Internal Audit is an independent, objective, assurance and consulting activity, assisting the university in meeting its objectives and improving the effectiveness of risk management, control and governance processes.
The Internal Audit department complies with professional standards and brings a systematic, disciplined approach to each audit assignment.
Generally, a routine internal audit is an independent review of the control systems inherent in a unit's operating policies and procedures. Internal auditing can be thought of as a control that functions by reviewing other controls. Internal audit reviews can provide you with important and useful information. They can help you determine whether there are appropriate internal controls over your activities and show you ways to improve the efficiency and effectiveness of your operations.
Our audits examine controls over:
Depending on its specific purpose, an audit may concentrate on one or all of these areas.
Understanding the audit process is easier if we know how an audit is selected, what the phases of an audit are, and the types of audits that could be performed. With this information, we may better understand the age-old question: Why would I request audit services?
Annually, the Director of Internal Audit prepares an audit plan. The goal of the annual planning process is to identify what units can most benefit from assurance services and ensure that Internal Audit resources are being focused to best meet the needs of the university. Typically, a risk assessment is performed of the major functional areas using industry trends, past audit experience and campus input. In addition, random selection ensures periodic service to all units. Some factors considered in the assessment of risk include:
An audit begins with an initial meeting between the auditor and management from all interested offices and units. The entrance conference provides an opportunity for discussion of the audit process, the scope and objectives of the audit, the estimated completion date, and on-site work space requirements. It also provides management with an opportunity to discuss any questions or concerns they may have. Management's input at this stage will help us to establish a work plan to minimize audit time and avoid disruption of ongoing activities to the greatest extent possible.
The first step of the actual audit consists of interviews with managers and staff, and a review of documents and data to gain a better understanding of the unit's operations. Transactions and records are then tested to determine if controls are operating as intended. Informal communication between the auditor and unit management is maintained to avoid misunderstandings, and to ensure that there are no surprises in later stages of the audit.
After all fieldwork is completed, a draft report is prepared by the auditor. The report documents our objectives, procedures performed, our conclusions as to the adequacy of controls, and specific observations and recommendations for improvement if necessary. Internal Audit management reviews the draft thoroughly before it is presented to the unit's management. This draft report is prepared only for the unit's operating management and it provides the basis for discussions at the exit conference.
A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, the report draft is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions. This meeting is also an opportunity to ensure any misunderstandings, possible misstatements or factual errors contained in the report are identified and resolved. Any issues identified during the engagement which were not significant enough to be included in the report, but still represent a potential risk, are also presented and discussed.
After the exit conference, the draft report is finalized, including any agreed-upon changes from the exit conference. In addition, the unit head will be responsible for formulating management's response to the recommendations and forwarding them to Internal Audit. The management response is a critical element of the feedback loop. The response serves to reinforce the proactive nature of the audit process by demonstrating to the reader that improvements are being made. The response should contain three elements:
Once any changes and management's responses have been incorporated, the draft is considered final. Final reports are distributed to the appropriate managers involved in the audit and to senior executives. Audit reports are considered confidential documents.
There will be a follow-up review of all audit recommendations approximately six to twelve months after the engagement. The purpose of the follow-up is to verify that you have implemented the agreed-upon activities. The auditor may send a request for status, interview staff, perform additional tests or review new procedures.
An audit can usually be classified into one of the following four categories:
An operational audit examines an operating process to determine if resources are being used in the most efficient and effective ways to meet the unit's mission and objectives. Internal control reviews are a major portion of an operational review. Activities such as human resources services, cash handling, procurement, and equipment inventories are generally subject to this type of audit.
A financial audit reviews the recording and reporting of financial transactions. The purpose of this type of audit is to provide management with assurance that financial information is accurately recorded in the University's financial records and that these records support the information shown in the financial reports.
A compliance audit evaluates the University's adherence to laws, regulations, and internal and external policies governing the activity being reviewed. Examples of these requirements include Federal and State laws, NCAA and OSHA regulations, and SUNY and UB policies and procedures.
An information system (IS) audit reviews the internal control environment and the use of an automated information and transaction processing system. These audits typically evaluate system input, processing, and output; system development, security and privacy; backup and recovery plans; and governance.
Investigations evaluate allegations of irregularities, abuse, and fraud to determine whether the allegations are substantiated and to prevent future occurrences. Internal Audit will coordinate investigations with university management and SUNY Office of Audits, as appropriate.
Besides performing routine audits, we are available for consulting. This encompasses a wide variety of services that allows the University community to utilize our financial, operational, and IT controls expertise. This may be participation in committees, reviews of changes to operations or processes, or evaluation of draft policies and procedures. This may be a simple phone call for advice or a request for training. Where possible, we work in collaboration with other units, such as Procurement Card Administration, on consulting engagements.
Internal Audit may be engaged in miscellaneous special projects at the request of the President and Executive Management. These may include, but are not limited to, special committee membership, membership in teams, and performing research.
The university is committed to the highest standards of moral, legal and ethical behavior, but we need your help to reach that goal. By “doing what’s right” every day, you’ll help us build a reputation for excellence and integrity.
If you suspect waste, abuse, irregularities or fraud resulting in inappropriate use of funds or other university resources, you are required to report it. All reports are handled in confidence and with extreme discretion. All reports are taken seriously and are assessed. If you report anonymously, an examination will occur, but we will not be able to provide you with the results.
Fraud encompasses an array of acts characterized by intentional deception or theft which produces a loss or misuse of resources or property. Fraud can be perpetrated for the benefit of individuals or the organization or may be detrimental to the organization. Fraud may be committed by persons outside as well as inside the organization.
Fraud and irregularities include, but are not limited to:
If what you suspect is dishonest or criminal, do not try to question anyone or otherwise investigate the matter yourself.
| Your supervisor | As appropriate |
| UB provost, vice president, dean | As appropriate |
| Chief of Staff to the VPFA | Phone: 716-645-5144 |
| UB Police, Investigative Division | Phone: 716-645-2222 |
| University at Buffalo Police Silent Witness Reporting | www.public-safety.buffalo.edu/silentwitness.shtml |
| State University of New York Report Fraud Hotline | |
| Research Foundation Ethics Hotline | |
| University at Buffalo Foundation Executive Director | Phone: 716-645-3013 |