, objectivity, and probity and not engage knowingly in acts or
activities that have the potential to bring discredit to the System. Members also must refrain from
entering into any activity that may prejudice their ability to carry out their duties and
responsibilities objectively and must at all times act in a proper and prudent manner in the use of
information acquired in the course of their duties. Members must not use System information for
any personal gain for themselves or their immediate families or in any manner that would be
contrary to law or detrimental to the welfare and goodwill of the System.
MEETINGS
The Audit Committee will meet as it deems necessary. Committee meetings should be scheduled
in advance, members notified, and agenda topics assembled. The Internal Auditor will coordinate
this activity. Prior to the meeting, the Internal Auditor will provide the Committee members with
information relating to the status of audit activities. Such information should include, but not be
limited to, audit reports, audit follow-up and the implementation of recommendations,
management services, external audits, and other relevant information. In addition, annual audit
plans and other appropriate information essential for the Committee to fulfill its responsibilities,
will be provided and reviewed as necessary.
A majority of members must be present to provide a quorum. Minutes shall be recorded and
maintain
Standards of Audit Practice
The internal auditing staff shall govern themselves by adherence to the Institute of Internal
Auditors' "Code of Ethics." Assurance and consulting services shall be conducted in
accordance with the Institute's "Standards for the Professional Practice of Internal Auditing"
using such audit programs, techniques, and procedures as are considered necessary under the
circumstances. Although not mandatory, internal auditing staff may obtain guidance in particular
engagement situations from the Institute of Internal Auditors' "Practice Advisories", the
Information Systems Audit and Control Association's "Standards for Information Systems
Auditing", the American Institute of Certified Public Accountants "Statements on Auditing
Standards", and the United States General Accounting Office's "Government Auditing
Standards".
MGI Management Control Policy
1. Management is charged with the responsibility for establishing a network of processes with
   the objective of controlling the operations of the Institute in a manner which provides the
   Council with reasonable assurance that:
   - Data and information published either internally or externally is accurate, reliable,
     and timely.
   - The actions of directors, officers, and employees are in compliance with the
     Institute's policies, standards, plans and procedures, and all relevant laws and
     regulations.
   - The Institute's resources are adequately protected.
   - Resources are acquired economically and employed profitably and quality business
     processes and continuous improvement are emphasized.
   - The Institute's plans, programs, goals, and objectives are achieved.
   Controlling is a function of management and is an integral part of the overall process of
   managing operations. As such, it is the responsibility of managers at all levels of the Institute
   to:
   - Identify and evaluate the exposures to loss which relate to their particular sphere of
     operations.
   - Specify and establish policies, plans, and operating standards, procedures, systems,
     and other disciplines to be used to minimize, mitigate, and/or limit the risks
     associated with the exposures identified.
   - Establish practical controlling processes that require and encourage employees to
     carry out their duties and responsibilities in a manner that achieves the five control
     objectives outlined in the preceding paragraph.
   - Maintain the effectiveness of the controlling processes they have established and
     foster continuous improvement to these processes.
2. The internal audit activity is charged with the responsibility for ascertaining that the ongoing
   processes for controlling operations throughout the Institute are adequately designed and are
   functioning in an effective manner. Internal auditing is also responsible for reporting to
   management and the audit committee on the adequacy and effectiveness of the Institute's
   systems of internal control, together with ideas, counsel, and recommendations to improve
   the systems.
3. The audit committee is responsible for monitoring, overseeing, and evaluating the duties and
   responsibilities of management, the internal audit activity, and the external auditors as those
   duties and responsibilities relate to the Institute's processes for controlling its operations.
4. The audit committee is also responsible for determining that all major issues reported by the
   internal audit activity, the external auditor, and other outside advisors have been satisfactorily
   resolved. Finally, the audit committee is responsible for reporting to the full Council all
   important matters pertaining to the Institute's controlling processes.
Objectivity
Internal Audit employees are assigned to engagements so that potential and actual conflicts of
interest and bias are avoided. Members of the internal audit department are required to be
objective and maintain an independent mental attitude in performing assignments. They must
have an impartial, unbiased attitude and avoid conflicts of interest.
Internal audit personnel complete a conflict of interest statement concerning potential conflicts of
interest. Internal audit staff have been instructed to report to the Director General any situations
in which a conflict of interest or bias is present or may reasonably be inferred. If independence
or objectivity is impaired in fact or appearance, the details of the impairment will be disclosed to
appropriate parties. When any such situations are reported, the director will then reassign the
auditor. Independence is addressed in the audit planning memoranda of individual audits to
remind internal audit staff of the importance of maintaining an independent mental attitude when
conducting audits.
Members of the Internal Audit Department are required to refrain from assessing specific
operations for which they were previously responsible. Providing assurance services for an
activity for which the internal auditor had responsibility within the previous year is not allowed.
Assurance engagements for functions over which the chief audit executive has responsibility will
be overseen by a party outside the internal audit activity. However, internal audit personnel may
provide consulting services relating to operations for which they had previous responsibilities. If
internal audit personnel have potential impairments relating to proposed consulting services,
disclosure will be made to appropriate personnel prior to acceptance of the project.
As detailed in the audit charters, internal auditors do not assume operating responsibilities. In
performing their work, the internal audit staff members have no direct authority over, nor
responsibility for, any of the activities reviewed. Internal auditors will not develop and install
procedures, prepare or approve records, make management decisions, or engage in any other
activity which could be construed to compromise their independence.
Therefore, internal audit reviews and appraisals do not in any way substitute for nor relieve other
persons in the institute of the responsibilities assigned to them. The drafting of procedures for
systems is not an audit function. The Internal Auditor reviews the results of internal auditing
work before the related audit report is released to provide reasonable assurance that the work was
performed objectively.
If senior management directs the Internal Audit Department to perform non-audit related work,
the Internal Auditor will inform management that the activity is not audit related, the employees
are not functioning as internal auditors; and, therefore, audit-related conclusions should not be
drawn.
Proficiency
The internal audit staff are expected to have sufficient knowledge to identify the indicators of
fraud; however, they are not expected to have the expertise of a person whose primary
responsibility is detecting and investigating fraud.
The internal audit staff are expected to have sufficient knowledge of key information
technology risks and controls and available technology-based audit techniques to perform their
assigned work. However, the auditors are not expected to have the expertise of an internal
auditor whose primary responsibility is information technology auditing.
If the internal audit staff does not possess the required expertise to conduct an audit or consulting
project, the department has the option of declining the engagement or obtaining the required
expertise through training or the use of consultants. If the Internal Auditor decides to use and
rely on the work of an outside consultant or service provider, the director will assess the
competency, independence, and objectivity of the outside service provider.
Fraud
Internal audit members are not expected to have the expertise of a person whose primary
responsibility is fraud detection and investigation. Internal auditors are responsible for assisting
in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of the
system of internal control. The internal audit department's responsibilities for fraud detection are
to:
- Have sufficient knowledge of fraud to be able to identify indicators that fraud may have been
  committed. However, the auditors are not expected to have the expertise of a person whose
  primary responsibility is detecting and investigating fraud.
- Be alert to opportunities, such as control weaknesses, that could allow fraud.
- Evaluate the indicators that fraud may have been committed and decide whether any further
  action is necessary or whether an investigation should be recommended.
- Notify the appropriate authorities within the organization if a determination is made that
  there are sufficient indicators of the commission of a fraud to recommend an investigation.
The internal audit department may perform extended procedures to determine whether
fraud has occurred.
When conducting fraud investigations, the internal auditor staff will:
- Assess the probable level and the extent of complicity in the fraud within the Institute.
- Determine the knowledge, skills, and disciplines needed to effectively carry out the
  investigation.
- Design procedures to follow in attempting to identify the perpetrators, extent of the fraud,
  techniques used, and cause of the fraud.
- Coordinate activities with management personnel, legal counsel, and other specialists as
  appropriate throughout the course of the investigation.
- Be cognizant of the rights of alleged perpetrators and personnel within the scope of the
  investigation and the reputation of the Institute itself.
Once a fraud investigation is concluded, internal auditors will assess the facts in order to:
- Determine if controls need to be implemented or strengthened to reduce future vulnerability.
- Design audit tests to help disclose the existence of similar frauds in the future.
- Help meet the internal auditor's responsibility to maintain sufficient knowledge of fraud and
  thereby be able to identify future indicators of fraud.
When the incidence of significant fraud has been established to a reasonable certainty, senior
management and the Council will be notified immediately.


Internal Auditor Job Description
1. Examine all divisional and departmental financial and compliance operations at appropriate
   intervals to determine that:
   a) Management has established an adequate internal control environment;
   b) Internal control processes are adequate and effective;
   c) Institute policies and procedures are being followed;
   d) Adequate safeguards exist to safeguard assets recorded in the accounting records;
   e) The system of accounting and financial reporting is reliable and adequate.
2. Report promptly to the Audit Committee the results of audits, the opinions formed, the
   recommendations for improving the reported conditions, the comments of affected administrative
   personnel, and appropriate action planned or taken.
AUTHORITY:
To maintain an independent status, the Internal Auditor shall have no authority or responsibility
for the activities the department audits.
Internal Auditing examines and evaluates the adequacy of the internal control environment and
subsequent effectiveness of the internal control processes provided by management. The purpose
of those processes is to direct Institute activities toward the accomplishment of its objective in
accordance with established policies and procedures and other plans. Internal Auditing also
examines systems to determine that they are operating in the most efficient manner to
accomplish their intended goals. In accomplishing his activities, the Director and his audit staff
are authorized to have full, free, and unrestricted access to all Institute functions, records,
property, and personnel.
RESPONSIBILITIES:
Within the restraints of time and staff, the Internal Auditor is responsible for:
1. Establishing policies for audit activity and directing technical and administrative
   functions.
2. Developing and executing a comprehensive audit program to include planning and
   performance of financial, compliance, irregularity, and special projects within the
   Institute.
3. Examining the effectiveness of all levels of management in his stewardship of Institute
   resources and in compliance with established policies and procedures.
4. Recommending improvements in the internal control environment designed to safeguard
   Institute resources, promote Institute growth, and ensure compliance with government
   laws and regulations.
5. Reviewing procedures and records for their adequacy to accomplish intended objectives,
   and appraising policies and plans relating to the activity or function under audit review.
6. Authorizing the publication of reports on the results of audit examinations, including
   recommendations for improvement.
7. Appraising the adequacy of the action taken by operating management to correct reported
   deficient conditions; accepting adequate corrective action; continuing reviews with
   appropriate management personnel on action he considers inadequate until there has been
   a satisfactory resolution of the matter.
8. Preparing a comprehensive, long-range program of audit coverage.
9. Identifying those activities subject to audit coverage, evaluating their significance, and
   assessing the degree of risk inherent in the activity in terms of cost, schedule, and quality.
10. Establishing the departmental structure.
11. Obtaining training and maintaining an audit staff capable of accomplishing the internal
    audit function.
12. Assigning audit areas, staff, and budget to auditors.
13. Developing a system of schedule control over audit projects.
14. Establishing and monitoring accomplishment of objectives directed toward increasing his
    department's ability to serve management.
15. Coordinating internal and external audit efforts.
Due Professional Care
Members of the Internal Audit Department are required to exercise due professional care in
performing audits/assurance services. The auditors are expected to use reasonable audit skill and
judgment in performing the audits and consider the following:
- Extent of audit work needed to achieve the audit objectives.
- Relative materiality or significance of matters to which audit procedures are applied.
- Adequacy and effectiveness of risk management, control, and governance processes.
- Audit cost relative to potential benefits.
- Probability of significant errors, irregularities, or noncompliance.
- The use of computer-assisted audit tools and other data analysis techniques.
The auditors are expected to exercise due professional care during a consulting engagement by
considering the:
- Needs and expectations of clients, including the nature, timing, and communication of
  engagement results.
- Relative complexity and extent of work needed to achieve the engagement's objectives.
- Cost of the consulting engagement in relation to potential benefits.
The internal audit staff are required to be alert to the possibility of errors and/or fraud and the
significant risks that might affect operations. However, assurance procedures alone do not
guarantee that all significant risks will be identified. The members of the internal audit
department document their assessment of at-risk areas in the planning memo/preliminary survey
and the audit program.
Continuing Professional Education
Members of the Internal Audit Department are responsible for continuing their education in order
to maintain their professional proficiency. Continuing education is obtained through
membership and participation in professional organizations and attendance at conferences,
seminars, college courses, and other training programs.
Certification
Each auditor is encouraged to obtain professional certification, such as:
• Certified Public Accountant (CPA)
• Certified Internal Auditor (CIA)
• Certified Information Systems Auditor (CISA)
• Certified Fraud Examiner (CFE)
• Certified Management Accountant (CMA)
Quality Program Assessments
The Internal Auditor has implemented and maintains a quality assurance program that covers all
aspects of the internal audit activity and continuously monitors its effectiveness. The program
includes periodic internal and external quality assessments and ongoing internal monitoring. The
process is designed to help the internal auditing activity add value and improve the institute's
operations and to provide assurance that the internal audit activity is in conformity with
applicable standards and the internal audit charter.
External Assessments
External assessments include continuous oversight of the department by the System Director of
Internal Audit and the Council and reviews of the internal audit reports and working papers by
external auditors. In addition, the internal audit department will have an external assessment
(self assessment with independent validation) by an independent reviewer or review team from
outside the organization conducted by January 1, 2007, and at least once every five years
thereafter.
Reporting
The results of the external assessments will be communicated to management and the Council.
If full compliance is not achieved and the noncompliance impacts the overall scope or operation
of the internal audit activity, this will be communicated to senior management and the Council.
The internal audit department will report that their activities are "conducted in accordance with
the International Standards for the Professional Practice of Internal Auditing" only if the
assessments of the quality improvement program demonstrate that the internal audit activity is in
compliance with the Standards.
Audit Plan
Prior to the beginning of each fiscal year, the Internal Auditor meets with the Director General
to discuss the internal audit plan for the upcoming year.
To assist in preparing the annual audit plan and assessing risk, input is obtained or requested
from prior external and internal audit findings and the Institute's operations.
Communication and Approval
After the plan is prepared, the Internal Auditor obtains the Audit Committee approval of the plan.
The plan is then sent to the Council for approval. Significant interim changes in the plan or
resource requirements are communicated to the Audit Committee and the Council.
Resource Management
The internal auditing department attempts to set measurable goals that are capable of being
accomplished within specified operating plans.
Example Annual Audit Plan
Mahatma Gandhi Institute
Audit Hours Available and Allocable
2011
Audit Hours Available
Standard hours available (2,080 hrs./auditor x 2 auditors)           4,160
Less: Vacation Time                                            160
      Paid Holidays                                            224
      Sick Leave                                                80    -464
Available Audit Hours                                                3,696
Allocation of Audit Hours
Grade Change Audit                                                     300
Follow-up on Single Audit Findings                                     280
Follow-up on Legislative Auditor's Findings                            280
Student Technology Fees                                                280
Cash Collection Points                                                 300
Athletics                                                              200
Financial Aid                                                          340
Contract Compliance                                                    240
Auxiliary Enterprise Profit/Loss                                       200
GASB 39                                                                120
Quarterly Certifications                                               140
Management Advisory & Special Projects                                 450
Supervision                                                            166
General Administration & Planning                                      200
CPE & Other Training                                                   200
Total Allocable Hours                                                3,696
Policies and Procedures
Internal audit policies and procedures have been formalized in the Internal Audit Manual to
provide guidance to the employees of the Internal Audit Department. In addition, audit staff are
directed and controlled through daily, close supervision and written memoranda. The form and
content of the policies and procedures have been adapted to the relatively small size and
uncomplicated structure of the department and the specialization of its work. Due to the small
number of staff and uncomplicated structure of the department, management is more informal
than in a larger audit department.
Coordination
The external auditors generally review the working papers of the department when performing
their audit of the financial statements. To the extent the external auditors and professional and
organizational reporting responsibilities allow, the department shares information and
coordinates activities with the other internal and external providers of assurance and consulting
services to ensure proper coverage and minimize duplication of efforts.
1. The Internal Audit Department and the external auditors periodically discuss matters of
mutual interest.
2. The external auditors are allowed access to the Internal Audit Department's audit
programs, working papers, and reports. The Department of Internal Audit obtains copies
of the external auditor's reports and follows up on the findings contained therein. The
external auditor allows the Internal Audit Department access to selected working papers.
Questions regarding significant control weaknesses, errors and irregularities, illegal acts,
disagreements with management, and any difficulties encountered in performing the audit
are discussed with the external auditors.
3. The internal audit department may agree to perform work for external auditors in
connection with their annual audit of the financial statements.
Reporting to Management
All internal audit reports and executive summaries are submitted to the Audit Committee.
Nature of Work
As discussed in the audit charter, the mission of the internal audit activity is to provide
independent, objective assurance and consulting services designed to add value and improve the
Institute's operations. Internal audit helps the Institute accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes. The internal audit activity is guided by a value-driven
philosophy of partnering with other departmental units to continuously improve the operations of
the Institute. The scope of work of the internal audit activity is to determine whether the
Institute's network of risk management, control, and governance processes, as designed and
represented by management, is adequate and functioning in a manner to ensure:
• Risks are appropriately identified and managed.
• Interaction with the various governance groups occurs as needed.
• Significant financial, managerial, and operating information is accurate, reliable, and
timely.
• Employees' actions are in compliance with policies, standards, procedures, and
applicable laws and regulations.
• Resources are acquired economically, used efficiently, and adequately protected.
• Programs, plans, and objectives are achieved.
• Quality and continuous improvement are fostered in the Institute's control process.
• Significant legislative or regulatory issues impacting the Institute are recognized and
addressed properly.
The Institute's internal audit activity includes the following general objectives:
• Determining that the Institute's overall system of internal control and the controls in each
departmental unit or activities under audit are adequate, effective, efficient, and
functioning by conducting audits on a periodic basis so that all major systems are
reviewed.
• Determining the reliability and adequacy of the accounting, financial, and reporting
systems and procedures.
• Determining, on a test basis, that Institute activities, including the administration of
grants and contracts received or made, are in conformance with the Institute policies and
procedures, state and federal laws and regulations, contractual obligations, Council Rules,
and good business practices.
• Determining the extent to which Institute assets are accounted for and safeguarded from
losses of all kinds and, as appropriate, verifying, on a test basis, the existence of such
assets.
• Evaluating operational procedures to determine whether results are consistent with
established objectives and goals and whether the procedures are being carried out as
planned.
• Conducting investigations as required or directed related to the general objectives
previously stated.
The management process of planning, organizing, and directing is evaluated by internal audit to
determine whether reasonable assurance exists that objectives and goals will be achieved. All
business systems and processes within the Institute are subject to evaluation by internal audit.
Risk Management
The internal audit activity assists the Institute by identifying and evaluating significant exposures
to risk and contributing to the improvement of risk management and control systems. The key
objectives of the Institute's risk management process are as follows:
1. Risks arising from business strategies and activities are identified and prioritized.
2. Management and the Council have determined the level of risks acceptable to the Institute,
including the acceptance of risks designed to accomplish the Institute's strategic plans.
3. Risk mitigation activities are designed and implemented to reduce, or otherwise manage, risk
at levels that were determined to be acceptable to management and the Council.
4. Ongoing monitoring activities are conducted to periodically reassess risk and the
effectiveness of controls to manage risk.
5. The Council and management receive periodic reports of the results of the risk management
processes. The corporate governance processes of the Institute provide periodic
communication of risks, risk strategies, and controls to stakeholders.
Management's expectation of the internal audit activity in relation to the Institute's risk
management process is documented in the internal audit charter. The internal audit activity
monitors and evaluates the effectiveness of the Institute's risk management system. Risk
exposures relating to the Institute's governance, operations, and information systems regarding
the reliability and integrity of financial and operational information; effectiveness and efficiency
of operations; safeguarding of assets; and compliance with laws, regulations, and contracts are
subject to evaluation.
During consulting engagements, the Institute's internal auditors are expected to address risk
consistent with the engagement's objectives and be alert to the existence of other significant
risks. Knowledge of risks gained from consulting engagements may be incorporated into the
process of identifying and evaluating significant risk exposures.
Internal Control
The internal audit activity assists the Institute in maintaining effective controls by evaluating
their effectiveness and efficiency and by promoting continuous improvement. Internal audit
evaluates the adequacy and effectiveness of controls encompassing the Institute's governance,
operations, and information systems regarding the reliability and integrity of financial and
operational information; effectiveness and efficiency of operations; safeguarding of assets; and
compliance with laws, regulations, and contracts.
The internal audit activity is responsible for ascertaining the extent to which operating and
program goals and objectives have been established and conform to those of the Institute.
Operations and programs are reviewed to ascertain the extent to which results are consistent with
established goals and objectives to determine whether operations and programs are being
implemented or performed as intended. Internal audit ascertains the extent to which
management has established adequate criteria to determine whether objectives and goals have
been accomplished. If adequate, internal audit uses such criteria in their evaluation. If
inadequate, internal audit works with management to develop appropriate evaluation criteria.
During consulting engagements, the internal auditors are expected to address controls consistent
with the engagement's objectives and be alert to the existence of any significant control
weaknesses. Knowledge of controls gained from consulting engagements is to be incorporated
into the process of identifying and evaluating significant risk exposures of the Institute.
Information Security
Internal audit assesses the Institute's information security practices. General and application
control reviews may be performed. Reviews of disaster recovery, business continuity plans, and
electronic funds transfers may also be conducted. In most cases, such assessments are integrated
into other engagements conducted as part of the approved audit plan. However, separate
stand-alone engagements may be conducted.
When conducting field work, the auditors are alert for the key information technology risks and
controls. Use of available technology-based audit techniques is considered in performing
assigned work. The use of data extraction software by the internal auditors is not considered cost
beneficial due to the small size of the Institute's internal audit activity and the related costs of
training and software updates. If the internal audit staff lacks the knowledge, skills, or other
competencies needed to perform information technology tests, the chief audit executive obtains
competent advice and assistance. Information technology personnel in the computing center are
often used to extract data through use of FOCUS, E-print, and other programs and reports. If
E-Commerce processes are audited, the overall audit objective will be to ensure that all processes
have effective internal controls.
Risk Management Processes
The internal audit department could be asked to act in a consulting role to assist the Institute in
identifying, evaluating, and implementing risk management methodologies and controls. The
Institute has an informal risk management program that is appropriate given the nature of the
Institute's activities and its relatively small size.
Reliability and Integrity of Information
Management is responsible for establishing systems to ensure reliability and integrity of
information. The Department of Internal Audit is responsible for reviewing the processes to
determine whether financial and operating records and reports contain accurate and useful
information. Internal Audit is also responsible for determining whether controls over record
keeping and reporting are adequate and effective. These audits may include the following:
• Determining if transactions have been properly reviewed and approved.
• Determining if information systems produced data that was useful, accurate, complete,
timely, and relevant.
• Identifying and documenting key controls designed to ensure the reliability and integrity
of information.
• Testing key controls.
Compliance with Laws and Regulations
Management is responsible for establishing systems to ensure compliance with policies, plans,
procedures, laws, regulations, and contracts. The Department of Internal Audit is responsible for
reviewing the systems to determine whether the Institute is in compliance with the policies,
plans, procedures, laws, regulations, and contracts. These audits may include the following:
• Obtaining background information to identify and interpret the relevant policies, plans,
procedures, laws, regulations, and other items that could have a significant impact on
operations.
• Identifying key controls designed to ensure compliance with policies, plans, procedures,
laws, regulations, and contracts.
• Testing key controls.
• Determining if the auditee is in compliance with the relevant policies, plans, procedures,
laws, regulations, and contracts.
Safeguarding of Assets
Management is responsible for safeguarding the Institute's assets. The Department of Internal
Audit is responsible for performing audits to test the means used by management to safeguard
assets from various types of losses such as theft, fire, improper or illegal activities, and exposure
to elements. These audits may include the following:
• Determining the adequacy of the separation of duties.
• Testing the rotation of sensitive duties among employees.
• Ascertaining that reconciliation procedures are timely, thorough, and appropriately
reviewed.
• Verifying the adequacy of management's periodic surprise reviews.
• Testing the review and approval of transactions by authorized individuals.
• Determining the adequacy of the physical protection of assets and records.
• Identifying key controls designed to prevent or detect errors and fraud.
• Testing key controls.
• Verifying the physical existence of Institute assets.
Economical and Efficient Use of Resources
Management is responsible for setting operating standards to measure an activity's economical
and efficient use of resources. The Department of Internal Audit may perform economy and
efficiency audits to determine whether:
• Operating standards have been established for measuring economy and efficiency.
• Established operating standards are understood and are being met.
• Deviations from operating standards are identified, analyzed, and communicated to those
responsible for corrective action.
• Corrective action has been taken.
These audits may include the following:
• Identifying the operating standards.
• Determining whether the standards are appropriate in keeping with the auditee's goals
and objectives.
• Determining if the information used by management to measure its success is accurate,
current and relevant.
• Ascertaining whether management has procedures to ensure that they met their standards.
• Determining whether management identified and analyzed deviations from the standards.
• Determining whether management discussed deviations with the appropriate individuals.
• Identifying any inefficient or uneconomic use of resources.
• Identifying key controls designed to ensure compliance with the auditee's goals,
measures, or targets.
• Testing key controls designed to ensure compliance with the auditee's goals, measures, or
targets.
Accomplishment of Established Objectives and Goals for Operations or Programs
Management is responsible for establishing operating or program objectives and goals,
developing and implementing control procedures, and accomplishing the desired operating or
program results. The Department of Internal Audit is responsible for the following:
• Ascertaining if management identified relevant objectives and goals and developed a
system for measuring their accomplishment.
• Appraising whether management established criteria for evaluating their program's
effectiveness.
• Assessing whether management determined if their objectives and goals were met.
• Determining if the techniques and data used by management to measure effectiveness are
appropriate.
• Reviewing for evidence that the auditee was looking for cost effective ways to
accomplish objectives and goals.
• Determining whether management has estimated the costs and benefits of not meeting
goals.
The Department of Internal Audit reviews operations (purchasing, human resources, finance,
governmental assistance, etc.) or programs (fund-raising campaigns, capital expenditures, etc.) to
determine whether results are consistent with established objectives and goals and whether the
operations or programs are being carried out as planned. These audits may include the
following:
• Identifying key controls designed to ensure compliance with established objectives and
goals.
• Testing the effectiveness of the key controls.
Examining & Evaluating Information
When performing engagements, the internal audit staff will analyze sufficient, reliable, relevant,
and useful information to achieve the engagement's objectives. Conclusions and engagement
results will be based on appropriate analyses and evaluations and documented in the working
papers. The procedures performed during most engagements may include reviewing applicable
laws, regulations, policies and procedures; interviewing selected employees and others;
examining selected documents and records; comparing relationships among financial and
non-financial information; and performing observations.
Working Papers
Working papers (Audit Evidence) are the connecting link between the objectives and the
auditor's report. All pertinent information obtained by internal audit must be documented.
Engagement working papers serve the following purposes:
• Provide a systematic record of work performed;
• Provide a record of the information and evidence obtained and developed to support findings,
conclusions, and recommendations;
• Provide information to the Audit Director to enable him to supervise and manage
assignments and to evaluate auditor performance; and
• Provide a record of information for future use in planning and carrying out subsequent
assignments.
The working papers document various aspects of the engagement process to include planning,
risk assessment, evaluation of the system of internal control, engagement procedures performed,
information obtained, conclusions reached, supervisory review, communication of results, and
follow-up.
Working papers must be neat, competent, relevant, useful, and accurate. Anyone using the
working papers should be able to readily determine their source, purpose, procedures performed,
findings, conclusions and the auditor's recommendations.
At the top right section of the working paper, the auditor completing the work will initial and
date the working paper. The reviewer will initial and date, directly beneath the auditor's initials
on the working paper, indicating that the working paper has been reviewed.
Permanent Files
This file will contain information necessary to gain an understanding of (a) the function of the
department/area to be audited; (b) its organization and resources; (c) how it relates to other
departments; (d) internal control adequacy and effectiveness; and (e) general information about
relevant policies and procedures. The file generally contains the following types of information:
• Organizational charts.
• Applicable statutes, regulations, policies, and procedures.
• Fraud letter.
• Copy of audit plan.
• Monitoring reports.
• Contracts.
• Description of the accounting records, management reports, department budget, and FRS
Screens.
• Departmental mission statement.
• Background/history on the department and/or area to be examined.
• Important permanent correspondence (other than that pertaining to the current audit).
Data contained in the permanent file should be updated whenever a new engagement of the
department or area is started. An index should be maintained of the data/material contained in
the permanent file.
Communicating & Disseminating Engagement Results
At the completion of each project, the Internal Auditor will issue a written report, addressed to
the Institute President, to communicate the engagement's results. Every attempt will be made to
make the report accurate, objective, clear, concise, constructive, timely, and complete. The
report will include the engagement objectives and scope as well as applicable conclusions,
recommendations, and responses and corrective action plans. In general, the layout for assurance
related reports will be as follows:
1. Cover page
2. Executive summary
3. Background information
4. Objective (Purpose): Explanation of why the audit was performed.
5. Scope and methodology: The audit scope is a description of the depth and coverage of
work conducted (period and number of locations covered). The audit methodology is an
explanation of the nature and extent of the evidence gathering and analysis techniques
used to meet the objectives.
6. Noteworthy accomplishments
7. Overall opinion, results, or conclusions
8. Specific observations (findings) and recommendations
9. General section: Acknowledges appreciation and includes limitations on use of the results.
10. Responses and corrective action plans
Description of Reportable Conditions
Reportable Conditions or Comments: Matters coming to the auditor's attention that, in his
judgment, represent significant or material deficiencies in the system of internal control or
noncompliance with applicable laws and regulations. Comments and/or recommendations
designed to enhance Institute operations may also be reported to management.
Non-reportable or Discussion Only Comments: Matters the auditor chooses to communicate,
verbally or in writing, for the benefit of management or others that do not represent significant or
material deficiencies in the system of internal control or noncompliance with applicable laws and
regulations. These are normally communicated in a correspondence separate from the internal
audit report. Sometimes insignificant items may be verbally discussed and documented in the
auditor's working papers.
Monitoring Progress
A system has been established and is maintained to monitor the disposition of engagement results
communicated to management. As requested by the audit committee of approximately six
months after an internal audit report is issued and presented to the audit committee, the
Department of Internal Audit follows up on the reported findings. The purpose of the follow up
is to ascertain that corrective action has been taken and is achieving the desired results, or that
senior management or the Council has assumed the risk of not taking corrective action on the
reported findings.
The department considers the following factors in determining the procedures to be employed in
the follow-up:
a. The significance of the reported finding.
b. The degree of effort and cost needed to correct the reported condition.
c. The risks that may occur should the corrective action fail.
d. The complexity of the corrective action.
e. The time period involved.
The Internal Auditor conducts the following functions relating to following up:
a. A time frame within which management's response to the audit findings is required.
b. An evaluation of management's response.
c. A verification of the response (if appropriate).
d. A follow-up audit (if appropriate).
e. A reporting procedure that escalates unsatisfactory responses/actions, including the
assumption of risk, to the appropriate levels of management.
Resolution of Management's Acceptance of Risks
If management's response indicates they will not take corrective action, the Internal Auditor will
determine if the level of risk is acceptable. If the Internal Auditor believes that senior
management has accepted a level of residual risk that may be unacceptable to the organization,
the Internal Auditor will discuss the matter with senior management and obtain an explanation.
If the decision regarding residual risk is not resolved, the Internal Auditor and senior
management should report the matter to the Council for resolution.

Table of contents
Introduction
POLICY
Internal Audit Charter
Mission-Vision Statement
State of Illinois Fiscal Control and Internal Auditing Act
Policy on Internal Auditing
Confidentiality
Independence
Organization
Institute of Illinois Nondiscrimination Statement/Statement on Sexual Harassment
Quality Assurance
AUDIT PLANNING
Annual Audit Planning
AUDIT PROCESS
Overview
Audit Assignment
Risk Assessment Process
Audit Procedures
Opening Conference
Fieldwork
Workpapers
Audit Observations
Auditor Timekeeping
REPORTING AND FOLLOW-UP
Reporting Overview
Exit Conference
Follow-up
Annual Report
PERSONNEL
Performance Appraisal Process
Training and Professional Development
Employment Orientation
Personnel Management
Telecommuting Policy
ADMINISTRATIVE PROCEDURES
Computers
General Policies
Dress Code


POLICY
INTERNAL AUDIT CHARTER
Mission
The mission of the Office of Institute Audits (Institute Audits) is to provide independent and
objective services to protect and strengthen the Institute and its related organizations.
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organization's operations. It helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.
Purpose
The purpose of Institute Audits is to determine whether the Institute's control, risk management,
and governance processes, as designed and implemented by management, are adequate and
functioning to ensure:
• Risks are appropriately identified and managed.
• Interaction with the various governance groups occurs as needed.
• Financial, managerial, and operating information is accurate, reliable, and timely.
• Employee actions are in compliance with Institute policies and procedures, and applicable laws
and regulations.
• Resources are acquired economically, used efficiently, and adequately protected.
• Plans and objectives are achieved.
• Quality and continuous improvement are fostered in the Institute's control processes.
• Significant legislative or regulatory issues impacting the Institute are recognized and addressed
appropriately.
Institute Audits reports functionally to the President of the Institute (President) and The Council
of Trustees (BOT) of the Institute of Illinois through its Audit, Budget, Finance, and Facilities
Committee (ABFFC), and administratively to the Comptroller of the Council of Trustees, who is
also the Vice President and Chief Financial Officer.
Internal Auditing Responsibilities
Institute Audits responsibilities include:
• Develop a flexible two-year plan identifying audits scheduled for the pending fiscal year, using
an appropriate risk-based methodology, including any risks or control concerns identified by
management, and submit the plan to the President for approval by June 30 of each year.
• Implement the audit plan, as approved by the President, including as appropriate any special
tasks or projects requested by management and the ABFFC.
• Issue periodic reports to the President and Chairman of the ABFFC summarizing results of
audit activities.
• Report annually to the ABFFC regarding audit plans, activities, staffing, and the organizational
structure.
• Report to the ABFFC and BOT by September 30 of each year the scope and results of audits
and the adequacy of management's corrective actions.
• Maintain sufficient knowledge, skills, and experience to meet the requirements of this Charter.
• Assist Institute management by conducting special services to assist management in meeting its
objectives, where appropriate, the nature of which is agreed to with management, and for which
Institute Audits assumes no management responsibility.
• Assist in the investigation of significant suspected fraudulent activities within the institution
and notify management and the ABFFC of the results.
• Establish a follow-up process to monitor and identify whether management actions have been
effectively implemented, or senior management has accepted the risk of not taking action.
• Consider the scope of work of the external auditors and regulators as appropriate for the
purpose of providing optimal audit coverage to the institution.
• Periodically provide the Internal Audit Charter to the ABFFC for review and approval.
Authority
The general scope of audit coverage is Institute-wide and no function, activity, or unit of the
Institute or a related organization is exempt from audit and review. No officer, administrator, or
staff member may interfere with or prohibit internal auditors from examining any Institute or
related organization's record or interviewing any employee or student that the auditors believe
necessary to carry out their duties. Additionally, the Executive Director has the authority to audit
the accounts of all organizations required to submit financial statements to the Institute.
In performing their work, internal auditors have neither direct authority over, nor responsibility
for, any of the activities reviewed. Internal auditors do not develop and install procedures,
prepare records, make management decisions, or engage in any other activity that could be
reasonably construed to compromise their independence or impair their objectivity. Therefore,
internal audit reviews do not, in any way, substitute for or relieve other Institute personnel from
their assigned responsibilities.
Professional Standards
Institute Audits has the responsibility to carry out its duties as defined by the State of Illinois Fiscal Control and Internal Auditing Act (Illinois Compiled Statutes, 30 ILCS 10/1001). Those responsibilities include performing audits in accordance with The Institute of Internal Auditors' International Professional Practices Framework (IPPF), which the State of Illinois Internal Audit Advisory Council has adopted as the standard of performance for all state internal auditors. The IPPF requires mandatory adherence to the Definition of Internal Auditing, the Code of Ethics, and the Standards.
STATE OF ILLINOIS FISCAL CONTROL AND INTERNAL AUDITING ACT
The Fiscal Control and Internal Auditing Act (Illinois Compiled Statutes, 30 ILCS 10/1001) (FCIAA) is the state legislation which provides guidance for internal audit activities of state agencies.
The State Internal Audit Advisory Council, established by FCIAA, has approved the Internal Audit Advisory Council Standards with their Bylaws. Excerpts from each section are included below.
Section III, Standards, states that "All audits performed by the internal audit staffs of State agencies shall be conducted in accordance with the 'Standards for the Professional Practice of Internal Auditing' published by the Institute of Internal Auditors, or where required, in accordance with government auditing standards published by the U.S. General Accounting Office. All audit reports issued by the internal audit staffs of State agencies shall include a statement that the audit was conducted pursuant to the appropriate standards."
Section IV, Code of Ethics, states that state auditors shall adhere to standards of conduct which were derived from the Code of Ethics published by the Institute of Internal Auditors.
Sections V, VI, and VII address continuing professional education (CPE), and the qualifying and recording of CPE activities. The requirement for CPE is that "Effective beginning January 1, 2003, all internal auditors must complete a total of 80 hours of acceptable continuing professional education during two successive calendar years, with a minimum of 20 hours completed each year."
POLICY ON INTERNAL AUDITING
The Institute's policy on Internal Auditing is stated in Section ?.2 of the Office of Business and Financial Services (OBFS) Business and Financial Policies and Procedures which is included below.
The Office of Institute Audits is a staff function in the Institute of Illinois administration. The office assists all levels of the administration in achieving Institute objectives by striving to provide a positive impact on the efficiency and effectiveness of administrative functions. The office achieves this impact through independent appraisals, analyses, and counsel related to:
• Assessment of business risk.
• Identification and implementation of internal control improvements.
• Enhancements to the efficiency and effectiveness of business functions.
• Compliance with federal and state regulations and Institute policies and procedures.
The Executive Director of the Office of Institute Audits reports functionally to the President of the Institute and the Budget and Audit Committee of the Council of Trustees and administratively to the Vice President and Chief Financial Officer. The Budget and Audit Committee of the Institute's Council of Trustees maintains oversight of the auditing function.
Objectives of Audits and Reviews
Internal auditors carry out their work in order to:
• Determine whether the Institute's overall internal control system and unit administrative controls are adequate, effective, and efficient.
• Determine the reliability and adequacy of the accounting, financial, and reporting systems and procedures.
• Determine that Institute activities conform to Institute policies and procedures, state and federal laws and regulations, contractual obligations, and good business practices.
• Determine the extent to which Institute assets are accounted for and safeguarded from losses of all kinds, and verify the existence of assets.
• Evaluate operational procedures to determine whether results are consistent with established objectives and goals, and whether the procedures are carried out as planned.
• Evaluate the design of major new electronic data processing systems and major modifications to existing systems before installation to determine whether the system of internal control is adequate, effective, and efficient.
In addition, internal auditors conduct or support investigations, as required or directed.
Scope of Audit Coverage
The general scope of audit coverage is Institute-wide and no function, activity, or unit of the Institute is exempt from audit and review. No officer, administrator, or staff member may prohibit internal auditors from examining any Institute record or interviewing any employee or student that the auditors think relevant to their audits and reviews. Additionally, the Executive Director of the Office of Institute Audits has authority to audit the accounts of all organizations required to submit financial statements to the Institute.
Operational Limitation of Authority and Responsibility
In performing their work, the Executive Director of the Office of Institute Audits and other internal auditors have neither direct authority over, nor responsibility for, any of the activities reviewed. Internal auditors do not develop and install procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence. Therefore, internal audit reviews and appraisals do not, in any way, substitute for or relieve other Institute personnel from their assigned responsibilities.
Auditing Procedures
The internal auditors conduct audits and reviews in accordance with the Standards for the Professional Practice of Internal Auditing (The Institute of Internal Auditors). The internal audit function is carried out in compliance with requirements of the Fiscal Control and Internal Auditing Act of the State Internal Audit Advisory Council.
Performance standards for the audit function are defined in the Audit Manual of the Office of Institute Audits, and are developed from the Standards for the Professional Practice of Internal Auditing, General Standards for Information Systems Auditing (Information Systems Audit and Control Association), Statement on Auditing Standards No. $ (American Institute of Certified Public Accountants), the Audit Guide for Performing Compliance Audits of Illinois State Agencies (Auditor General, State of Illinois), and the Standards for Audit of Governmental Organizations, Programs, Activities, and Functions (Comptroller General of the United States).
FOUNDATION GENERAL POLICY AND GUIDELINES MANUAL
Institute of Illinois Foundation
The following policy and guidelines concerning internal auditing are included in the Institute of Illinois Foundation General Policy and Guidelines and represent the Foundation's "Charter" for the Office of Institute Audits.
General Policy
The Council of Directors of the Institute of Illinois Foundation is committed to a vigorous program of internal auditing designed to test the effectiveness of internal control.
Guidelines
The internal audit program is conducted by the Executive Director of Institute Audits in accordance with the 1983 policy statement "Institute of Illinois Foundation Internal Audit Function" which follows.
Policy Statement
It is the policy of the Council of Directors of the Institute of Illinois Foundation to establish and maintain an internal audit function that: provides all levels of management with information about the managerial control of the operations for which it is responsible; provides the Audit Committee of the Council of Directors with necessary information to discharge its responsibilities; and assists management and Audit Committee members in deciding how effective the total system of internal control is in achieving its broad objectives for the governance and operation of the Foundation.
ALUMNI ASSOCIATION GENERAL POLICY AND GUIDELINES MANUAL
Institute of Illinois Alumni Association
The following policy and guidelines concerning internal auditing are included in the Institute of Illinois Alumni Association General Policy and Guidelines and represent the Alumni Association's "Charter" for the Office of Institute Audits.
General Policy
The Council is committed to a program of internal auditing designed to test the effectiveness of internal control.
Guidelines
The internal audit program is conducted by the Office of Institute Audits.
CONFIDENTIALITY
Definition
Confidential information is information of a proprietary or sensitive nature about the Institute of Illinois, its students, contracted agents, and employees.
Policy
Internal auditors respect the value and ownership of information they receive and do not discuss information without appropriate authority unless there is a legal or professional obligation to do so.
Confidential information acquired by audit staff through their employment is considered to be privileged and must be held in strictest confidence. Audit staff shall be prudent in the use and protection of information acquired in the course of their duties. It is to be used solely for Institute purposes and not as a basis for personal gain by the audit staff, or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the Institute.
Confidential information is transmitted only to those persons who need the information to discharge their duties as Institute employees or audit staff. Any other dissemination of workpaper or correspondence contents must be approved by the appropriate Director. Any dissemination without authorization will be considered serious misconduct and could result in suspension or dismissal.
Prior to disposal, all paper documents generated in the course of performing audit work must be shredded.
The following standard e-mail disclaimer must be used for all messages distributed outside of the audit office:
This electronic mail message and any attached files contain information intended for the exclusive use of the individual or entity to which it is addressed and may contain information that is proprietary, privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distribution of this information may be subject to legal restriction or sanction. Please notify the sender, by electronic mail or telephone, of any unintended recipients and delete the original message without making any copies.
Report Security and Control
Access to audit reports and management communications is restricted to authorized audit staff. Audit reports are available to all audit staff from the electronic copies maintained on the Office of Institute Audits computer network.
Illinois statute exempts certain audit information from being available for public inspection and copying.
Illinois Compiled Statutes Chapter 5 General Provisions
140. ILLINOIS FREEDOM OF INFORMATION ACT
7. Exemptions from inspection and copying (effective July 1, 1984).
(1) The following shall be exempt from inspection and copying:
...
(n) Communications between a public body and an attorney or auditor representing the public body that would not be subject to discovery in litigation, and materials prepared or compiled by or for a public body in anticipation of a criminal, civil or administrative proceeding upon the request of an attorney advising the public body, and materials prepared or compiled with respect to internal audits of public bodies. [Emphasis added]
Due to the sensitive and confidential nature of our audit reports, all efforts should be made to keep reports protected from public disclosure. Audit reports should not be voluntarily disclosed outside of the Institute and should only be released at the express direction of the President or upon presentation of a valid court order. The following restriction on distribution is to appear in all audit reports:
This report is for the use of (URO) and the (Institute, Foundation, Alumni Association) administrators only and should not be distributed outside the (URO) or the (Institute, Foundation, Alumni Association) without permission of the (President of the [URO] or the President of the Institute).
If the President directs release of an audit report, we should encourage the release of an "Executive Summary" of the audit report rather than the report itself in order to help maintain the non-disclosure shield afforded by statute. The "Executive Summary" should not reference the specific audit, so as to preserve the intent of the law. In addition, when presented a valid court order, audit management should seek an agreement between parties in litigation to keep our work product confidential prior to and subsequent to any court action. This agreement should be sought with the assistance of Institute Counsel. Voluntary distribution of an audit report outside the Institute negates our Freedom of Information Act (FOIA) exemption.
To ensure our exemption provided under FOIA, Institute Audits will require authorized review of reports or workpapers by an outside party to be performed in our office, under our control as to access, review, and notes taken by the outside party. It is our policy to not permit removal of documents, or copies thereof, from our office.
Some audits may be performed under the direction of Institute Counsel as a matter of attorney-client privilege. Audits are performed this way solely for the purpose of assisting Institute Counsel in assessing issues. As a result, all information learned, documents or notes created, and communications prepared may be entitled to legal protection from disclosure. Investigations and other sensitive audits may benefit from this privilege, and audit management should make requests of Institute Counsel when appropriate.
Office staff is prohibited from providing public comment on Institute matters. Any media contact should be referred to Public Affairs (UIUC - Office of Public Affairs, UIC - Office of Public Affairs, UIS - Campus Relations). The Office staff should immediately inform their Director who shall inform the Executive Director.
Confidentiality Statement
On the first day of employment staff must sign the following statement. (Statement should be on office letterhead in memo format.)
TO:
FROM: (Audit Management)
DATE:
SUBJECT: Confidentiality
During the course of any job duties, employees of the Office of Institute Audits may have access to information that is sensitive, nonpublic, or protected by Federal or State privacy statutes. All information contained in audit workpapers and audit reports or disclosed to audit staff is confidential.
It is the policy of the Office of Institute Audits not to disclose to anyone outside the Institute the contents of any audit workpapers, audit reports, or other information made available by the Institute of Illinois. Disclosure within the Institute will be only for job-related purposes and only to those who, in the audit staff's judgment, have a need to know.
I have received, read, and understand the Office of Institute Audits' confidentiality policy. I understand that it is a condition of my employment to adhere to the confidentiality policy, and that violation of this work rule may result in disciplinary action including dismissal.
_______________________    ____________________
Signature                  Date
INDEPENDENCE
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. The objective of internal auditing is to assist members of the organization in the achievement of the organization's goals and objectives. To this end, internal auditing furnishes them with independent appraisals, analyses, and counsel concerning the activities reviewed.
In order for the desired results to be realized, internal auditing must perform their work fully and objectively, that is, be independent of the activities they audit. They must have no authority over or responsibility for the activities they audit.
In order to maintain independence and objectivity, staff members will not be assigned audits involving the following instances:
1. Any situation in which a conflict of interest or bias is present or may reasonably be inferred.
2. Any situation that involves a member of the auditor's immediate family.
3. Any activity that the auditor previously performed or supervised unless a reasonable period of time has elapsed.
If through your actions or state of mind your audit objectivity is or can be inferred to be impaired, notify audit management immediately. To assist in recognizing potential or perceived areas of conflict of interest, an Auditor Independence form will be completed by auditors on the first day of employment and annually thereafter. (Statement should be on office letterhead in memo form.)
OFFICE OF INSTITUTE AUDITS ORGANIZATION CHART
Council of Trustees Audit, Budget, Finance, and Facilities Committee
President
Vice President and Chief Financial Officer
Julie A. Zemaitis, Executive Director, CPA
Microcomputer Support Specialist II: Eduardo R. Mascorro
Data Analyst Auditor: Maureen L. Sorensen (75%), CPA, CIA, MAS
Continuous Auditing Program
Urbana-Champaign, Springfield, Institute of Illinois Foundation and Institute of Illinois Alumni Association
Chicago
Information Technology
Neal F. Crowley, Director, MBA, CPA, CIA, CFE
Darla J. Hill, Director, CPA, CIA, CFE
Gene V. Fruit, Director, CISA, CIA, MBA
Healthcare Auditors: Pelagija (Gia) Milenkovic; Open Position; Open Position
Enterprise-wide Auditors: Lea Fox; Lataunia Green, MBA; Jeffrey N. Mina, CPA
Enterprise-wide Auditors: Ryan P. Holmes, CPA; Jessica L. Hoppe, CIPA, CIA; Carla N. Jones, CIA, Ed.M.; Kevin G. Jones, CPA, CIA; Sandra G. King (80%), CIA, MBA; Teri A. Travis, CPA, CIA; Jill M. Verdeyen, CPA
Information Technology Auditors: Andrew M. Mosio, CISA; Jared E Ross, CISA, CIA
The Office of Institute Audits reports functionally to the President of the Institute and the Institute of Illinois Council of Trustees through its Audit, Budget, Finance, and Facilities Committee.
The Office of Institute Audits reports administratively to the Comptroller of the Council of Trustees, who is also the Vice President and Chief Financial Officer.
Certifications and Advanced Degrees held by Members of the Office of Institute Audits
Professional Certifications
10 CIA - Certified Internal Auditor
10 CPA - Certified Public Accountant
3 CISA - Certified Information Systems Auditor
2 CFE - Certified Fraud Examiner
Advanced Degrees
4 MBA - Master of Business Administration
1 MAS - Master of Accounting Science
1 Ed.M. - Master of Education
QUALITY ASSURANCE
General
The establishment and implementation of a quality assurance and improvement program for the Office is required by the Standards. The objective of the program is to ensure achievement of audit objectives, performance of audits in accordance with applicable standards, and development of staff.
Internal Assessments
Internal assessments can provide both quality assurance to audit management and training for the staff. The assessments can be done regularly or intermittently. The assessments are appraisals of how well auditors and supervisors have complied with the Standards and Office policy. They encompass the work of both staff and audit management and are an evaluation of a sample of audit working papers and reports. The assessments should also provide recommendations for improvement. The internal assessments should typically be performed by an experienced auditor, audit management, or combination thereof.
External Assessments
The purpose of the external assessments is to provide an independent assurance of quality to the Office management and staff, Institute management, the Council of Trustees, and others such as external auditors who may rely on the work of the Office.
In compliance with The IIA Standards and the State of Illinois Internal Audit Advisory Council Peer Review Program Bylaws, an external assessment of the Office will be performed every five years to appraise the quality of the Office's operation. Upon completion, the Office will receive a formal, written report expressing an opinion as to the Office's compliance with the Standards and will include recommendations for improvement as appropriate.
AUDIT PLANNING
ANNUAL AUDIT PLANNING
Overview
The Executive Director has the responsibility to develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management. In accordance with IIA Standards, the annual audit plan is based on an annual risk assessment, and includes the input of senior management and the Council of Trustees through its Audit, Budget, Finance, and Facilities Committee.
The Fiscal Control and Internal Auditing Act requires the plan to cover two years and be approved by the President by June 30 of each year.
Key Elements of the Risk Assessment Process
Risk Categories
Categories of risk we assess include the following:
• Financial - Financial risks deal with the accounting for internal controls over and reporting of financial transactions, including assets, liabilities, revenues, and expenditures.
• Compliance - Compliance risks deal with the adequacy of a unit's system to ensure compliance with applicable laws, regulations, and policies.
• Operational - Operational risks deal with deficiencies in a unit's effective and efficient use of resources.
• Reputational - Reputational risks deal with issues that may not be significant from a financial, compliance, or operational perspective, but could have a potentially negative public perception impact.
• Safety - Safety risks include events, situations, or other circumstances that have the potential to cause harm to individual(s), including employees and/or the public.
Key Elements of the Risk Assessment Process
• Define the Audit Universe
• Identify Major Risks
  o Data Analytics
  o Key Stakeholder Interviews
• Consider Other Factors
  o External Audit Findings
  o State Statutorily-Required Elements of Plan
  o Higher Education Industry Issues
• Develop Audit Plan Based on Assessed Risks
AUDIT PROCESS
OVERVIEW
Types of Audits
Internal control audits determine whether the unit is conducting its financial and business processes under an adequate system of internal control, as required by Institute policy and guidelines and good business practice.
Compliance audits determine the adequacy of a unit's system(s) designed to ensure compliance with Institute policies and procedures and external requirements. Examples of external requirements include donor intent, federal and state laws and regulations, National Collegiate Athletic Association legislation, and Big Ten Conference legislation. Audit recommendations typically address the need for improvements in procedures and controls intended to ensure compliance with applicable regulations.
Financial audits address the accounting for, and reporting of, financial transactions, including commitments, authorizations, and receipt and disbursement of funds. The purpose of this type of audit is to verify that sufficient controls exist over assets, liabilities, revenues, and expenditures and that there are adequate controls over the acquisition and use of resources.
Information technology (IT) audits address the internal control environment of automated information processing systems and how people use those systems. IT audits typically evaluate system input, output, and processing controls; backup and recovery plans; system security; and computer facilities.
Operational audits examine the use of unit resources to evaluate whether those resources are being used in the most efficient and effective ways to fulfill the unit's mission and objectives. An operational audit can include elements of a compliance audit, a financial audit, and an IT audit.
Investigative audits focus on alleged civil or criminal violations of state or federal laws or violations of Institute policies and procedures that may result in prosecution or disciplinary action. Allegations of theft or misuse of Institute assets, white-collar crime, and conflicts of interest are examples of issues addressed by investigative audits.
Consulting projects may range from formal engagements, defined by written agreements, to advisory activities, such as participating in standing or temporary management committees or project teams.
This section of the manual explains the steps for conducting an audit from the initial assignment through fieldwork. Similarly, the reporting and follow-up processes are covered in a separate section of the Manual. A flowchart of the audit process follows.
[Flowchart of the audit process. Box labels, in the order extracted: Annual Audit Plan; Director Initiates Audit; Risk Assessment by Auditor(s); Audit Procedures (including audit objective and scope); Opening Conference; Perform Fieldwork; Audit Observation Form(s); Discuss with Director and Auditee; Send Letter of Intent (via E-mail); Complete Workpaper (by Section); Director Reviews Workpapers; Complete]
AUDIT ASSIGNMENT
Each year, a two-year audit plan of Institute audits is submitted by the Executive Director of Institute Audits to the President of the Institute and the Chairman of the Budget and Audit Committee of the Council of Trustees for approval. Similar two-year audit plans are also prepared for the Presidents and Chief Executive Officers of the Institute of Illinois Foundation and Institute of Illinois Alumni Association.
Assigning the Audit
Each Director assigns audits to each individual auditor on their staff. The Completion Table within AutoAudit is completed by the auditor and any planning comments are noted. Information is provided to the auditor including the preliminary objectives, general scope of the audit, and any additional information that is needed (reference material available, what to watch for in certain tests, problems noted during other audits, information about who requested the audit and why, the area of responsibility, etc.), so the auditor can begin the risk assessment process.
Auditee Notification
The Director will notify the auditee via e-mail, prepared by the auditor, that an audit of their unit has been scheduled. The message should explain that the auditor will contact the auditee to arrange an opening conference.
The auditor will draft the email using the template "Format for Letter of Intent E-mail" in AutoAudit's Standard Library (Maintenance Menu, Standard Library Menu, Audit Formats view).
The template of the Letter of Intent Memorandum is in the Standard Library section of Auto Audit.
RISK ASSESSMENT PROCESS
The risk assessment process is our identification and analysis of risk for an audit. It begins with the draft audit objective(s), the hours budgeted for the project (included in the Two-Year Plan), and any other information provided by audit management.
Research is performed during the planning process to increase the auditor's efficiency.
The following sources of information are considered during the risk assessment process to increase audit efficiency:
• Review Controls Assessment Tool (CAT) results -- From the most recent risk assessment survey of the unit (performed by the Office of Institute Audits on a four-year cycle).
• Perform an analytical review of all the BANNER accounts (balances and activity) for the unit under review.
• If the unit has self-supporting funds, obtain and review copies of the Fact Sheets, the LAC-1 (LAC stands for Legislative Audit Commission) schedules or the deferred revenue information sheets (UIS only, and only if deferred revenue is involved) sent to the Accounting Division by the unit at year-end.
• If the unit has Service Plan accounts, obtain and review copies of the LAC-2 schedules (Balance Sheet Questionnaires) (UIC only) sent to the Accounting Division by the unit at year-end.
• Continuous Auditing Issues Identified (located in the Red Tab of Auto Audit, Continuous Auditing section).
• The Unit's most recent Strategic Plan, if applicable.
When applicable, the following documentation should be reviewed or considered.
• Review previous internal audit reports and audit workpapers. These workpapers can assist in further developing the audit scope and procedures. The previous audits' workpapers also facilitate follow-up during the current audit.
• Review previous reports from the External Auditors' Compliance and/or Financial audits.
• Consult with other audit staff that have been involved in similar audits or are familiar with this unit or subject matter.
• Consult with auditors from other Universities/Organizations -- Others who have audited or are familiar with an Institute operation/system or specialized subject matter may be consulted for technical assistance, answers, and ideas.
• Consult with technical experts to learn about a technical subject or to request technical assistance/guidance in a new or specialized subject matter or area.
• Review Library Database Searches -- Searches are available from Institute and other local libraries and can be useful in audits of specialized or technical areas/subjects.
• Review the OBFS Business and Financial Policies and Procedures manual -- This manual contains policies and guidelines in the area of business and finance.
• Review Campus Administrative Manual (UIUC only) -- This manual supplements Institute and campus policy for administrative staff.
• Review Executive Notices (e.g., Provost Communications).
• Review ACUA Internal Control Questionnaires and Audit Guides -- Available for various college and Institute operations and systems.
• Review Federal and State Regulations -- Regulations governing the Institute of Illinois' operations are contained in the Code of Federal Regulations and the Illinois Compiled Statutes.
• Review accounting/auditing technical guidance (e.g., GARS).
• Review applicable campus Academic Staff Handbooks:
  http://www.ahr.illinois.edu/ahrhandbook/default.html -- UIUC
  http://www.uic.edu/depts/oaa/policies_proced.html -- UIC
  http://www.uis.edu/academicstaffhandbook/ -- UIS
• Review applicable Course Catalogs (for reviews of academic units).
• Review AICPA Guide to Audits of State and Local Government.
• Review Institute Statutes, Bylaws, and General Rules -- Concerning Institute Organization and Procedures.
• Review State Universities Civil Service System Statutes and Rules -- Sections of the Illinois Compiled Statutes, and the Illinois Administrative Code pertaining to the State Universities Civil Service System.
• Review Policy and Rules for Civil Service Staff -- Provides uniform guidelines for the management of the Civil Service staff of the Institute.
• Review Council of Trustees agenda items/minutes (for UROs, review URO Council meeting minutes).
• Review Comptroller's Statewide Accounting Management Systems (SAMS) -- This manual documents the fiscal policies, accounting principles, controls, operating procedures, and reporting requirements for the Uniform Statewide Accounting System.
• Review Campus Telephone Directory -- The telephone directory provides general information and is useful in determining the reporting structure (for example, the "Official Lists" section of the UIUC Student/Staff Directory includes All-Institute Organization, Institute Officers, Council of Trustees, UIUC Organization, Campus Officers, and abbreviated information for UIC and UIS).
• Review Legislative Audit Commission Institute Guidelines.
• Other relevant materials as deemed necessary.
A flowchart of the risk assessment process is provided to further illustrate the process.
Using professional judgment and available information, determine the most appropriate audit objective(s) and scope (e.g., statement of audit boundaries).
Consider:
• The unit's mission and objectives.
• The organizational structure of the unit and the related campus or Institute Administration structure from reviewing the unit's organization chart.
• The probability of significant errors, irregularities, noncompliance, and other exposures that would adversely affect the unit's operations and/or their ability to efficiently and effectively accomplish their objective or would adversely affect the Institute's overall mission/objective.
• Key financial and administrative data relevant to the audit from BANNER or other unit reports.
• Unit, campus/Institute, and other applicable standards (e.g., NCAA Legislation, JCAHO standards) for measuring critical functions.
• Control processes to monitor critical functions for compliance with established standards.
• Issues and concerns raised in prior audits of the unit.
Determine the audit procedures needed to gather sufficient, competent, relevant, and useful evidence to accomplish the established objective(s).
Based on the information gathered above, select the appropriate audit approach. Consider:
• The evidence necessary to reach conclusions on audit objectives.
• The tests and other procedures to be performed to gather the required evidence.
• The objectives, steps, and procedures so that the high risk processes are performed first. This will assist the auditor in keeping focused on completing the audit by developing sufficient information to report on the audit early in the process. If necessary, the audit can be ended (e.g., as a result of revised objectives, budget changes, new audit requests), before all of the originally anticipated procedures are performed.
Prepare audit procedures and submit for audit management's approval. If the objective and scope warrants a change in the budgeted hours, the auditor should submit to audit management a justification for the change. Approved changes would be reflected in the Overview.
The appro!ed audit o%&ecti!e(s$ scope$ and %ud"et should %e constantly reassessed throu"hout
the audit process to ensure efficient use of audit resources (e#"#$ should the remainin" audit steps
%e eliminated$ should the o%&ecti!e or scope %e limited or e:panded$ ha!e more efficient
procedures %een identified$ or should additional hours %e allocated# If$ throu"h this constant
reassessment$ si"nificant chan"es are made to the o%&ecti!e andFor scope communicated in the
openin" conference$ the chan"es should %e communicated to the auditee# In addition$ ideas for
future audits identified durin" the audit should %e documented in AutoAudit in Audit
+%ser!ation forms with the disposition of future audit concern#
ANNUAL PROCEDURES
Audit Procedures
The purpose of audit procedures is to provide detailed audit steps to be performed during the
audit fieldwork that will achieve the specific audit objectives. In conjunction with the risk
assessment, audit procedures will be developed by the auditor and approved by audit
management prior to performance of the audit procedures. If, subsequent to the approval of audit
management, a decision is made not to perform one or more of the procedures, a note
documenting the reasons for the decision should be included in the audit procedures.
The specific objectives of any audit will address one or more of the following general
management objectives:
• Risks are appropriately identified and managed.
• Interaction with the various governance groups occurs as needed.
• Financial, managerial, and operating information is accurate, reliable, and timely.
• Employees' actions are in compliance with Institute policies and procedures, and applicable
laws and regulations.
• Resources are acquired economically, used efficiently, and adequately protected.
• Plans and objectives are achieved.
• Quality and continuous improvement are fostered in the Institute's control process.
• Significant legislative or regulatory issues impacting the Institute are recognized and addressed
appropriately.
During the course of the audit, conditions may arise which warrant revising the audit procedures,
scope, or budgeted hours. The auditor should evaluate the situation, make timely
recommendations to audit management, and obtain approval before incorporating any changes.
Audit procedures should be organized in the following manner:
Audit Procedures    Results/DocLink    Initials
Audit Objective:
Scope:
Audit Step 1:    Conclusion:
                 Procedures Performed
Audit Step 2:    Conclusion:
                 Procedures Performed
Audit Step 3:    Conclusion:
                 Procedures Performed
Internal Control Audits
Standard procedures have been devised for internal control audits and can be found in the
Maintenance Menu, Standard Library of AutoAudit.
Auditors may access these standard procedures through the "Completion Table" workpaper in
AutoAudit. (Under the "Audit Procedures" section, choose "View Standard" to access a list of
these standard procedures.)
OPENING CONFERENCE
The opening conference should be held to gather information about the mission, critical
processes, and control procedures of the unit. The auditor uses this information in the risk
assessment process to determine an appropriate objective and scope for the audit. Under some
conditions, the objective and scope may be predetermined. The auditor should prepare an
opening conference e-mail confirming the appointment. The e-mail should briefly state the
announcement of the audit; the date, time, and place of the opening conference; the purpose of
the opening conference; and the desire to resolve any questions regarding the tentative draft
objective and scope.
Audits with a surprise component, such as investigative audits, cash counts, etc., may not have
an opening conference.
The opening conference is an important step in a regular audit. It is an opportunity to establish
the proper tone and to begin building good relationships. Explain the "who, what, where, when,
why, and how" for those who have not been exposed to the audit process.
During the opening conference:
1. Provide and discuss the Office brochure (first-time auditee, optional afterward).
2. Explain the audit focus.
3. Emphasize that the purpose of an audit is to help improve Institute of Illinois controls and
operations.
4. Review the objective(s) and scope of the audit, encouraging management to discuss any aspect
of the audit.
5. Ask for suggestions of potential auditee problem areas within the audit scope. This
communicates an intention of being helpful rather than critical.
6. Determine what assistance from personnel other than those attending the opening conference
is needed to answer detailed questions concerning the functions to be performed. Contact should
be made via the "Chain of Command" until an understanding with the appropriate manager is
established.
7. Explain how audit concerns (observations) are handled. Explain that concerns will be
reviewed with the designated auditee at the time they arise and identify who will be responsible
for reviewing the audit concerns. Explain that the purpose of discussing each audit concern is to
verify that both the facts defined in the concern and the impact of the concern are accurate. Some
findings may be resolved verbally.
8. Establish how frequently the department head/director wants to be updated on audit progress
and findings.
9. Explain we will review the draft audit report in detail at the exit conference.
10. Explain that a copy of the final audit report will be sent to their reporting line up to and
including the Chief Financial Officer and the President.
11. Inquire about working hours, working area, access to records, and any other information that
details the office routines. This information may have considerable influence on the cooperation
extended to the audit staff.
12. Identify information needed to complete the audit procedures.
13. Establish a tentative schedule for the audit process.
14. Ask if there are any questions concerning anything discussed at the opening conference or
any questions in general about the auditor or audit approach that will assist the auditees in their
understanding of the audit project.
15. Inquire as to any areas within their operations that they feel are more susceptible to fraud or
over which they have concerns.
16. Ask about any fraudulent activity that has occurred in the unit within the last two years.
Effective communication at the beginning of the audit can materially influence the tone in
which the entire audit is conducted.
OPENING CONFERENCE MINUTES
The Opening Conference's date, attendees, and substantive items discussed which are directly
related to audit scope, objectives, timing, or confidentiality should be documented in the
workpapers and DocLinked to the Key Activities document. Such items may include possible
reorganizations of the unit, auditee requests for delaying the audit due to poor timing or unusual
circumstances, special concerns of the auditee, etc. If such items were not part of the opening
conference, nothing more than the date and attendees is required.
The templates of the Opening Conference Email and Opening Conference Discussion Items are in
the Standard Library section of AutoAudit.
FIELDWORK
Definition and Purpose
Fieldwork is the process of gathering evidence and analyzing and evaluating that evidence as
directed by the approved Audit Procedures. The audit objectives and procedures should be
performed so that the most important and significant audit steps are completed first. Conclusions
on audit objectives will form the basis for an audit opinion. Workpapers, including Audit
Observation Forms, should be forwarded for review by audit management upon completion of a
meaningful section of the audit rather than waiting until all fieldwork is completed.
Throughout fieldwork, professional judgment should be used to: a) determine whether evidence
gathered is sufficient, relevant, competent, and useful to conclude on the established objectives;
and b) based on the information available, reassess the audit objectives, scope, and procedures to
ensure efficient use of audit resources (e.g., should the remaining audit steps be eliminated,
should the objective or scope be modified, have more efficient procedures been identified, or
should additional hours be allocated to achieve an expanded audit objective). Document changes
in audit objectives, scope, and procedures in the workpapers.
Fieldwork includes:
1. Gaining an understanding of the activity, system, or process under review and the prescribed
policies and procedures, supplementing and continuing to build upon the information already
obtained in the risk assessment process.
2. Observing conditions or operations.
3. Interviewing people.
4. Examining assets and accounting, business, and other operational records.
5. Analyzing data and information.
6. Reviewing systems of internal control and identifying internal control points.
7. Evaluating and concluding on the adequacy (effectiveness and efficiency) of internal controls.
8. Conducting compliance testing.
9. Conducting substantive testing.
10. Determining if appropriate action has been taken in regard to significant audit concerns and
corrective actions reported in prior audits.
Standards for documenting fieldwork (e.g., the evidence gathered, the analyses made, the tests
performed, to support the findings and conclusions) are presented in the sections Workpapers and
Audit Observations. In general, all audit work performed should be documented. Each audit
procedure should be supported by and have DocLinks to workpapers (schedules, memos,
spreadsheets) on which testing performed and results achieved are documented.
Fieldwork should be performed at the auditee's location to facilitate communication with the
auditee. The auditor should maintain contact with auditee management and keep them informed
of the audit observations and other developments throughout the audit. They may be able to
provide additional information or may wish to adopt procedures quickly to rectify deficiencies.
WORKPAPERS
Introduction
The auditor documents the work performed in AutoAudit. The workpapers serve as the
connecting link between the audit assignment, the auditor's fieldwork, and the final report.
Workpapers contain the records of the planning and risk assessment process, audit procedures,
fieldwork, and other documents relating to the audit. Most importantly, the workpapers
document the auditor's conclusions and the reasons those conclusions were reached. The
disposition of each audit observation identified during the audit and its related corrective action
should be documented on an Audit Observation Form within AutoAudit. Workpapers should be
completed throughout the audit. As each meaningful section is completed, the auditor should
submit the related workpapers for review. The workpapers provide a basis for evaluating the
Office's quality assurance program and demonstrate the Office's compliance with The
Institute of Internal Auditors' International Standards for the Professional Practice of Internal
Auditing.
Workpapers should be economical to prepare and to review. It is easy to include every scrap of
information and every form in the workpapers. However, the workpapers then become a
confused mixture of data that is difficult to assimilate and use. Workpapers should be complete
but concise--a usable record of work performed. Auditors should include in their workpapers
only what is essential; and they should ensure that each workpaper included serves a purpose that
relates to an audit procedure. Workpapers that are created and later determined to be unnecessary
may be deleted.
Among other things, workpapers may include:
• Planning documents and audit procedures.
• Controls questionnaires, flowcharts, checklists, and narratives.
• Notes and minutes resulting from interviews.
• Organizational data, such as charts and job descriptions.
• Copies of important documents.
• Information about operating and financial policies.
• Results of control evaluations.
• Letters of confirmation and representation.
• Analysis and test of transactions, processes, and account balances.
• Results of analytical review procedures.
• Audit reports and management responses.
• Audit correspondence that documents the audit conclusions reached.
Workpapers should be clear and understandable. The auditor should keep in mind that other
people will examine and refer to the workpapers. The workpapers should not need any
supplementary information and should stand alone. An experienced auditor reviewing the
workpapers, without referring to documents outside of those included in the workpapers and
without asking questions, should be able to identify what the auditor set out to do, what they did,
what they found, and what they concluded. Conciseness is important; but clarity should not be
sacrificed just to save time and space.
SCANNED DOCUMENTS
Scanned documents should include a reference to the source and the purpose of the document
when relevant to understanding or appreciating the actual audit work performed. Such
information needs to be included only when it is not provided elsewhere in the workpapers or
apparent by the actual document.
WEBLINKS
When using references to websites in auto workpapers, to help ensure the site can be readily
accessed in the future, both the name of the site and a hotlink to the website should be included.
If specific information from a website was referenced (e.g., Federal Register, IRS publications,
various guidelines), the webpage should be saved to a file and attached to the workpapers.
TICKMARKS
Tickmarks do not need to be standardized throughout the set of workpapers, but must be
consistent throughout a particular workpaper. Tickmark explanations must be a part of the
workpaper.
DOCLINKS (CROSS-REFERENCING)
Workpapers should be prepared using the appropriate DocLinks (cross-referencing). A DocLink
from the Audit Procedures to the primary workpaper provides a reference to where the work was
performed. It is not necessary to DocLink all workpapers to the Audit Procedures - only the
primary workpaper. The primary workpaper will then contain DocLinks to other, supporting
workpapers, which provide additional information regarding the audit procedures performed,
results, conclusions reached, and audit observations.
DocLinks should be used to reference information useful in more than one place or to other
relevant information including the source of information, composition of summary totals, or
other documents or examples of transactions. Documents/information should be in the
workpapers only once.
STANDARD WORKPAPERS
Auditor
The auditor should conduct a review of the workpapers prior to submission to the appropriate
member of audit management to determine whether they are relevant and have a useful purpose,
evidence the audit work performed, and sufficiently support the audit findings. In addition, the
auditor should ensure the conclusions reached were reasonable and valid, and that Office
workpaper standards were followed. The auditor should review all comment forms to be certain
that all issues have been resolved within the workpapers since the comment forms will not be
retained. All other information obtained during the audit should be reviewed to determine
whether all documentation relevant to the audit has been included in the audit workpapers.
Documentation obtained and not relevant to the audit should be returned/destroyed upon the
completion of the audit.
Audit Management
Approval should be documented at the time the risk assessment process, audit procedures, and
workpapers are reviewed. This approval is recorded by using the approval function within
AutoAudit. It is important to document appropriate and timely management supervision. All
workpapers should be independently reviewed to ensure there is sufficient evidence to support
conclusions and all audit objectives have been met. A comprehensive review will be conducted
by audit management before approving the draft audit report.
Audit management will:
• Determine compliance with workpaper guidelines.
• Review the risk assessment process to ensure that objectives are defined.
• Review the audit procedures to ensure that they are adequate to accomplish the objectives.
• Review the referenced workpapers to ensure they support the procedures performed and all
procedures have been completed.
• Determine that the workpapers adequately document the conclusions reached in the report.
• Confirm that all observation forms prepared have been discussed with the appropriate member
of management, and that the disposition of the audit concern is documented.
Document review comments by using the comment form within AutoAudit. When review
comments have been satisfactorily cleared in the audit workpapers, audit management will
remove the comments from the workpapers.
Upon completion of the Audit Report Checklist audit management will close the audit in the
AutoAudit Overview document using the current date.
FILING AND PROTECTION OF WORKPAPERS
All workpapers are the property of the Office of Institute Audits and are considered confidential.
Workpapers often contain sensitive information or data that must be protected from unauthorized
use or review. (See section on Confidentiality.)
WORKPAPERS RETENTION POLICY
All electronic workpapers are to be retained by the Office of Institute Audits subject to the
retention requirements below:
1. Audit workpapers are maintained on the production file until audit management deems no
pending items related to the audit remain. Audit workpapers are then moved to an AutoAudit
archive file for the year the audit was established. Workpapers on the AutoAudit archive file are
retained 10 years. Workpaper retention should be destroyed after 10 years unless workpapers
related to a lawsuit inactive less than 10 years are included on the electronic media.
2. Each annual AutoAudit archive file of audit reports will be moved to electronic media (tape,
CD-Rom) 10 years after the end of the fiscal year of report publication. This media will be given
to the Archivist 10 years after reports are moved to this media and 20 years after the year of
report publication.
3. Audit management must ensure any investigative audit reports on the tape or CD-Rom media
to be given to the Archivist have had no active lawsuits in the past 10 years.
AUDIT OBSERVATIONS
Overview
The auditor should complete an Audit Observation Form (AO) whenever the auditor identifies a
possible (a) opportunity for operational improvement, (b) discrepancy, (c) error, (d) irregularity,
(e) weakness or (f) deviation from internal control standards, regulations, or policies. Prior audit
reports and linked AOs should be reviewed and used to the extent possible to avoid re-creating
an AO already developed.
At the time the auditor realizes they have an audit concern, they should begin to complete the AO
and discuss the observation with the auditee. This discussion should be documented in the
applicable fields of the AO. The AO should stand-alone and should document the auditor's
analysis (criteria, condition, cause, consequence, and corrective action) related to the finding;
this information should not be located elsewhere in the workpapers. The workpaper where the
work was performed which resulted in the observation and supporting workpaper references
should be DocLinked to the AO in the space provided. Documenting the analysis assists the
auditor in preparing to discuss the observation with the auditee.
The AO should document the results of the problem analysis/resolution process. The form is not
a step-by-step recipe for doing the work itself, because problem analysis/resolution is not a linear
process. Simply completing the form is not a substitute for critical analysis of the situation. The
auditor should answer such questions as the following:
• What is the problem that exists?
• How extensive is the problem?
• What is the risk associated with the problem, or lack of controls?
• Do we have our facts correct? Does the auditee agree that the problem exists?
• Are there other controls to compensate for the problem?
• Are there practical solutions to the problem?
• Has management agreed with our recommended corrective action or formulated their own
corrective action?
Since the AOs contain the auditor's professional analysis of audit concerns, they are among
the most important workpapers created.
Aspects of the Audit Observation Form
Finding - Description of Observation [Condition]
This section of the AO should contain a clear and concise statement of the condition. This
sentence will be the only explanation of the problem in the final report. The statement should be
concise but provide enough detail to support the reader's understanding of the problem.
Per the IIA Standards, "Condition: The factual evidence that the internal auditor found in the
course of the examination (what does exist)."
Discussion and Background - Analysis of the Audit Finding [Criteria and Cause]
The auditor should document the analysis of the problem in this section. References to applicable
standards and/or good business practice should be included. If possible, the auditor should
FOLLOW-UP
Follow-up
Corrective action is subject to follow-up in accordance with the Standards for the Professional
Practice of Internal Auditing of the IIA. All corrective action with expected implementation
dates past due or due within 30 days appear in AutoAudit.
Follow-up Process
Objective
The objective of the follow-up process is to determine whether the audit concern has been
adequately addressed. When follow-up is performed, the auditor will find one of the following
situations:
• Implemented--the concern has been adequately addressed by implementing the original
corrective action or the concern has been adequately addressed by implementing an alternate
corrective action.
• Withdrawn--the concern no longer exists because of changes in the unit's processes.
• Open--the corrective action has been initiated but is not complete; or the concern has not been
addressed (if the auditor believes that the unit fully intends to address the concern, a new
expected completion date should be entered).
• Not Implemented--if the auditor concludes that management does not intend to implement the
recommendation, notify audit management.
Performance
Audit evidence in accordance with the IIA Standards is to be applied to follow-up work. Internal
auditors should ascertain that actions taken on audit findings remedy the underlying conditions.
The auditor's recommendation regarding the status (i.e., Implemented, Withdrawn, Not
Implemented) should be documented in the Follow-up field on the Observation form.
The auditor must send the AO to audit management for review using the Request Review
function.
Communication of Follow-up Results
Unit
Follow-up results should be communicated by the auditor to the management team associated
with the concern. If the audit concerns have been adequately addressed, a verbal or e-mail
notification to the unit head is sufficient. If the concerns have not been adequately addressed, a
meeting or more formal communication may be required.
Reporting "Not Implemented" Corrective Action
On a quarterly basis, the Executive Director reports to Institute management the corrective action
items where follow-up was performed and the "Disposition" remains "Open." On an annual
basis, Institute management is notified of all "Open" corrective action. Follow-up, and
discussions with Institute management, will continue until the corrective action is resolved, or
the risk of continuing the current practice is accepted by Institute management.
Statistics of the follow-up process for all Institute audits are provided to the following Councils
in the Annual Reports to their organizations:
• Budget and Audit Committee of the Institute of Illinois Council of Trustees
• Audit Committee of the Institute of Illinois Foundation
• Audit Committee of the Institute of Illinois Alumni Association