Governmental audits include audits performed under the Single Audit Act Amendments of 1996 and OMB Circular A-133, Audits of States, Local Governments and Non-Profit Organizations, program specific audits as defined under OMB Circular A-133, and other compliance audits and attestation engagements performed as required by federal, state, or local laws. Yet, an internal audit is only as good as the continuing training and skills improvement that is given to the employee who will perform these assessments. Internal audit training will ensure that the employee will give an unbiased perspective when documenting problems and perform thoroughly assessments by providing information that can be used. Governmental audits include audits performed under the Single Audit Act Amendments of 1996 and OMB Circular A-133, Audits of States, Local Governments and Non-Profit Organizations, program specific audits as defined under OMB Circular A-133, and other compliance audits and attestation engagements performed as required by federal, state, or local laws.
Policy 1001
1.1 The Office of Internal Audits serves as an independent control and appraisal activity. A primary mission of the office is the review and evaluation of all institutional operations of the University. This includes an evaluation of internal control with recommendations for improvements of controls. Also included is audit coverage through Information Systems audits of computer applications and administrative systems.
1.2 In accomplishing the mission of the office, the Chief Audit Officer is authorized full, free and unrestricted access to all University functions, property, personnel and records maintained by all units of the University. Such access shall be with or without prior notice to or specific approval by any level of management, depending on the nature and sensitivity of the audit. The Chief Audit Officer will exercise appropriate professional judgment in the use of this authority.
1.3 The Chief Audit Officer reports administratively to the Chancellor of the University and functionally to the Board of Trustees of the Audit Committee. This reporting relationship ensures the independence of the office, promotes comprehensive audit coverage, and assures adequate consideration of audit recommendations. The Office of Internal Audits serves as a constructive link between the Office of the Chancellor and all operational and administrative levels of the University.
1.4 The Chief Audit Officer determines the audit coverage and schedule based on the risk analysis of the operational areas of the University and available personnel to perform the audits. He may also receive advice and counsel from the North Carolina State Auditor as to areas that should be reviewed before the annual State audit. As the need arises, the Chief Audit Officer may adjust the schedule in order to perform special audits/reviews as requested by senior administrators of the University.
2.1 This policy applies to all departments and offices of Appalachian State University.
4.1.1 The Office of Internal Audits adheres to the Standards for the Professional Practice of Internal Auditing of The Institute of Internal Auditors. The Standards are mandatory requirements consisting of:
4.2.1 The Chief Audit Officer maintains a schedule of audits to be performed during the fiscal year. The schedule is developed by the Chief Audit Officer, discussed and approved by the Audit Committee, and is based on risk analysis.
4.2.2 As the need arises, the Chief Audit Officer may adjust the schedule in order to perform special audits and reviews of other operational areas as requested by senior administrators of the University. Occasional special investigations of a confidential nature are also done at the request of appropriate senior administrators, management, or the North Carolina Office of State Auditor.
4.2.3 A request for an internal audit or a review of a University activity is made by memorandum and addressed to the Chief Audit Officer. The request should state the particular coverage desired and any pertinent related facts. The request will be followed up by an individual conference with all parties concerned with the request.
4.3.1 The principal product of an audit is the final report in which the auditor expresses an opinion, presents the audit findings, and discusses recommendations for improvement. To facilitate communication and ensure that the recommendations presented in the final report are practical, the auditor should discuss the rough draft with the department under review prior to issuing the final report.
To ensure that consistent practices and procedures are followed regarding the correction of audit deficiencies, the following policies are applicable:
4.4.1.1 The internal auditor-in-charge is responsible for scheduling the exit conference before the Chief Audit Officer issues the final audit report. The goal is to have knowledgeable and accountable audit, client, supervisory, and management personnel at the meeting who can make decisions and implement agreed improvements. The Chief Audit Officer of Internal Audits and the auditor-in-charge as well as any staff auditors the Chief Audit Officer deems necessary should also attend the exit conference. The purpose of the exit conference is to inform management of the audit results and the report process, reach final agreement on findings, and finalize planned improvement actions. Management can also provide an update on any actions already taken.
4.4.2.1 A formal written reply to all audit findings mentioned in the audit report should be addressed to the Chief Audit Officer. The written reply to the audit report is due within fifteen (15) days of the date of the audit conference.
4.4.2.2 The reply should consist of the action taken to correct each audit finding. Where applicable, it should also give attention to changes in operating procedures that would alleviate the problem in the future.
4.4.2.3 If it is felt that the reply to the audit letter is unsatisfactory in corrective action, it will be resolved through consultation of all parties concerned. This process also may include a determination that senior management and/or the board have assumed the risk of not taking corrective action on reported observations.
4.4.2.4 The Chief Audit Officer will review the audit report and the audit response with the Chancellor and the Board of Trustees Audit Committee.