Audit and Consulting Services provides an independent and objective review service to the University by examining activities for compliance with applicable policies, regulations, procedures and laws. We issue reports of planned engagements to communicate the effectiveness of accounting, financial, security and other controls.
The staff at Audit and Consulting Services are happy to assist with concerns, questions or requests for reviews of new or revised processes, systems, ethics and compliance issues, and risk assessments. If you have questions on policies, procedures, or best practices we will be glad to help. In some cases we will know the answer to your question, but if we don’t we will be glad to research the answer to your question.
Once an audit has been scheduled, the audited unit can prepare by organizing some information pertinent to their unit. Some standard information that we will request include: current organization chart with staff names and positions, contact information for the key audit contacts, chart of accounts, written procedures and other authoritative guidance, reports or other resulting documentation from prior reviews and the most results from the unit’s most recent risk assessment.
Not for audits that are on our annual audit plan. You will be contacted during the planning stage for the audit so that we can gather your input on risks that are relevant to the audit and schedule fieldwork. The exception to this would be surprise cash counts of petty cash or change funds. If this happens, please verify the auditor’s legitimacy by viewing their photo identification and University business card. If there are any doubts, contact Audit and Consulting Services at 450-8094.
We have a professional responsibility per Standard 1220 of the International Standards for the Professional Practice of Internal Auditing “to exercise due professional care in performing audit work to the degree that fraud may be present in activities covered in the normal course of audit work.” Auditors watch for potential fraud risks during the course of our audit activities. However, it is management’s responsibility to identify areas of risk and potential fraud opportunities and take proper action.
The auditor will prepare an exit meeting document that describes each finding (aka issue) in a five-part format: issue, criterion, effect, cause and recommendation. The exit meeting is held with the audited unit to review the exit document. We seek the audited unit’s agreement or disagreement to each recommendation and are willing to work with the audited unit on revisions to the recommendations if they are congruent with mitigating the identified risk. The draft report is then issued to the audited unit for their review and comment on the report’s accuracy, tone and reasonableness of recommendations. There should not be any surprises at this point since the content has simply a formalization of the exit meeting document, taking into account the audited unit’s input. See The Audit Process Walkthrough and Audit Reports for more information on the reporting process.
The length of each audit will depend on the nature and scope of the review. Small audits might be completed within 20 hours while more complex reviews can last several months. The lead auditor will communicate the expected timeline and milestones with you during the entrance meeting and periodically throughout the audit and reporting process.
The length of a consulting engagement will also vary accordingly. This is especially true with system development projects where an auditor participates on the steering committee and prepares periodic feedback that consists of risks identified and potential mitigation strategies. Since system development projects can be lengthy, the auditor might be working on this type of engagement for a year or longer.
All final audit reports are distributed to the relevant administrators of the area audited, the Associate Vice Chancellor for Administrative Services, the Chancellor, the President and the Board of Regents Audit Committee. The final audit report includes the formal response submitted by the Chancellor or Vice President. Final reports are discussed with the Board of Regents Audit Committee at their next regularly scheduled meeting.See The Audit Process Walkthrough and Audit Reports for more information on the reporting process.
The Audit Committee consists of three regents from the Board of Regents, plus the board Chair. The primary function, as stated in the Bylaws of the Board of Regents, is to assist the board in fulfilling its oversight responsibilities relating to: the university's financial statements, systems of internal control, compliance with legal and regulatory requirements, and the independence and performance of the external and internal audit functions
The Chief Audit Executive reports functionally to the Audit Committee chair to facilitate independence of the audit function. The Committee provides oversight of internal and external audits, makes recommendations to the full board for the selection of external auditors, and reviews the findings of all external and internal audits. The Board also reviews and approves the annual audit plan from Audit and Consulting Services, as well as any significant proposed changes to the plan throughout the year.
There are three kinds of audit reports:
Draft report: The audited unit is requested to respond with comments on the accuracy, tone and reasonableness of the report. There are generally 10 business days provided for review and comments.
Preliminary report: The audited unit is requested to submit their formal response (through the appropriate MAU channels) clearly stating their agreement or disagreement with each recommendation AND with an action plan and implementation date for each recommendation.
Final report: The audited unit is responsible for implementing the action plans as stated in their formal response to the audit. They are also responsible for cooperating with the auditors during follow-up activities.
We have an obligation to the University management, Board of Regents and the professional practice of internal auditing to report progress on implement of recommendations. We schedule these to activities to occur shortly after the implementation deadline for each action plan provided by executive management in the formal response to the audit. On occasion we need to wait for a longer duration of time to pass so that there is sufficient data or transactions to test. There are two objectives for follow-up auditing:
• Verify that the action plan was implemented as stated in the formal response.
• Verify that the action plan is operating as intended, meaning that has the intended effect of mitigating the identified risk.
Each year Audit and Consulting Services begins this process by performing an enterprise-wide risk assessment. This assessment includes gathering input from a variety of sources including senior management, our knowledge of internal audit results and emerging industry risks, the external auditors and the Board of Regents. We strive to direct our audit resources to the areas and processes determined to be high risk. Our goal is to evaluate and recommend improvements to assist senior administration with managing the risk within these areas and processes.
Audit and Consulting Services schedules audit and consulting projects according to its annual plan, which is reviewed by the President, Chancellors, Vice Chancellors, Vice Presidents and the Chief Information Technology Officer. The plan is presented to the Board of Regents Audit Committee for their feedback and approval each year.
The Board of Regents, as well as senior management, can also recommend areas to be reviewed as these needs arise throughout the year.
We perform a variety of services. Generally speaking, here are the most common:
• Traditional Audits — we examine internal controls, test documents for compliance with state and federal law, and look for ways to improve operational efficiencies.
• Departmental Audits — we examine a broad range of risks and determine how they are being managed currently.
• Investigations — we attempt to learn the validity of allegations received.
• Consulting Engagements — we are typically providing advice on some specific problem that management has asked for our assistance in solving.
Management may contact the Chief Audit Executive (CAE) via telephone or email to request audit or consulting services. If it’s a brief question requiring no more than a few hours of research for us to respond, we can almost always work it in quickly. If the request is of a more complicated nature and planned to require more than a few hours, the CAE will determine how we can coordinate existing audit plan commitments while also accommodating your request.
If you suspect fraud, waste, abuse or unethical activities, you may report the information to any of the following:
Your direct supervisor
Anyone in your chain of command
A law enforcement official of the University
Office of General Counsel
System Office of Risk Services or MAU Risk Management
Office of Audit and Consulting Services (see contact information below)
Internal auditors have access to all records and assets of the University, and we understand we have an obligation to maintain the confidentiality of that information. Each internal auditor receives specific instruction on confidentiality requirements.
Departments are responsible for retaining and disposing of University records in accordance with their retention periods. All records and copies of records made or received in the conduct of university business, regardless of physical form, are considered public records for purposes of retention and disposition. Departments are responsible for securely maintaining the records for the retention period indicated on the retention schedule.
If an audit, legal action, or public records request is in progress, do not dispose of related records even if disposition is authorized by the retention schedule. Special care must be taken with the maintenance and disposition of confidential records. If you have records that are not on the retention schedule, contact the Chief Records Officer.
Good internal controls safeguard or make more efficient and effective use of University assets. They are good business practices that assist you in achieving your departmental goals and objectives and the University’s mission. Good internal controls are cost effective, timely and flexible. They are best placed where they are most effective and identify both the problem and the cause. If you do not have a preventive control, evaluate the process to determine if you have a mitigating control such as an after-the-fact review or other detective control that is performed on a regular basis. See Internal Controls for more information.
Senior management is responsible for developing a system of internal controls. Audit and Consulting Services is responsible for assessing and reporting on the effectiveness of the controls implemented by senior management. See Internal Controls for more information.
Each employee has an important role in risk identification and management of risk. This is a critical concept because risks can either help to achieve or reduce the ability to achieve the University’s goals and objectives. Therefore, all employees should be concerned about maintaining good internal controls because they reduce and mitigate negative risks to an acceptable level.
Negative business risks are those circumstances, events or activities that can adversely affect the achievement of the University's objectives. Some examples include: misappropriation or unauthorized use of funds or assets, receipt of substandard or excess supplies, purchases made from suppliers related to buyers, system-wide IT disruptions, or negative publicity from confidentiality breaches.
Positive business risks are similar but they have a favorable affect on the achievement of the University’s objectives. Some examples include:
• A higher increase in student enrollment than expected
• Receipt of a grant that requires a change to administrative infrastructure
• Implementation of a new software system
It can often be difficult for small departments to properly segregate specific functions that they perform. For example, if a department has one employee to perform cash receipting and accounts receivable processes, it can be a challenge to ensure proper controls exist over these procedures. In situations such as these, management oversight becomes even more important.
Managerial oversight is a strong control in any system. However, in small departments, management will be required to provide more intense, direct oversight than in the larger, well-segregated departments. Management should review all payroll records, receipts, and thoroughly review monthly financial reports and reconciliations. We would also recommend management indicates their review with dated signature. See Internal Controls for more information.
Yes. The University engages an external auditor, currently Moss Adams, LLP, to perform the annual financial statement audit and the federally mandated A-133 audit. In addition, the State of Alaska Division of Legislative Audit performs audits of units and processes at the University. On occasion, auditors from federal (or state) agencies may be on campus reviewing sponsored programs or research activities.
Any auditor working on campus should be able to appropriately identify themselves. Our suggestion is not to provide any documentation, records, or access to assets until the individual provides proper identification. No auditor should be offended by such a request.
Per Board of Regents policy P05.03 the Chief Audit Executive (CAE) is a liaison for all external audit activities. The CAE is responsible for updating the Board of Regents Audit Committee on all audit activities, both internal and external. Therefore, please notify the CAE when you are notified of an external audit in your unit. It is strongly preferred that an internal auditor attends the entrance and exit meetings for external audits.
Sometimes we are well aware of the external audit because it is one that we contracted for, but other times the audited unit is the first to be notified, such as with audits by granting agencies.
Yes. All employees of Audit and Consulting Services are UA employees. Periodically we employ a student from the University of Alaska Fairbanks School of Management. The intern also works as an employee, but in the student employee classification.
The Board of Regents Audit Committee evaluates the performance of Audit and Consulting Services and receives regular reports on the progress and results of our plan. Every five years (minimum) we complete a self-assessment that is followed by an external validation, similar to a peer review, where we are reviewed against the standards promulgated by the Institute of Internal Auditors International Professional Practices Framework (IIA IPPF). These results are reported to the Board of Regents Audit Committee and reviewed with them at their next meeting. This is commonly referred to as our quality assurance review and remediation process and is a major component of our quality assurance and improvement plan.