The first time that many clients are aware of an impending engagement is when they receive a memo from the audit director informing them that the auditor in charge will contact them to schedule an opening meeting. This introduction to the engagement may leave the client wondering, "Why me?" or "What did I do wrong?" These questions are often followed by confusion about the engagement process and how to prepare for the review. Some clients are even unsure what an internal auditor does and what role the internal audit department plays in the organization.
For the engagement process to be successful, it is important that the audit client understands its role in the review and is familiar with the internal audit function at East Carolina University.
When most people think of auditing the first thing that comes to mind is financial auditing. While this is an important aspect of auditing, it is only one small facet. The Institute of Internal Auditors defines internal auditing as "an independent, objective assurance and consulting activity designed to add value and improve an organization's operations". It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit at East Carolina University follows the professional standards that have been established by the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), and the Association of Certified Fraud Examiners (ACFE).
Every five years, the Office of Internal Audit undergoes an external quality assessment to measure its compliance with IIA standards. The office received the highest possible rating from the external review teams during our 2016, 2011, and 2006 assessments.
The IIA serves over 70,000 members and provides the internal auditing profession with standards, guidance, and information on internal auditing best practices. ISACA has over 23,000 members and is recognized as a global leader in IT governance, control, and assurance. The ACFE has over 25,000 members and provides guidance on the detection and prevention of fraud. Each of these organizations has a Code of Ethics, which has been adopted by Internal Audit. One of the standards requires that the purpose, authority, and responsibility of the internal audit function be defined in a charter.
East Carolina University is required by NCGS §143-746 to maintain an internal audit function. In accordance with the East Carolina University Internal Audit charter, Internal Audit operates as an independent appraisal function within East Carolina University and reports functionally to the Audit Committee of the ECU Board of Trustees and administratively to the Chancellor.
The primary purpose of Internal Audit is to function as a service unit to assist all levels of management in the effective discharge of their responsibilities. Through consulting and performing independent audits, reviews, and investigations, the office seeks to provide reasonable assurance to management that effective stewardship is maintained over the University's resources. Internal Audit also serves as a liaison between management and all external auditors.
In general, the objectives of Internal Audit are to:
Internal Audit develops an annual audit plan that is reviewed and approved by the Audit Committee of the ECU Board of Trustees and the Chancellor. This plan identifies the engagement projects to be conducted during the upcoming fiscal year; however, it can be amended to include requested reviews, special projects, or changes in priority.
Not all reviews are selected in the same way. An area can be selected for a review if:
Selection based on assessment of risk: The most common method of selecting an area for an engagement is through the application of a risk assessment. Several factors that are considered in the assessment are:
When this model is applied, areas are ranked according to their risk. Areas with the greatest risk become priority engagements, which fall into one of three types: compliance, operational, or information systems.
Cyclical engagements: Some engagements are performed on a regular basis. Examples are: petty cash reviews, inventory counts, security reviews, and disaster recovery testing.
Investigative engagements: These engagements are normally prompted by a request from management or by an anonymous tip, and they focus on alleged irregular conduct. Reasons for investigative engagements include internal theft, misuse of State property, and conflicts of interest.
Requests from management: Management requests these engagements through the Office of Internal Audit. The scope of the engagement depends on the request.
The scope of the engagement and/or review is determined from one or more of the following:
Sometimes discoveries or events that occur during a project can change the scope of an engagement. If this should happen, the client is notified if the scope changes significantly.
Engagements and reviews vary in length. The amount of time required depends on the objectives of the engagement, the cooperation and availability of the client, and the complexity of the operation. An internal control review may take one to two weeks, while a broad-based engagement may take months. A positive working relationship between the client and the auditors is an important factor in the accuracy of information gathered and the timely completion of the engagement.
1 - The engagement or review is announced through an engagement letter.
Internal Audit notifies the client in writing when their area is selected for an audit. An engagement letter is sent to the client that describes the general objectives of the engagement, the auditor in charge, the projected time frame of the engagement, and information the auditor may need the client to supply.
2 - An entrance conference is scheduled.
An entrance conference is scheduled by the auditor in charge with the client to discuss the purpose, scope, and process of the engagement. The director and auditor in charge attend the entrance conference along with personnel deemed appropriate by the client. Clients are encouraged to present any questions or concerns they have about the engagement. Clients are also given the opportunity to request that a specific function or area of their office be examined during the engagement or in future work.
3 - A preliminary survey is performed.
During this portion of the engagement, the auditor will gain an understanding of the client's operation or area being reviewed. The auditor may request written policies and procedures, organizational charts, job descriptions, and other information in order to become familiar with the client's operation. Internal controls may be reviewed and documented during this portion of the engagement through an internal control questionnaire.
4 - Fieldwork is conducted.
This phase of the engagement includes testing the internal controls and performing other procedures necessary to accomplish the objectives of the engagement. The auditor will follow a work program when conducting this phase of the engagement. A work program lists the control objectives of the engagement and the necessary steps an auditor must follow to collect and analyze the data.
This phase of the engagement is the most time-consuming part of the review for the client because personnel will need to be available to answer questions and provide information. Internal Audit realizes the value of each person's time and tries to arrange meetings in advance and work around scheduling conflicts when possible.
During this phase of the engagement, the auditor will strive to maintain open communication with the client so that the client is kept abreast of initial observations and there are no surprises once the final report is issued.
5 - A draft report is prepared.
After the fieldwork is completed, the auditor prepares a draft report, which includes the background of the area being audited, the audit purpose, objectives, scope, methodology, reportable conditions, and recommendations. The draft report, along with any non-reportable conditions, is sent to the client via email for review before the exit conference.
6 - An exit conference is scheduled.
An exit conference is scheduled by the auditor in charge with the client to discuss the draft audit report. The CAO or Associate Director and the auditor in charge attend the exit conference along with client personnel. The conference is an opportunity to discuss the observations and clarify any ambiguities. Non-reportable conditions will also be discussed during the exit conference.
7 - The client submits their responses to the audit findings and recommendations.
After the exit conference, any changes deemed necessary are made to the draft report and submitted to the client via email. The client is normally given one to two weeks to respond to the draft report. The client includes a response to each of the observations and recommendations and sends the report to the auditor in charge via email. If circumstances arise that prohibit the client from responding to the report in the allotted time frame, the client should contact the auditor to request more time.
8 - The final report is issued.
A final report is issued after the auditor in charge receives the draft report with the client's responses. The final report is distributed to the client, senior-level management, ECU Board of Trustees Audit Committee, and the Chancellor.
9 - A follow-up review is conducted.
A follow-up review is performed shortly after the final report is issued to verify the resolution of the observations. The review concludes with a follow-up report, which lists the actions taken by the client to resolve the original observations. A discussion draft of the report is circulated to the client before the report is issued. The follow-up report is circulated to the original report recipients and to other University officials as deemed appropriate.