WHAT IS AUDIT?
Auditing is the process by which a competent, independent person accumulates and evaluates evidence about quantifiable information related to a specific economic entity for the purpose of determining and reporting on the degree of correspondence between quantifiable information and established criteria. Internal audit is an independent, objective assurance and consulting activity designed to add value to and improve an organisation's operations. It helps an organisation accomplish its objective by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process. The result of the audit is some form of report.
WHAT IS THE FUNCTION OF INTERNAL AUDIT?
The Internal Audit Unit is responsible for planning and performing internal audit at the University. Our audit reviews can provide you with important and useful information. We can help you determine whether there are appropriate internal controls over your administrative processes and/or systems; we can show you ways to improve the efficiency and effectiveness of your administrative processes; and we can recommend improvements in these and other areas.
The Internal Audit staff does this by conducting independent and objective reviews of your department’s operations and procedures. Internal Audit is therefore a managerial control, and our goal is to assist you in the effective discharge of your responsibilities by furnishing you with analysis, appraisals, recommendations, and pertinent comments concerning the activities that we review. The attainment of this goal involves:
- Evaluating the soundness and adequacy of the internal control structure. Quality and continuous improvement are fostered in the organization’s control process.
- Assessing compliance with policies, plans, procedures, laws, and regulations.
- Verifying the existence of assets and ensuring that they are properly accounted for and safeguarded from losses of all kinds.
- Reviewing the reliability and integrity of financial and operating information data by reviewing general controls and computer security procedures over data processing.
- Conducting special examinations and reviews requested by management including investigating reported occurrences of fraud, embezzlement, theft, waste, etc., and recommending controls to prevent or detect such occurrences.
- Appraising the economy and efficiency with which resources are employed, and recommending improvements in operations.
- Determining the extent to which established objectives and goals for operations or programs are being accomplished in an effective, efficient and economical manner within the constraints of cost effectiveness and in accordance with established laws and regulations.
The internal audit staff is authorized by the Audit Committee of the University to conduct a comprehensive program of internal auditing. The Internal Audit Office is further authorized to have unrestricted access to University functions, records, properties and personnel in order to conduct reviews thoroughly and effectively.
The scope of internal auditing includes a wide range of activities ranging from the maintenance of accounting records, through compliance with policy, to the evaluation of functional and process efficiency and effectiveness. Common misconceptions about internal auditing are that:
- Its appraisals are confined to accounting functions;
- It is responsible for fraud detection; and
- It is reactive and bayonets the wounded after the battle has been fought.
The Office of Internal Audit seeks to dispel these notions by:
- Appraising a wide range of areas outside of financial functions;
- Providing advice to the university community on fraud and signs of potential fraud; and
- Providing assistance and advice to the university community on a wide variety of management related issues.
WHAT ARE CONTROLS AND WHY SHOULD I AS DEPARTMENTAL / UNIVERSITY MANAGEMENT CARE ABOUT CONTROLS?
Controls Are Simply Good Business Practices
Among other things, controls can provide reasonable assurance that:
- Management data is reliable
- Assets are accounted for and are safeguarded from losses
- Operating practices are sound and help ensure compliance with policies, laws and regulations
- Resources are used efficiently
Controls can be informal; for example, backing up important research or financial information on your computer, locking records in a file drawer, or using passwords to limit access to computerized information.
3 Types of Controls – Preventive, Detective, and Corrective
Controls can be designed for various functions. Some controls can be installed to prevent undesirable outcomes before they happen (preventive controls). Other controls can be installed to identify the undesirable outcomes when they do happen (detective controls). Still other controls can be installed to make sure that corrective action is taken to reverse undesirable outcomes or to see that they do not recur (corrective controls). All of these types of controls, in concert, function to ensure that some department/university objective or goal will be met.
Preventive Controls are more cost-effective than detective controls and are designed to discourage errors and irregularities from occurring. When built into a process, preventive controls forestall errors and thereby avoid the cost of correction. Examples of preventive controls include: trustworthy, competent staff; segregation of duties to prevent intentional wrongdoing; proper authorization to prevent improper use of university resources; adequate documentation and records as well as proper record-keeping procedures to deter improper transactions; and physical control over cash, equipment and other assets to prevent their improper conversion or use.
Detective Controls are usually more expensive than preventive controls, but are also essential, and are designed to find errors or irregularities after they have occurred. Detective controls measure the effectiveness of preventive controls. Also, some errors cannot be effectively controlled through a system of prevention; they must be detected when they occur. Examples include reviewing procurement card statements and phone charges for appropriateness, allowability, and/or proper allocation. Detective controls also include such control devices as bank reconciliations, independent checks on performance, confirmation of bank balances, cash counts, and systems of review like internal auditing.
Corrective controls come into play when improper outcomes occur and are detected. All the detective controls in the world are valueless if the identified deficiency remains uncorrected or is permitted to recur. Corrective controls such as documentation and reporting systems keep problems under management surveillance until they have been solved or the defect corrected. Corrective controls thus close the loop that starts with prevention and passes through detection to correction.
A System of Controls Reduces Business Risk
The University’s exposure to loss is limited when policies and procedures are clearly understood, and reporting mechanisms are reliable. Good control systems should include:
- Employees with the appropriate education and training for the duties assigned
- Individual Accountability
- Independent Monitoring
- Approval & Authorization
- Separation of Duties
Management’s Role
These control elements safeguard individual departments, and the university as a whole, from loss. Without a sound system of controls, errors and omissions can occur and go undetected. Also, existing controls can be circumvented by an inappropriate concentration of duties. It is the responsibility of management to maintain an adequate system of control within their areas of authority. Changes in conditions can cause the effectiveness of a control to deteriorate, or the degree of compliance to change. In response to changes, management must create additional controls, or alter existing controls, to protect against loss.
WHAT ARE INTERNAL CONTROLS?
Internal Controls are:
- An integrated system put in place to keep your department on course to achieve its mission.
- An integrated system to promote efficiency, reduce the risk of asset loss, and help ensure the reliability of financial data.
- An integrated system to promote compliance with laws and regulations.
Control Activities include:
- Authorizing transactions
- Approving transactions
- Verifying
- Reconciling statements
- Segregating duties
- Reviewing operating performances
- Securing assets
- Monitoring accounts
- Analyzing
- Comparing
- Reporting
- Observing
- Communicating
WHO IS RESPONSIBLE FOR INTERNAL CONTROLS?
Every individual within the University has some role in affecting internal control. Roles vary in responsibility and involvement. Managers are ultimately responsible for appropriate use and control of the funds entrusted to them. Top management is accountable to the Board of Directors, which provides governance and oversight. While the Audit Committee of the University is ultimately responsible for maintaining an adequate system of financial and administrative controls at the University, the department head is responsible for internal controls in the department and should take “ownership” of the internal control system. The department head sets the “tone” for the department by influencing the control consciousness of his/her staff and communicating an administrative philosophy that includes integrity, ethical values and competence. Everybody must understand that internal control must be taken seriously. Also, since all employees produce information that affects the internal control system, they should all be responsible for communicating upward problems in operations, noncompliance with the University policies, or other policy violations or illegal actions.
WHY IS MY DEPARTMENT SELECTED TO BE AUDITED?
The Internal Audit Unit establishes a comprehensive audit plan based on a three-year cycle and identifies which audits will be conducted during the upcoming fiscal year. The decision of what audits to include in the annual audit plan is based in part on this long-range plan and, in part, on input from the Audit Committee of the University, administration, departmental managers, external auditors, and the Internal Audit staff. The plan is reviewed and approved by the Audit Committee and it may be amended at any time to include requested audits, special projects or changes in priorities. The Audit Committee meets quarterly to review the progress of the audit plan.
Not all audits are selected in the same way. An area can be selected for an audit if:
- risk assessment factors are deemed high;
- it has emerging compliance issues;
- it is a core business process;
- alleged irregular conduct has occurred; or
- there is a request from management.
Selection based on an assessment of risk
The most common method of selecting an area for an audit is the application of a risk assessment model. All components of the University are considered when preparing this model. Several risk factors are considered during the assessment, including the:
- quality of internal controls;
- financial materiality;
- external impact;
- complexity of operations; and
- length of time since the area's last audit.
When this model is applied, areas are ranked according to their risk. Areas with the greatest risk exposure become priority audits. The risk assessment results in various types of audits including financial, operational, compliance and information technology.
WHAT SHOULD I EXPECT WHEN MY DEPARTMENT IS BEING AUDITED?
Unless our audit is to investigate a suspected fraud or a surprise cash count audit, you or the senior management of your area will be notified in writing when your department is selected for an audit. This letter will state the scope and objectives to be accomplished in the audit. Subsequently, a representative of the Internal Audit Department will contact you to schedule an entrance meeting to discuss the scope of the audit and the logistics of conducting the audit. At this initial meeting, you should take the opportunity to discuss any concerns or questions you may have about the audit, and to determine how you can facilitate the audit process. A typical audit has several stages, including preliminary research, data collection and analysis, review, report writing and distribution, and follow-up.
WHAT PROCESS DOES A ROUTINE AUDIT FOLLOW?
Internal Audit notifies the client in writing when his or her area is selected for an audit. This document, which is referred to as an engagement letter, indicates the scope and objective of the audit, audit staff members assigned to the audit, the projected time frame of the audit and the information the auditors will need the client to supply.
An entrance conference is scheduled with the client to discuss the purpose, general scope and process of the audit. The Head of Internal Audit and the assigned auditor(s) attend the entrance conference with personnel deemed appropriate by the client. Clients are encouraged to present any questions or concerns they may have about the audit. Clients may request a specific function or area of their office be examined during the audit or in future work.
During this portion of the audit, the auditor(s) will gain an understanding of the client's procedures, objectives, size, etc. Written policies and procedures, organizational charts, related forms and job descriptions enable auditors to plan the audit tests to be performed and to become familiar with the client's operations. Internal controls are reviewed and documented during this portion of the audit.
During this phase, the auditors will be in the client's area. This phase of the audit includes testing the internal controls and performing other audit procedures necessary to accomplish the objectives of the audit. Internal Audit appreciates the value of each person's time and tries to use the time allotted to auditors carefully. However, please be aware the auditors need to ask questions and will try to work around scheduling conflicts.
Review Audit Work
Continuous review is performed from the planning phase, fieldwork and through the final report, by the Head of Internal Audit. The review process might require additional work be performed in some cases.
Draft Audit Report
Internal Audit's goal is to complete the audit and issue a draft audit report within 21 days after the completion of fieldwork. The draft is prepared with a background section, the scope of the audit, and any recommendations that were made. An exit conference is scheduled and a copy of the draft report is sent to the client. The Rector will chair the exit conference, and the conference is an opportunity to discuss the audit recommendations, clarify any ambiguities and, if necessary, modify the draft report before the final version is issued.
Departmental management then has to respond in writing to our findings and recommendations. The response will be appended to our final report. Usually the Rector and head of the department receive the report. Additionally, a copy may be sent to the following University administrators depending on the department or subject area reviewed. The final report then has to be reviewed and approved by the Audit Committee.
Audit Follow Up
We may perform a follow-up review to verify that actions implemented had the intended results. This audit repeats the normal audit process, but is limited in scope based on the final report and corresponding formal response. Follow-up actions are reported to the Audit Committee, which considers the appropriateness or otherwise of actions taken.
HOW LONG WILL THE AUDIT TAKE?
Audits can last from several days to several months. The amount of time required depends on the audit scope, the ease in obtaining the required information, the number of auditors assigned to the audit and the quality of the client's records. The internal control audit may take a week or two, while other broad based audits may take six to eight weeks. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the audit.
ARE THERE DIFFERENT TYPES OF AUDIT?
Yes. There are five general categories of internal audit reviews:
FINANCIAL AUDITS address questions of accounting, recording, and reporting of financial transactions. They determine whether the Financial Statements of the University present fairly the financial position and the results of financial operations in accordance with generally accepted accounting principles. Reviewing the adequacy of internal controls also falls within the scope of financial audits.
COMPLIANCE AUDITS seek to determine if departments are adhering to Federal, State, and University rules, regulations, policies and procedures. Recommendations in these areas typically call for improvements in processes and controls intended to ensure compliance with regulations. Many audits are a combination of financial and compliance issues.
OPERATIONAL AUDITS examine the use of department / university resources to evaluate whether those resources are being utilized in the most efficient and effective way to fulfill the department’s / university’s mission and objectives. The auditor is more concerned with the who, what, when, why, and how of running an efficient and effective operation than just the accounting and financial aspects of the business function. An operational audit may include elements of a compliance audit, a financial audit, and an information systems audit.
INVESTIGATIVE AUDITS are initiated from requests by department personnel, administrative management, etc. These audits focus on alleged, irregular conduct to determine whether civil or criminal violations of State Law or Federal Constitutions and of University policies and regulations have occurred. This may result in prosecution or disciplinary action. Reasons for investigative audits include internal theft, misuse of University assets and/or conflicts of interest.
INFORMATION SYSTEMS (IS) AUDITS address the internal control environment of automated information processing systems and how these systems are used. Information system audits typically evaluate system input, output and processing controls, backup and recovery plans, and system security, as well as computer facility reviews.
HOW CAN I BEST WORK WITH UTHM AUDITORS?
Each audit engagement has a defined scope and objectives. Any auditor requesting information from you should be able to explain the audit’s purpose and objectives so you can understand the reasons for questions being asked and provide accurate answers. When you understand the audit's purpose, you can assist by either providing relevant information or, if you are not the best source of the requested information, directing the auditor to the right person or office. If you have questions or concerns about information being requested, it is appropriate to discuss those concerns with the auditor or the Head of Internal Audit Office.
WHO AUDITS THE INTERNAL AUDIT UNIT?
The Internal Audit Unit follows the Standards of the Institute of Internal Auditors Malaysia, International Audit Guidelines and Malaysia Auditing Standard. Accordingly, the Audit Committee periodically performs a peer review, assesses the quality of our function and makes recommendations directly to the Board of Directors of the University on audit and compliance.
HOW CAN I CONTACT INTERNAL AUDIT UNIT?
The Internal Audit Unit is organized with a Head of Unit and auditors and may be reached by calling 07-4537860/7861, faxing 07-4536936 or by coming to its office located at Internal Audit Unit, Ground Floor of Registrar Building, Tun Hussein Onn University of Malaysia.