Department of Audit and Consulting Services
Frequently Asked Questions
How Are Departments Selected For Review?
Perhaps this is the most often asked question when we call an area to inform them they will be audited. This is likely out of fear of the unknown or perhaps fear that someone is "out to get them." However, the process of selecting areas for review is not nearly as fearful as one might think, nor do political agendas enter into the picture, as we operate independently. Areas are selected for review in three ways: from our annual Audit Risk Analysis, the UT System Coordinated Audit, and from administrative requests.
1. Annual Risk Analysis
Each year the auditing staff will prepare a Risk Analysis of all UTC Departments or auditable areas to determine the next year's auditing schedule. Various risk factors are considered, such as the time since the last audit, the size of operations (by budget or by transactions), recent management/staff changes, whether the department handles cash, etc. These factors are then weighted by importance in order to assign a numerical risk value. The results are then used in developing our Annual Audit Schedule.
2. UT System Coordinated Audit
A number of hours are budgeted in our Annual Audit Schedule for the UT System Coordinated Audit. This audit involves an auditable area that has been identified by UT System Auditors for review at all campuses of the University. Some examples of recent coordinated audits are: employee contributions to United Way, Hazardous Materials, Vending Operations, etc.
3. Administrative Requests
A number of hours are budgeted in our annual audit schedule for administrative requests. An administrative request is generated when the department itself (or occasionally higher-level management) requests an audit. One common reason for an administrative request is the retirement of the unit or department head. Requesting a review in this case protects the out-going and in-coming employees.
What Occurs On An Audit?
Generally the following process will occur once a unit is selected for review.
1. Audit Planning
During this phase your unit will not be affected and probably won't even be aware it is occurring. The auditor assigned to the audit will review the files of prior audits in your area (if any), review applicable professional literature, research any applicable policies or statutes, and finally prepare an audit program, which is basically a list of steps we will perform on the audit.
2. Entrance Conference
This is a meeting between the manager(s) of the area being audited and the Internal Auditor(s). This meeting introduces you to what will occur on the audit and allows you the opportunity to share any concerns you have. For example, if there is a particular process or procedure in your unit you would like us to review, let us know at this meeting and we can include it in our audit.
3. Fieldwork
During this process the auditor will test documents such as vouchers, collections reports and other departmental reports. The auditor will likely interview employees in the department to inquire about their duties. We may flowchart the process we are reviewing to better understand the controls in place. Some of this work will be performed in our office and some in the unit being audited.
4. Report Writing
Throughout our review we will attempt to be open regarding what we find and plan to recommend in our report. Once we've completed our fieldwork, the auditor in charge will write a report which states what we did, what we found and any recommendations for improvement. After this report is completed, a rough draft will be mailed to the department head for his or her review. At this point only the department head and the audit staff will have seen the report.
5. Exit Conference
The exit conference is a meeting between departmental management and personnel from Internal Auditing (usually the same people that were in the entrance conference). At this meeting we will review the report and our findings. If we have misinterpreted anything in our report, this provides you the opportunity to let us know before the report is seen by anyone else. It also allows us the opportunity to discuss our recommendations. Occasionally, we will make oral recommendations on items we don't include in the report. We will discuss any oral recommendations in this meeting.
6. Reporting Process
After the exit conference, we will make any changes agreed upon in the exit conference. The revised report is forwarded to our Knoxville Office for an editorial and technical review, and their suggestions are then incorporated in the report. We will then request your written comments regarding the recommendation(s) made and your planned corrective action(s), and your comments will be included in the audit report. The report will be sent to all levels of management involved in the area audited, and an executive summary is sent to the President and the Finance/Audit Committee of the Board of Trustees.
7. Follow Up Process
Approximately six months after the final audit report is issued, we will follow up to determine whether the recommendations have been implemented and assess their effectiveness. If the recommendations have not been implemented, we will inquire why they have not been implemented.
What Should I Do If A Theft Occurs?
University Fiscal Policy 130 governs what actions you should take when you discover or suspect University assets/funds have been stolen. Whenever a shortage of moneys or other University property is known or suspected, the immediate Supervisor or Department Head must be contacted as soon as possible.
In the event of any mysterious loss of equipment or supplies, vandalism, loss of cash due to robbery or breaking and entering, etc., contact Campus Law Enforcement at 425-4357. In these circumstances, try to avoid touching anything in the area where the assets/funds were located, seal the area, and don't attempt to examine records or any remaining funds. In the event of a loss of cash for reasons other than robbery or breaking and entering, or suspected fraudulent activity of an employee, contact Audit and Management Services at 425-4715.
The UTC Campus Law Enforcement normally conducts investigations involving the mysterious loss of equipment or supplies, vandalism, or loss of cash receipts resulting from robbery or breaking and entering. Campus Internal Auditors assist as needed to verify the amount of the cash loss and other pertinent facts.
The Campus Internal Auditors normally conduct investigations involving the loss of cash as well as fraudulent activity whenever employee involvement is known or suspected. Campus Law Enforcement assists as needed in conducting interviews and performing other investigation measures.
Often, Campus Law Enforcement and Audit and Management Services work together on the investigation. At the conclusion of an investigation we are likely to issue a report which will include recommendations to strengthen internal controls.
Three basic things we need to know:
1. What (or what amount of cash) is missing?
2. How did the situation occur?
3. How can we prevent a similar situation from happening again?
What Are Internal Controls?
First a text book definition:
Internal control comprises the plan of organization and all of the coordinate methods adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies. This definition...recognizes that a system of internal control extends beyond those matters which relate directly to the functions of the accounting and financial departments.
Now in layman's terms: Everyone has developed their own "personal internal control system". Consider the following:
When you came to work today, did you lock the doors to your house?
If you did, that's your own "internal control" to safeguard the assets you own. Congratulations, you are an internal control user.
Do you keep the PIN number for your ATM card in a safe place? (i.e. away from the card itself.)
If you do, that's an internal control the bank recommends to protect your funds from being stolen.
Do you balance your bank statements each month? (You really should, you know.)
If you do, then you are ensuring the accuracy of the transactions entered on the account statement. Once again you are performing your own personal internal control.
At UTC, internal controls serve the same purpose:
- Protect the university's assets
- Ensure records are accurate
- Promote operational efficiency
- Encourage adherence to policies
Generally, controls are of two types: 1. Preventative and 2. Detective
Preventative Controls --- are designed to discourage errors or irregularities from occurring.
Example: Processing vouchers only after signatures have been obtained from appropriate personnel.
Detective Controls --- are designed to find errors or irregularities after they have occurred.
Example: Reviewing departmental phone bills for personal calls.
Who is responsible for internal controls?
The auditors, right? Wrong. Everyone plays a part in UTC's internal control system. Ultimately, it is management's responsibility to ensure that controls are in place. That responsibility is delegated to each area of operation. Every employee has some responsibility for making this internal control system function. Therefore, all employees need to be aware of the concept and purpose of internal controls. Internal Auditing is here to help you achieve that goal.
How should I prepare for a Procurement Card Audit?
1. Make sure the monthly statements have all receipts and/or other supporting documents attached in order.
2. Make sure you have filled out the appropriate forms if you don't have a receipt or the receipt is not sufficiently detailed.
3. Make sure the monthly statements have been signed by the purchaser and the verifier.
4. Make sure the approver has approved the monthly statement through the electronic approval process.
The University of Tennessee at Chattanooga is an EEO/AA/Title VI/Title IX/Section 504/ADA institution.