Issued: April 14, 1992
Owner: Director of Audits
This policy describes the general purpose and functions of the Audit Department.
2.0 Policy
It is the policy of the University to establish and support the Audit Department for the purpose of assisting management in the effective discharge of its responsibilities for the control of University resources. The mission and objectives of the Audit Department are as follows:
- The Audit Department will perform financial audits for the purpose of ensuring that:
  - Cash, accounts receivable, and other assets of the University are promptly and completely recorded, accounted for, authorized and adequately safeguarded against loss and misappropriation.
  - Liabilities of the University have been properly incurred and are properly recorded and discharged.

  Such audits directed to financial accountability will include a review of all records, source data, fiscal procedures, and control.
- The Audit Department will perform operational audits for the purpose of ensuring that University operations are conducted efficiently and in accordance with appropriate and adequately documented policies, plans, and procedures. Operational audits will encompass a review of the policies, plans, procedures, organizational structure, staffing, and output of the audited unit.
- The Audit Department will provide senior management with an independent, fair and objective appraisal of the effectiveness of the University's financial accountability systems and operational performance in accordance with the priorities established by the Director of Audits and approved by the President and the Audit Committee of the Board of Visitors.
- The Audit Department will provide management with constructive criticism and positive recommendations designed to strengthen and improve performance results and cost effectiveness of their operations.
The following policies identify the responsibilities of the Audit Department and provide guidelines for its interaction with all University departments and activities.
2.2 Organizational Responsibilities
The Director of Audits reports to the President and to the Audit Committee of the Board of Visitors. The Director is responsible for establishing an effective internal audit program and for ensuring that the results of examinations and actions taken are communicated to the appropriate levels of University management.
The Director of Audits is responsible for drafting an annual audit schedule and a five-year audit plan based on a risk analysis of all University departments and activities. The schedule and plan will be submitted to the President and the Audit Committee of the Board of Visitors for review and approval.
The Audit Department will give full consideration to scheduling special audit requests made by any department or activity. All requests should be in writing to the Director of Audits and state the purpose and scope of the audit.
All internal audit activities are to be conducted in compliance with University policies and procedures as well as the Code of Ethics and the Standards for the Professional Practice of Internal Auditing which are promulgated by the Institute of Internal Auditors, Inc.
The Audit Department will be organizationally and functionally independent from all University operations and will have no responsibility for the departments and activities being audited while being responsive to their needs and requirements.
Because the Audit Department must be independent in carrying out its responsibility to monitor and evaluate control procedures instituted by management, the extent of audit work to be performed with respect to those procedures is limited to the assessment of such procedures.
The Audit Department normally performs tests of transactions and reviews the supporting documentation for transactions. Accordingly, objectivity would be lost if the Audit Department participated in or was responsible for initiating or recording transactions.
2.4 Authorities and Limitations
Audit Department personnel will have complete, free, and unrestricted access to all University departments, activities, records, properties, and personnel, and are not to be restricted in their activities. Where appropriate, special arrangements will be made for the examination of confidential information.
2.5 System Planning and Development
The Audit Department will participate in the planning, development, implementation, and modification of major computer-based and manual systems to ensure that:
- Adequate controls are incorporated into the system,
- Thorough system testing is performed at appropriate stages,
- System documentation is complete and accurate, and
- The resultant system is a complete and accurate implementation of the system specifications.
The Audit Department will conduct post-installation evaluations of major data processing systems to ensure that these systems meet the intended purpose and objectives. The Department will also review computer operations supporting such systems to ensure that generally accepted standards for systems integrity and security, as well as system-specific controls, are being observed.
2.6 Security Investigations
The Audit Department, University Police Department, and the Office of Risk Management are to be notified if assets have been lost through misappropriation or other security breaches. The Audit Department will perform sufficient tests and investigations to identify the weaknesses in procedures which permitted the misappropriation to occur. However, the investigation of the specific event with the objective of recovery and/or prosecution is the responsibility of the University Police Department, with the decision to prosecute being the responsibility of the appropriate Commonwealth's Attorney.
2.7 Coordination with External Auditing Agencies
The Director of Audits will coordinate the Department's audit efforts with the Auditor of Public Accounts or other external auditors by participating in the planning and definition of the scope of proposed audits so the work of all auditing groups is complementary, and their combined efforts provide comprehensive, cost effective audit coverage for the University. Duplication of work will be avoided as much as possible.
At the conclusion of each audit, a formal report or memorandum will be issued which will present a concise, clear, and factual review of the conditions found, followed by recommendations for improvement.
Prior to the issuance of a formal report, a draft report will be provided to the department or activity along with an opportunity for an exit conference. The exit conference will be a review of all findings, conclusions, and recommendations.
A response to the audit report shall be issued to the Director of Audits within 30 days, responding to each finding and recommendation. This response will include the department's or activity's plan for implementing the recommendations or, if the recommendations cannot be implemented, alternate solutions for the issue. If a decision is made not to implement a recommendation, the justification for this decision will be provided to the Audit Department.
For major projects, a follow-up review will be made by the Audit Department to establish that recommendations which were agreed upon have been adopted. A memorandum will be issued on the follow-up review to the President and the Vice President responsible for that area.
2.9 Distribution of Reports
Audit reports will be issued to the Vice President responsible for the department or activity involved. In addition, copies of all such reports will be distributed to the President and the senior administrator responsible for the department or activity audited. The Executive Vice President and Chief Operating Officer will receive copies of all reports containing issues which could potentially affect the University's financial statements.
All audit reports and accompanying management responses will be provided to the Audit Committee of the Board of Visitors for review.
A summary of significant audit findings will be prepared for each Board meeting and submitted to the Audit Committee of the Board of Visitors, the President, and other appropriate members of University management.
3.0 Definitions
For this policy, "University" is defined as all University divisions, departments and activities as well as all Health Science Center Operations.
4.0 References
5.0 Approvals and Revisions