Internal Audit provides an independent and objective review service to the institution by examining activities for compliance with applicable policies, regulations, procedures and laws. We issue reports of planned engagements to communicate the effectiveness of accounting, financial, security and other controls.

Once an audit has been scheduled, the "auditee" (for ex., individual or department) can prepare by organizing some information pertinent to the objective of the audit. Some standard information that we will request includes: current organization chart with staff names and positions, contact information for the key audit contacts, chart of accounts, written procedures and other authoritative guidance, reports or other resulting documentation from prior reviews and the results from the auditee's most recent risk assessment.

Not for audits that are on our annual audit plan. You will be contacted during the planning stage for the audit so that we can gather your input on risks that are relevant to the audit and schedule fieldwork.  The exception to this would be surprise cash counts of petty cash or change funds. If this happens, please verify the auditor’s legitimacy by viewing their photo identification and Institution business card. If there are any doubts, contact Internal Audit at 757.446.6137.

We have a professional responsibility per Standard 1220 of the International Standards for the Professional Practice of Internal Auditing “to exercise due professional care in performing audit work to the degree that fraud may be present in activities covered in the normal course of audit work.” Auditors watch for potential fraud risks during the course of our audit activities. However, it is management’s responsibility to identify areas of risk and potential fraud opportunities and take proper action.

The length of each audit will depend on the nature and scope of the review. Small audits might be completed within 20 hours while more complex reviews can last several months. The lead auditor will communicate the expected timeline and milestones with you during the entrance meeting and periodically throughout the audit and reporting process.

There are two kinds of audit reports:

  • Draft report: The auditee is requested to respond with comments on the accuracy, tone and reasonableness of the report. The auditee is also requested to submit their formal response clearly stating their agreement or disagreement with each recommendation and with an action plan and implementation date for each recommendation. There are generally 10 business days provided for review and comments.
  • Final report: The auditee is responsible for implementing the action plans as stated in their formal response to the audit. They are also responsible for cooperating with the auditors during follow-up activities.

We have an obligation to Senior Management, the Audit and Compliance Committee of the Board of Visitors, and the professional practice of internal auditing to report progress on implementation of recommendations. When follow-up test work is deemed necessary, we schedule these activities to occur shortly after the implementation deadline for each action plan provided by executive management in the formal response to the audit. On occasion, we need to wait for a longer duration of time to pass so that there is sufficient data or transactions to test. There are two objectives for follow-up auditing:

  • Verify that the action plan was implemented as stated in the formal response.
  • Verify that the action plan is operating as intended, meaning that it has the intended effect of mitigating the identified risk.

We perform a variety of services. Generally speaking, here are the most common:

  • Operational audits examine the use of auditee resources to evaluate whether those resources are being used in the most effective and efficient manner to fulfill the institution's mission and objectives.  An operational audit may include elements of the other audit types listed below.
  • Financial audits focus on accounting and reporting of financial transactions, including commitments, authorizations, and receipt and disbursement of funds. The purpose of this type of audit is to verify that there are sufficient controls over cash and cash-like assets, and that there are adequate process controls over the acquisition and use of resources. Unlike external financial audits, internal financial audits do not prepare or express professional opinions on the fairness of the presentation of financial statements.
  • Compliance audits review adherence to laws, regulations, policies, and procedures. Examples include federal and state law. Recommendations typically call for improvements in processes and controls intended to ensure compliance with regulations.
  • Investigations include alleged instances of fraud, waste and abuse, and other improper activities.   We attempt to determine the validity of the reported allegation(s) based on obtainable information.

If you suspect fraud, waste, abuse or unethical activities, you may report the information to any of the following:

  • Your direct supervisor
  • Anyone in your chain of command
  • A law enforcement official of the Institution
  • Office of the General Counsel
  • EVMS Institutional Compliance
  • Internal Audit (see contact information below) 

Barrett Wood, Executive Director of Internal Audit:

Jennifer Williams, Associate Director of Internal Audit:


Internal auditors have access to all records and assets of the institution, and we understand that we have an obligation to maintain the confidentiality of that information. Each internal auditor receives specific instruction on confidentiality requirements, and is required to sign a confidentiality and independence statement.

Good internal controls safeguard or make more efficient and effective use of institution assets. They are good business practices that assist you in achieving your departmental goals and objectives and the Institution’s mission. Good internal controls are cost effective, timely and flexible. They are best placed where they are most effective and identify both the problem and the cause. If you do not have a preventive control, evaluate the process to determine if you have a mitigating control such as an after-the-fact review or other detective control that is performed on a regular basis.

Senior management is responsible for developing a system of internal controls. Internal Audit is responsible for assessing and reporting on the effectiveness of the controls implemented by senior management.

Each employee has an important role in risk identification and management of risk. This is a critical concept because risks can either help to achieve or reduce the ability to achieve the institution’s goals and objectives. Therefore, all employees should be concerned about maintaining good internal controls because they reduce and mitigate negative risks to an acceptable level.


Negative business risks are those circumstances, events or activities that can adversely affect the achievement of the Institution’s objectives. Risk can be limited to a critical process to cover an entire functional area, and can involve financial risk, compliance risk, or operational risk. Some examples include: misappropriation or unauthorized use of funds or assets, receipt of substandard or excess supplies, purchases made from suppliers related to buyers, system-wide IT disruptions, or negative publicity from confidentiality breaches.