Frequently Asked Questions

Internal auditors provide an independent and objective review service to the University by examining activities for compliance with applicable policies, regulations, procedures and laws.  We issue reports of planned engagements to communicate the effectiveness of accounting, financial, security and other controls.

Internal auditors are happy to assist with concerns, questions or requests for reviews of new or revised processes, systems, ethics and compliance issues, and risk assessments.  If you have questions on policies, procedures, or best practices we will be glad to help. In some cases we will know the answer to your question, but if we don’t we will be glad to research the answer to your question.

Per Board of Regents policy P05.03 the chief audit executive is a liaison for all external audit activities.  The chief audit executive is responsible for updating the Board of Regents Audit and Finance Committee on all audit activities, both internal and external.  Therefore, please notify the chief audit executive when you are notified of an external audit in your unit. It is advised that an internal auditor attends the entrance and exit meetings for external audits.

Sometime we are well aware of the external audit because it is one that we contracted for, but other times the audited unit is the first to be notified, such as with audits by granting agencies.

Each year the Office of Audit and Compliance Services begins this process by performing an enterprise-wide risk assessment.  This assessment includes gathering input from a variety of sources including senior management, our knowledge of internal audit results and emerging industry risks, the external auditors and the Board of Regents.  We strive to direct our audit resources to the areas and processes determined to be high risk.  Our goal is to evaluate and recommend improvements to assist senior administration with managing the risk within these areas and processes.

Audit and Compliance Services schedules audit and compliance projects according to its annual plan, which is reviewed by the President, Chancellors, Vice Chancellors, Vice Presidents and the Chief Information Technology Officer.  The plan is presented to the Board of Regents Audit Committee for their feedback and approval each year.

The Board of Regents, as well as senior management, can also recommend areas to be reviewed as these needs arise throughout the year.

See Annual Risk Assessments and  Audit Plan Development for more information.

Management may contact the director via telephone or email the request  to Audit and Compliance Services. If it’s a brief question requiring no more than a few hours of research for us to respond, we can almost always work it in quickly.  If the request is of a more complicated nature and planned to require more than a few hours, the director will determine how we can coordinate existing audit plan commitments while also accommodating your request.

The length of each audit will depend on the nature and scope of the review. Small audits might be completed within 20 hours while more complex reviews can last several months. The lead auditor will communicate the expected timeline and milestones with you during the entrance meeting and periodically throughout the audit and reporting process.

The length of a consulting engagement will also vary accordingly. This is especially true with system development projects where an auditor participates on the steering committee and prepares periodic feedback that consists of risks identified and potential mitigation strategies. Since system development projects can be lengthy, the auditor might be working on this type of engagement for a year or longer.

Not for internal audits that are on our annual audit plan.  You will be contacted during the planning stage for the audit so that we can gather your input on risks that are relevant to the audit and schedule fieldwork. The exception to this would be surprise cash counts of petty cash or change funds. If this happens, please verify the auditor’s legitimacy by viewing their photo identification and University business card. If there are any doubts, contact the Audit and Compliance Services at 907-450-8094.

Once an audit has been scheduled, the audited unit can prepare by organizing some information pertinent to their unit. Some standard information that we will request include:  current organization chart with staff names and positions, contact information for the key audit contacts, chart of accounts, written procedures and other authoritative guidance, reports or other resulting documentation from prior reviews and the most results from the unit’s most recent risk assessment.

There are three kinds of audit reports:
Draft report: The audited unit is requested to respond with comments on the accuracy, tone and reasonableness of the report. There are generally 10 business days provided for review and comments.

Preliminary report: The audited unit is requested to submit their formal response (through the appropriate MAU channels) clearly stating their agreement or disagreement with each recommendation AND with an action plan and implementation date for each recommendation.

Final report: The audited unit is responsible for implementing the action plans as stated in their formal response to the audit. They are also responsible for cooperating with the auditors during follow-up activities.

Adequate internal controls safeguard or make more efficient and effective use of University assets. They are good business practices that assist you in achieving your departmental goals and objectives and the University’s mission. Good internal controls are cost effective, timely and flexible. They are best placed where they are most effective and identify both the problem and the cause. If you do not have a preventive control, evaluate the process to determine if you have a mitigating control such as an after-the-fact review or other detective control that is performed on a regular basis.  See Internal Controls for more information.

Senior management is responsible for developing a system of internal controls. Audit and Compliance Services is responsible for assessing and reporting on the effectiveness of the controls implemented by senior management.

Each employee has an important role in risk identification and management of risk.  This is a critical concept because risks can either help to achieve or reduce the ability to achieve the University’s goals and objectives.  Therefore, all employees should be concerned about maintaining good internal controls because they reduce and mitigate negative risks to an acceptable level.

Negative business risks are those circumstances, events or activities that can adversely affect the achievement of the University's objectives. Some examples include: misappropriation or unauthorized use of funds or assets, receipt of substandard or excess supplies, purchases made from suppliers related to buyers, system-wide IT disruptions, or negative publicity from confidentiality breaches.

Positive business risks are similar but they have a favorable affect on the achievement of the University’s objectives.  Some examples include:

  • A higher increase in student enrollment than expected
  • Receipt of a grant that requires a change to administrative infrastructure
  • Implementation of a new software system

The Board of Regents Audit and Finance Committee evaluates Audit and Compliance Services’ performance and receives regular reports on the progress and results of our plan. Every five years (minimum) we complete a self-assessment that is followed by an external validation, similar to a peer review, where we are reviewed against the standards promulgated by the Institute of Internal Auditors International Professional Practices Framework (IIA IPPF). These results are reported to the Board of Regents Audit and Finance Committee and reviewed with them at their next meeting. This is commonly referred to as our quality assurance review and remediation process and is a major component of our quality assurance and improvement plan.

The auditor will prepare an exit meeting document that describes each observation in a five-part format: issue, criterion, effect, cause and recommendation. The exit meeting is held with the audited unit to review the exit document. We seek the audited unit’s agreement or disagreement to each recommendation and are willing to work with the audited unit on revisions to the recommendations if they are congruent with mitigating the identified risk. The draft report is then issued to the audited unit for their review and comment on the report’s accuracy, tone and reasonableness of recommendations. There should not be any surprises at this point since the content has simply a formalization of the exit meeting document, taking into account the audited unit’s input. See Audit Reporting for more information on the reporting process.

All final audit reports are distributed to the relevant administrators of the area audited, the Vice Chancellor for Administrative Services, Chancellor, General Counsel, Vice President (as relevant to the audit topic), President, and the Board of Regents Audit and Finance Committee. The final audit report includes the formal response submitted by the Chancellor or Vice President. Final reports are discussed with the Board of Regents Audit and Finance Committee at their next regularly scheduled meeting. See Audit Reporting for more information on the reporting process.

We have an obligation to the University management, Board of Regents and the professional practice of internal auditing to report progress on implement of recommendations. We aim to schedule these to activities to occur shortly after the implementation deadline for each action plan provided by executive management in the formal response to the audit. On occasion we need to wait for a longer duration of time to pass so that there is sufficient data or transactions to test. There are two objectives for follow-up auditing:

  • Verify that the action plan was implemented as stated in the formal response.
  • Verify that the action plan is operating as intended, meaning that has the intended effect of mitigating the identified risk.

Internal auditors have access to all records and assets of the University, and we understand we have an obligation to maintain the confidentiality of that information. Each internal auditor receives specific instruction on confidentiality requirements.

We have a professional responsibility per Standard 1220 of the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing to “exercise due professional care in performing audit work to the degree that fraud may be present in activities covered in the normal course of audit work.” Auditors remain alert for potential fraud risks during the course of our audit activities. However, it is management’s responsibility to identify areas of risk and potential fraud opportunities and take proper action

If you suspect fraud, waste, abuse or unethical activities, you may report the information to any of the following:

Your direct supervisor

Anyone in your chain of command

A law enforcement official of the University

Labor Relations            

Office of General Counsel

System Office of Risk Services or University Risk Management

Audit and Compliance Services (see contact information below)

Chief Audit Executive:  907-450-8094

Departmental email address:

Departments are responsible for retaining and disposing of University records in accordance with their retention periods. All records and copies of records made or received in the conduct of university business, regardless of physical form, are considered public records for purposes of retention and disposition. Departments are responsible for securely maintaining the records for the retention period indicated on the retention schedule.

If an audit, legal action, or public records request is in progress, do not dispose of related records even if disposition is authorized by the retention schedule; if in doubt, contact the System Office of Records and Information Management or the System Office of General Counsel. Special care must be taken with the maintenance and disposition of confidential records. If you have records that are not on the retention schedule, contact the System Office of Records and Information Management.

It can often be difficult for small departments to properly segregate specific functions that they perform. For example, if a department has one employee to perform cash receipt functions and accounts receivable processes, it can be a challenge to ensure proper controls exist over these procedures. In situations such as these, management oversight and mitigating controls becomes even more important.

Managerial oversight is a strong control in any system. However, in small departments, management will be required to provide a greater level of oversight than in the larger, well-segregated departments. Management should review all payroll records, receipts, and thoroughly review monthly financial reports and reconciliations. We would also recommend management indicates their review with dated signature.  See internal controls for more information.

Yes. All employees of Audit and Compliance Services are UA employees.

Yes. The University engages an external auditor to perform the annual financial statement audit and the federally mandated Single Audit (also known as the Uniform Guidance or Compliance Audit). In addition, the State of Alaska Division of Legislative Audit performs audits of units and processes at the University. On occasion, auditors from federal (or state) agencies may be on campus reviewing sponsored programs or research activities.

Any auditor working on campus should be able to appropriately identify themselves. Our suggestion is not to provide any documentation, records, or access to assets until the individual provides proper identification. No auditor should be offended by such a request.

The Audit and Finance Committee consists of five regents from the Board of Regents, plus the board Chair.  The primary function, as stated in the Bylaws of the Board of Regents, is to assist the board in fulfilling its oversight responsibilities relating to: the university's financial statements, systems of internal control, compliance with legal and regulatory requirements, and the independence and performance of the external and internal audit functions

The chief audit executive reports functionally to the Audit and Finance Committee Chair to facilitate independence of the audit function.  The Committee provides oversight of internal and external audits, makes recommendations to the full board for the selection of external auditors, and reviews the findings of external and internal audits.  The Committee also reviews and approves the annual audit plan from Audit and Compilance Services, as well as any significant proposed changes to the plan throughout the year.