Annual Report. NC STATE UNIVERSITY INTERNAL AUDIT DIVISION FISCAL YEAR (Data as of June 26, 2012)

Transcription

1 Photo by Roger Winstead Annual Report NC STATE UNIVERSITY INTERNAL AUDIT DIVISION FISCAL YEAR (Data as of June 26, 2012) Annual Report Highlights: Mission... 2 Significant Accomplishments Audit & Consulting Engagements Additional Audit Activities... 6 Vision for the Future... 7

2 Mission Tradition + Transition Our mission in the Internal Audit Division (IAD) is to support the University in the successful achievement of its strategic goals. This is accomplished by serving as an independent partner to University leadership, faculty, and staff in the identification and balancing of their units risks through objective, flexible, and proactive audit and consultation services. We provide independent evaluation of the effectiveness of risk management, control, and governance processes and makes recommendations for improvement. Significant Accomplishments Successfully implemented 3 of 5 major modules of the TeamMate audit management software, thus, we have improved the following processes: audit and resource management, issue monitoring and follow-up, scheduling, and reporting. As a result, we are more equipped to measure and track utilization of audit resources, identify major efficiencies and process enhancements, increase consistency of documentation, automated many previously manual processes, and ensure compliance with international auditing standards. In addition, we are moving toward a paperless audit process, thus contributing to the campus s overall sustainability initiatives. Completed a comprehensive, impactful audit of non-instructional summer salary that resulted in University administration revising or repealing University regulations and developing the first comprehensive Standard Operating Procedure for non-instructional summer salary, as well as the developing other tools, which specifically address noninstructional summer salary at the University. The development of this comprehensive guidance for non-instructional summer salary decreases the University s risk of noncompliance with external funding agency requirements and increases consistency and efficiency across campus. Implemented a new software tool to extend auditing and analytical capabilities and further enhance the team s ability to perform in-depth automated testing and analysis of critical data. Implemented IDEA: "a powerful and user-friendly tool designed to help accounting and financial professionals extend their auditing and analytical capabilities, detect fraud and meet documentation standards. It allows you to quickly import, join, analyze, sample and extract data from almost any source, including reports printed to a file" (from software vendor website: 2

3 Significant Accomplishments (cont d.) Ensured maximum benefit of IDEA tool through targeted utilization, training, and exploration of potential future benefits. Enabled deep incorporation of tool into staff s work approaches and methodologies thereby increasing efficiency and thoroughness of audit work. IDEA was used in almost all major audits to increase efficiency in analyzing large amounts of data records and transactions to identify potential policy or compliance violations. Continued improvements to the Internal Audit website, with a goal of providing information and tools to campus constituents to assist them in identifying and balancing risks. Specific enhancements included: The addition of IT self-assessment tools which allow campus to review their IT environment, identify strengths and weaknesses, and pro-actively implement corrective actions to strengthen their environments Expanding Internal Audit Tips in order to provide real-time recommendations and resources to campus concerning emerging risks and to educate the campus community on commonly seen audit issues Staff and management attended targeted training outside their traditional areas of expertise in order to create a more integrated mix of audit skills across the Division. This allowed for more flexibility in assigning audit engagements to both managers and staff. Operational staff attended the Association of College and University Auditor s (ACUA) conference and focused exclusively on training related to IT controls and data analytic tools; upon returning were empowered to begin utilizing their new skills to audit outside their traditional areas of expertise Cross-training activities for the audit managers included: Two audits were managed jointly by the Operational and IT audit managers which allowed for on-the-job-training for both and familiarization with the university, state, and federal regulations related to both subject areas IT Audit Manager attended the ACUA conference and focused exclusively on operational and regulatory compliance sessions Both Operational and IT Audit managers participated in risk assessment meetings with university executives and unit management across both IT and operational functional areas to enhance their knowledge of the other s subjects areas and the associated risks. 3

4 Audit & Consulting Engagements Audit engagements arise directly from our continuous risk assessment and analysis process. Each year in April, the Board of Trustees reviews and approves a new Plan for the coming fiscal year. That Plan is a snapshot in time of the current risks as of February 1 (the end of our planning year). It is subject to change as our on-going risk analysis weighs emerging areas of risk, management requests, and potential investigations received throughout the year against the audits on the approved Plan. The impact of this is that some audits on the Plan will be replaced or postponed by new audits that carry higher or more immediate risk. The result is a more responsive, comprehensive process. Audit Engagements: Chemistry Electronic Instrumentation Shop Investigation Facilities Housekeeping Investigation University Housing Warehouse and Upholstery Investigation CES Cumberland County 4-H Investigation Audit of the Financials System McKimmon Conference and Training Center Investigation College of Veterinary Medicine - Misuse of Assets Investigation Non-Instructional Summer Salary Audit (Payments Against Contract and Grant Projects) Phase 1 CES Gates and Hertford Counties Investigation CALS Rental Lease Investigation Horticulture Department - Misuse of State Assets Investigation Security Applications and Technologies Investigation Follow-ups on previously reported issues: Audit of the Friends of NC State Baseball, L.L.C. ( Rally Club ) 4

5 Audit & Consulting Engagements (Cont d) In addition to audits, we perform numerous consulting engagements each year, partnering with units to create an awareness of internal controls, reinforce the importance of compliance to Federal, State, and University requirements, and increase efficiency and effectiveness. It is our philosophy that consulting up front or immediately upon identifying a risk is more valuable, timely, and cost beneficial than conducting an after the fact audit. Consulting engagements are typically separated into two general categories: major consulting projects have a duration of several weeks to several months or more and minor consulting projects last less than one week. Consulting projects arise on an almost daily basis through a variety of sources and are added to our work load based on the resources available. Overall, the goal for our consulting engagements is to help the units, colleges, faculty, and staff effectively achieve their goals while still remaining compliant to the requirements that relate to their work. Major Consulting Engagements Examples: Business Operations Realignment Southern Association of Colleges and Schools (SACS) Accreditation Resources and Control Team Task force addressing security breach the Friday Institute Business practices review at Prague Institute Detailed review of University policies, regulations, and rules related to computer use, prohibited gifts, payment card security standards to ensure completeness and accuracy Scholarship award process review for 4-H Numerous collaborations with Employee Relations related to employee allegations Minor Consulting Engagements: IAD receives requests every week from colleges, business units, centers, institutes, and remotely located sites seeking consultative audit input on their projects, new initiatives, or for proper handling of problems encountered. We classify these as minor consulting engagements. This year we handled over 100 minor consulting engagements lasting 1 week or less. These minor activities dealt with security, financial, research, and personnel matters and resulted in recommendations related to compliance, efficiency, security and privacy, or provided general audit related information to campus. 5

6 Additional Audit Activities Everyone in IAD attends a variety of regularly scheduled state, UNC system, and University meetings or focus groups as an attendee, participant, presenter or, when not a conflict of interest, a committee member. It is common for topics addressed at these forums to relate to current, future, or potential audit or consulting work and, thus, these play a critical role in our continuous risk assessment process. IAD s participation in these gatherings often present us with the opportunity to point out, early in the process, the unexpected impact of decisions being made. In addition, these meetings allow us to educate the campus on the value we can provide, the tools and information available on our website, current trends in the issues noted across campus, and address special topics of interest to each group in an informal training environment. University Level Activities: Business Operations Realignment Information Technology Strategic Advisory Committee NCSU Research Support Council Enterprise Resource Planning Systems Business Connections HR Connections Vice Chancellor for Finance and Business Staff Meetings Research Administrators Q&A Internal Control Assessment Committee Annual Research Retreat Committee Activities: Business Operations Realignment Steering Team University Council Office of Information Technology s Identity and Access Management Teams NC State Records Retention Schedule Revision Committee Information Technology Strategic Advisory Committee UNC System Level Activities: UNC Finance Improvement and Transformation (FIT) Team UNC FIT Audit Advisory Team UNC Auditor s Association State Level Activities: NC Council of Internal Audit NC Internal Audit Alliance Professional Organization Activities: Information Systems Audit and Control Association Institute of Internal Auditors ACUA -Association of College & University Auditors UNC Auditors Association Association of Certified Fraud Examiners 6

7 Vision for the Future As always we will continue working on the engagements in-process as we transition into the new fiscal year. In keeping with our risk-based focus of work, at the beginning of the new fiscal year, as prescribed by our continuous risk assessment process, we will re-analyze the fiscal year 2013 Plan approved in April 2012 and make adjustments as necessary to ensure appropriate coverage of those high risk items in relation to our resources. Goals: With an eye to the future, IAD will continue to focus on quality improvement in our Division through the following goals: The North Carolina Internal Audit Act requires a formal external review every 5 years by a group of qualified peers in accordance with the international Institute of Internal Auditors requirements. IAD is scheduled to receive a peer review through the state s Office of Internal Audit Quality Assessment Review program in fiscal year IAD will complete the implementation of TeamMate including further audit management reporting functionality, trend reporting, and resource management and scheduling IAD will design and implementation a continuous monitoring/auditing initiative to cover common risk areas related to business transactions and automated physical security Complete implementation of internal hotline separate phone line for calls, awareness/promotion Continue integrated staffing and management initiative Increase Permanent Staff as budget allows by filling the 2 remaining vacant positions Community Service: Lastly, IAD will continue with, and research opportunities to increase, our team s volunteer activities in the local community. Each year IAD identifies and performs volunteer activities in the community in an effort to give back to those who have sacrificed for others or to provide help to others in need. This year we volunteered at Me Fine Foundation ( Activities and personal donations supported Me Fine's annual Christmas gift distribution to children being treated at Duke and UNC Children's Hospitals and their family members. 7