Frequently Asked Questions
The Office of Internal Audit provides an independent and objective review to the University by examining activities for compliance with applicable policies, regulations, procedures, and laws. The office issues reports to communicate the effectiveness of accounting, financial, security, and other controls.
Once an audit has been scheduled, the audited unit can prepare by organizing some information pertinent to their unit. Standard information that is requested includes:
- Current organization chart with staff names and positions
- Contact information for the key audit contacts
- Written procedures and other authoritative guidance
- Reports or other resulting documentation from prior reviews
- The results from the unit’s most recent risk assessment.
The auditor will contact you during the planning stage of the audit in order to gather your input on risks that are relevant to the audit and schedule fieldwork. The exception to this would be surprise cash counts of petty cash or change funds.
The length of each audit will depend on the nature and scope of the review. Small audits might be completed within a month, while more complex reviews can last several months. The auditor will communicate the expected timeline with you during the entrance meeting and periodically throughout the audit and reporting process.
Internal Auditors have a professional responsibility per Standard 1220 of the International Standards for the Professional Practice of Internal Auditing “to exercise due professional care in performing audit work to the degree that fraud may be present in activities covered in the normal course of audit work.” Internal Audit will watch for potential fraud risks during the course of the audit activities. However, it is management’s responsibility to identify areas of risk and potential fraud opportunities and take proper action.
The auditor will hold an exit meeting with the audited unit to discuss issues found during the audit. The auditor will seek the audited unit’s agreement or disagreement with each recommendation and is willing to work with the audited unit on revisions to the recommendations if they are compatible in mitigating the identified risk. The draft report is then issued to the audited unit for their response within 10 days. The response will be included in the final report and should contain a corrective action plan and a time estimate for completion of the action plan for each finding.
The final audit report is distributed to the area audited, the area's Vice President, the Vice President for Finance and Administrative Services, the President, and the Board of Regents Audit and Compliance Committee.
The audited united is responsible for implementing the action plans as stated in their formal response to the audit. They are also responsible for cooperating with the auditor during follow-up activities.
Internal Audit has an obligation to University management and the Board of Regents to report progress on implementation of recommendations. The follow-up is scheduled shortly after the implementation deadline for each action plan provided by management in the formal response to the audit. On occasion, the auditor will need to wait for a longer duration of time to pass so that there is sufficient data or transactions to test.
There are two objectives for a follow-up audit:
- Verify that the action plan was implemented as stated in the formal response.
- Verify that the action plan is operating as intended and is mitigating the identified risk.
Each year, Internal Audit begins the process by performing an enterprise-wide risk assessment. This assessment includes gathering input from a variety of sources including senior management, prior internal audit results, and emerging industry risks. Internal Audit strives to direct audit resources to the areas and processes determined to be high risk. The goal is to evaluate and recommend improvements to assist senior administration with managing the risk within these areas and processes.
Audits are scheduled according to the annual plan which is reviewed by the President and approved by the Audit and Compliance Committee of the Board of Regents.
The Board of Regents, the President, and senior management can also recommend areas to be reviewed if a need arises throughout the year.
Internal Audit performs a variety of services. Here are the most common:
- Departmental Audits – The auditor examines a broad range of risks and determines how they are being managed.
- Financial Audits – The auditor verifies that there are sufficient controls over cash and the use of resources.
- Compliance Audits – The auditor tests documents for adherence to laws, regulations, policies, and procedures.
- Investigations – The auditor attempts to learn the validity of allegations received.
- Consulting Engagements – The auditor provides advice on a specific problem that management has asked for assistance in solving.
If you suspect fraud, waste, abuse, or unethical activities, you can report the information to any of the following:
- Your direct supervisor
- Anyone in your chain of command
- Murray State Police Department
- Office of General Counsel
- Human Resources
- Office of Internal Audit
Instructions for filing a whistleblower claim are found here.
The Internal Auditor has access to all records and assets of the University and understands that there is an obligation to maintain the confidentiality of that information.
Good internal controls safeguard or make more efficient and effective use of University assets. They are a good business practice to assist you in achieving your departmental goals and objectives and the University’s mission. Good internal controls are cost effective, timely, and flexible. They are best placed where they are most effective and identify both the problem and the cause. If you do not have a preventive control, evaluate the process to determine if you have a mitigating control such as an after-the-fact review or other detective control that is performed on a regular basis. See the Internal Controls tab on the left for more information.
Senior management is responsible for developing a system of internal controls that all employees should follow. Internal Audit is responsible for assessing and reporting on the effectiveness of the controls implemented by senior management. See the Internal Controls tab on the left for more information.
Each employee has an important role in risk identification and management of risk. This is a critical concept because risks can either help to achieve or reduce the ability to achieve the University’s goals and objectives. Therefore, all employees should be concerned about maintaining good internal controls because they reduce and mitigate negative risks to an acceptable level.
Negative business risks are those circumstances, events, or activities that can adversely affect the achievement of the University’s objectives. Some examples include:
- Misappropriation or unauthorized use of funds or assets
- Receipt of substandard or excess supplies
- Purchases made from suppliers related to buyers
- System-wide IT disruptions
- Negative publicity from confidentiality breaches
Positive business risks are similar, but they have a favorable effect on the achievement of the University’s objectives. Some examples include:
- A higher increase in student enrollment than expected
- Receipt of a grant that requires a change to administrative infrastructure
- Implementation of a new software system
It can often be difficult for small departments to properly segregate specific functions that they perform. For example, if a department has one employee to perform cash receiving and accounts receivable process, it can be a challenge to endure that proper controls exist over these procedures. In situations such as these, management oversight becomes even more important.
Managerial oversight is a strong control in any system. However, in small departments, management will be required to provide more intense, direct oversight than in the larger, well-segregated departments. Management should review all payroll records, receipts, and thoroughly review monthly financial reports and reconciliations. It is also recommended that management indicate their review with a dated signature. See the Internal Controls tab on the left for more information.
Yes. The University engages an external auditor, currently RubinBrown, LLP, to perform the annual financial statement audit and the federally mandated A-133 audit. On occasion, auditors from federal or state agencies may be on campus reviewing sponsored programs or research activities.
Any auditor working on campus should be able to appropriately identify themselves. If in doubt of an auditor, do not provide any documentation, records, or access to assets until the individual provides proper identification. No auditor should be offended by such a request.
The President evaluates the performance of Internal Audit. Additionally, the Audit and Compliance Committee of the Board of Regents receives reports on the progress and results of the audit plan. Every five years, the Office of Internal Audit completes a self-assessment that is followed by an external validation, similar to a peer review, where the office is reviewed against the standards promulgated by the Institute of Internal Auditors International Professional Practices Framework (IIA IPPF). These results are reported to the Audit and Compliance Committee. This is commonly referred to as a Quality Assurance Review and is a major component of the Quality Assurance and Improvement Plan.