Policies Index Comptroller Home UVA Documents Search

Policy: I.C.1

Issued: April 14, 1992

Owner: Director of Audits

Latest Revision:

INTERNAL AUDIT


**INACTIVE POLICY**

For Current Policies:
Policy Table of Contents

 

1.0 Purpose

This policy describes the general purpose and functions of the Audit Department.

2.0 Policy [Top]

2.1 General

It is the policy of the University to establish and support the Audit Department for the purpose of assisting management in the effective discharge of its responsibilities for the control of University resources. The mission and objectives of the Audit Department are as follows:

The Audit Department will perform financial audits for the purpose of ensuring that:

The following policies identify the responsibilities of the Audit Department and provide guidelines for its interaction with all University departments and activities.


2.2 Organizational Responsibilities

The Director of Audits reports to the President and to the Audit Committee of the Board of Visitors. The Director is responsible for establishing an effective internal audit program and for ensuring that the results of examinations and actions taken are communicated to the appropriate levels of University management.

The Director of Audits is responsible for drafting an annual audit schedule and a five-year audit plan based on a risk analysis of all University departments and activities. The schedule and plan will be submitted to the President and the Audit Committee of the Board of Visitors for review and approval.

The Audit Department will give full consideration to scheduling special audit requests made by any department or activity. All requests should be in writing to the Director of Audits and state the purpose and scope of the audit.

All internal audit activities are to be conducted in compliance with University policies and procedures as well as the Code of Ethics and the Standards for the Professional Practice of Internal Auditing which are promulgated by the Institute of Internal Auditors, Inc.


2.3 Independence

The Audit Department will be organizationally and functionally independent from all University operations and will have no responsibility for the departments and activities being audited while being responsive to their needs and requirements.

Because the Audit Department must be independent in carrying out its responsibility to monitor and evaluate control procedures instituted by management, the extent of audit work to be performed with respect to those procedures is limited to the assessment of such procedures.

The Audit Department normally performs tests of transactions and reviews the supporting documentation for transactions. Accordingly, objectivity would be lost if the Audit Department participated in or was responsible for initiating or recording transactions.


2.4 Authorities and Limitations

Audit Department personnel will have complete, free, and unrestricted access to all University departments, activities, records, properties, and personnel, and are not to be restricted in their activities. Where appropriate, special arrangements will be made for the examination of confidential information.


2.5 System Planning and Development

The Audit Department will participate in the planning, development, implementation, and modification of major computer-based and manual systems to ensure that:

The Audit Department will conduct post-installation evaluations of major data processing systems to ensure that these systems meet the intended purpose and objectives. The Department will also review computer operations supporting such systems to ensure that generally accepted standards for systems integrity and security, as well as system-specific controls, are being observed.


2.6 Security Investigations

The Audit Department, University Police Department, and the Office of Risk Management are to be notified if assets have been lost through misappropriation or other security breaches. The Audit Department will perform sufficient tests and investigations to identify the weaknesses in procedures which permitted the misappropriation to occur. However, the investigation of the specific event with the objective of recovery and/or prosecution is the responsbility of the University Police Department, with the decision to prosecute being the responsibility of the appropriate Commonwealth's Attorney.


2.7 Coordination with External Auditing Agencies

The Director of Audits will coordinate the Department's audit efforts with the Auditor of Public Accounts or other external auditors by participating in the planning and definition of the scope of proposed audits so the work of all auditing groups is complementary, and their combined efforts provide comprehensive, cost effective audit coverage for the University. Duplication of work will be avoided as much as possible.


2.8 Reporting

At the conclusion of each audit, a formal report or memorandum will be issued which will present a concise, clear, and factual review of the conditions found, followed by recommendations for improvement.

Prior to the issurance of a formal report, a draft report will be provided to the department or activity along with an opportunity for an exit conference. The exit conference will be a review of all findings, conclusions, and recommendations.

A response to the audit report shall be issued to the Director of Audits within 30 days, responding to each finding and recommendation. This response will include the department's or activity's plan for implementing the recommendations or, if the recommendations cannot be implemented, alternate solutions for the issue. If a decision is made not to implement a recommendation, the justification for this decision will be provided to the Audit Department.

For major projects, a follow-up review will be made by the Audit Department to establish that recommendations which were agreed upon have been adopted. A memorandum will be issued on the follow-up review to the President and the Vice President responsible for that area.


2.9 Distribution of Reports

Audit reports will be issued to the Vice President responsible for the department or activity involved. In addition, copies of all such reports will be distributed to the President and the senior administrator responsible for the department or activity audited. The Executive Vice President and Chief Operating Officer will receive copies of all reports containing issues which could potentially affect the University's financial statements.

All audit reports and accompanying management responses will be provided to the Audit Committee of the Board of Visitors for review.

A summary of significant audit findings will be prepared for each Board meeting and submitted to the Audit Committee of the Board of Visitors, the President, and other appropriate members of University management.

3.0 Definitions [Top]

For this policy, "University" is defined as all University divisions, departments and activities as well as all Health Science Center Operations.

4.0 References [Top]

5.0 Approvals and Revisions [Top]


Maintained by University Comptroller
© 2000 by the Rector and Visitors of the University of Virginia