Frequently Asked Questions

What does the Office of Internal Audit do?

The Office of Internal Audit provides an independent and objective review service to the Institution by examining activities for compliance with applicable policies, regulations, procedures and laws.  We issue reports of planned engagements to communicate the effectiveness of accounting, financial, security and other controls.


I’ve been notified of an upcoming audit, now what?

Once an audit has been scheduled, the "auditee" (e.g., an individual or department) can prepare by organizing information pertinent to the objective of the audit.  Standard information that we will request includes: a current organization chart with staff names and positions, contact information for the key audit contacts, the chart of accounts, written procedures and other authoritative guidance, reports or other resulting documentation from prior reviews, and the results of the auditee's most recent risk assessment.


Will an auditor show up at my department unannounced?

Not for audits that are on our annual audit plan.  You will be contacted during the planning stage for the audit so that we can gather your input on risks that are relevant to the audit and schedule fieldwork.  The exception to this would be surprise cash counts of petty cash or change funds.  If this happens, please verify the auditor’s legitimacy by viewing their photo identification and Institution business card.  If there are any doubts, contact the Office of Internal Audit at 446-6137.


Are auditors looking for fraud when performing audits?

We have a professional responsibility per Standard 1220 of the International Standards for the Professional Practice of Internal Auditing “to exercise due professional care in performing audit work to the degree that fraud may be present in activities covered in the normal course of audit work.”  Auditors watch for potential fraud risks during the course of our audit activities.  However, it is management’s responsibility to identify areas of risk and potential fraud opportunities and take proper action.


How long do audit engagements take?

The length of each audit will depend on the nature and scope of the review.  Small audits might be completed within 20 hours while more complex reviews can last several months.  The lead auditor will communicate the expected timeline and milestones with you during the entrance meeting and periodically throughout the audit and reporting process.


What is the auditee's responsibility once the audit report is issued?

There are two kinds of audit reports:

  • Draft report: The auditee is requested to respond with comments on the accuracy, tone and reasonableness of the report.  The auditee is also requested to submit their formal response clearly stating their agreement or disagreement with each recommendation AND with an action plan and implementation date for each recommendation.  There are generally 10 business days provided for review and comments.
  • Final report: The auditee is responsible for implementing the action plans as stated in their formal response to the audit.  They are also responsible for cooperating with the auditors during follow-up activities.


Why am I contacted about follow-up activities when less than a year ago you were conducting the audit?

We have an obligation to Senior Management, the Audit & Compliance Committee of the Board of Visitors, and the professional practice of internal auditing to report progress on implementation of recommendations.  When follow-up testwork is deemed necessary, we schedule these activities to occur shortly after the implementation deadline for each action plan provided by executive management in the formal response to the audit.  On occasion we need to wait longer so that there is sufficient data or transactions to test.  There are two objectives for follow-up auditing:

  • Verify that the action plan was implemented as stated in the formal response.
  • Verify that the action plan is operating as intended, meaning that it has the intended effect of mitigating the identified risk.


What kinds of audits do you do?

We perform a variety of services. Generally speaking, here are the most common:

  • Operational Audits - Examine the use of auditee resources to evaluate whether those resources are being used in the most effective and efficient manner to fulfill the Institution's mission and objectives.  An operational audit may include elements of the other audit types listed below.
  • Financial Audits - Focus on accounting and reporting of financial transactions, including commitments, authorizations, and receipt and disbursement of funds.  The purpose of this type of audit is to verify that there are sufficient controls over cash and cash-like assets, and that there are adequate process controls over the acquisition and use of resources.  Unlike external financial audits, internal financial audits do not prepare or express professional opinions on the fairness of the presentation of financial statements.
  • Compliance Audits - Review adherence to laws, regulations, policies, and procedures.  Examples include federal and state law.  Recommendations typically call for improvements in processes and controls intended to ensure compliance with regulations.
  • Investigations - Investigations include alleged instances of fraud, waste and abuse, and other improper activities.   We attempt to determine the validity of the reported allegation(s) based on obtainable information.


What if I suspect fraud, waste or abuse, or need to report an allegation of such?

If you suspect fraud, waste, abuse or unethical activities, you may report the information to any of the following:

  • Your direct supervisor
  • Anyone in your chain of command
  • A law enforcement official of the Institution
  • Office of the General Counsel
  • Office of Compliance
  • Office of Internal Audit (see contact information below) 

Barrett Wood, Director of Internal Audit: 757-446-6137; Email Address: woodrb@evms.edu

Jennifer Williams, Associate Director of Internal Audit: 757-446-7924; Email Address:  williajl@evms.edu


What about confidentiality?

Internal auditors have access to all records and assets of the Institution, and we understand that we have an obligation to maintain the confidentiality of that information.  Each internal auditor receives specific instruction on confidentiality requirements and is required to sign a Confidentiality and Independence Statement.


Why do we need effective internal controls?

Good internal controls safeguard Institution assets and make their use more efficient and effective.  They are good business practices that assist you in achieving your departmental goals and objectives and the Institution’s mission.  Good internal controls are cost effective, timely and flexible.  They are best placed where they are most effective and identify both the problem and its cause.  If you do not have a preventive control, evaluate the process to determine whether you have a mitigating control, such as an after-the-fact review or other detective control that is performed on a regular basis.


Who is responsible for internal controls?

Senior management is responsible for developing a system of internal controls.  The Office of Internal Audit is responsible for assessing and reporting on the effectiveness of the controls implemented by senior management.


Why should I be concerned about risk and internal controls?

Each employee has an important role in identifying and managing risk.  This is a critical concept because risks can either help or reduce the Institution’s ability to achieve its goals and objectives.  Therefore, all employees should be concerned about maintaining good internal controls, because those controls reduce and mitigate negative risks to an acceptable level.


What are business risks?

Negative business risks are those circumstances, events or activities that can adversely affect the achievement of the Institution’s objectives.  A risk can be limited to a single critical process or extend to cover an entire functional area, and can involve financial risk, compliance risk, or operational risk.  Some examples include: misappropriation or unauthorized use of funds or assets, receipt of substandard or excess supplies, purchases made from suppliers related to buyers, system-wide IT disruptions, or negative publicity from confidentiality breaches.