VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY OPERATIONAL. 1. Operating Concerns of the Assessable Unit and/or Business Process

Similar documents
Community Bankers Conference

Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining)

The most commonly applied model for designing and auditing internal

RISK BASED AUDIT WORK GROUP GUIDELINES FOR ANNUAL AUDIT PLANNING AND RESOURCE ALLOCATION FISCAL YEAR 2001

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

International Standard on Auditing (UK) 600 (Revised June 2016)

Auditing Standards and Practices Council

CAAS 104 Cost Audit and Assurance Standard on Knowledge of Business, its Processes and the Business Environment

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Internal Control Systems

Sample Audit Committee. of Auditors and Management

Loch Lomond & The Trossachs National Park Authority. Annual internal audit report Year ended 31 March 2015

Understanding Internal Controls. Federal Highway Administration New Mexico Division

Corporate Governance Update. SOX 404 and Internal Controls

ACTION Agenda Item I ANNUAL AUDIT REPORT December 6, 2002

The definition of a deficiency is also set forth in the attached Appendix I.

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

e. inadequacy or ineffectiveness of the internal audit program and other monitoring activities;

International Standard on Auditing (UK) 315 (Revised June 2016)

Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)

BOM/BSD 2/November 1994 BANK OF MAURITIUS. Guideline on Maintenance of Accounting and other Records and Internal Control Systems

Kentucky State University Office of Internal Audit

LeiningerCPA, Ltd. INTERNAL CONTROL PROCEDURE STATEMENT

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

OPERATIONAL RISK EXAMINATION TECHNIQUES

PART 6 - INTERNAL CONTROL

SRI LANKA AUDITING STANDARD 315 (REVISED)

Cost Auditing Standard Cost Auditing Standard on Knowledge of Business, its Processes and the Business Environment

(Effective for audits of financial statements for periods ending on or after December 15, 2013) CONTENTS

Implementation Tool for Auditors

Mapping of Original ISA 315 to New ISA 315 s Standards and Application Material (AM) Agenda Item 2-C

The definition of a deficiency is also set forth in the attached Appendix I.

Internal Control Questionnaire and Assessment

FEDERAL AWARD PROGRAMS INTERNAL CONTROL EVALUATION. Cross-cutting characteristics (generally applicable to all fourteen requirements)

The Audit Committee of the Supervisory Board of CB&I

AN AUDIT OF INTERNAL CONTROL THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS: GUIDANCE FOR AUDITORS OF SMALLER PUBLIC COMPANIES

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Risk-Focused Examination Process an Overview. Federal Reserve System

Chapter 06. Audit Planning, Understanding the Client, Assessing Risks, and Responding. McGraw-Hill/Irwin

International Standard on Auditing (Ireland) 315

Private Client Services Are your internal controls supporting your business strategy?*

ENGHOUSE SYSTEMS LIMITED AUDIT COMMITTEE CHARTER

Internal Audit Policy and Procedures Internal Audit Charter

Chapter 6 Field Work Standards for Performance Audits

Guide to Internal Controls

CHARTER AUDIT COMMITTEE

POLICY & PROCEDURES MEMORANDUM

Anti-Fraud Programs and Control Policy

Presented by Ed Williamson and Erica Bailey

Private Company Services. Private companies: are your internal controls supporting your business strategy?*

RREGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT FUNCTION IN MICROFINANCE INSTITUTIONS. Article 1 Scope and Purpose

Single Audit Update: Internal Control over Compliance and the GAO s Green Book. MSBO s 80 th Annual Conference April 19, 2018

29 th Regional Conference of WIRC

NRCS AUDIT AND RISK COMMITTEE TERMS OF REFERENCE

INTERNAL CONTROLS FOR NONPROFITS

computer-assisted Chapter 10 Substantive testing, audit techniques and audit programmes


CHAPTER -10 CIS AUDIT

Minneapolis Public Schools Special School District No. 1 Minneapolis, Minnesota. Communications Letter of the Student Activity Accounts.

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

AUDIT COMMITTEE CHARTER

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Internal Audit Appendix: IIA Standards

Internal Controls: Need Them, Have Them, Love Them

Audit, Risk and Compliance Committee Terms of Reference. Atlas Mara Limited. (The "COMPANY") Amendments approved by the Board on 22 March 2016

TEVA PHARMACEUTICAL INDUSTRIES LIMITED AUDIT COMMITTEE CHARTER

Planning the audit and understanding internal control

INTERNAL CONTROLS FOR NONPROFITS

SRI LANKA AUDITING STANDARD 600 SPECIAL CONSIDERATIONS AUDITS OF GROUP FINANCIAL STATEMENTS (INCLUDING THE WORK OF COMPONENT AUDITORS) CONTENTS

FRAUD RISK FACTORS CHECKLIST (Source: New AU Section 240, Appendix A)

Chapter 7 Internal Controls

[RELEASE NOS ; ; FR-77; File No. S ]

Auditing and Assurance Standards Council

INTERNAL CONTROLS FOR NONPROFITS

McGraw-Hill/Irwin. Copyright 2013 by The McGraw-Hill Companies, Inc. All rights reserved.

4. Organic documents. Please provide an English translation of the company s charter, by-laws and other organic documents.

Corporate Governance. Information Request List Family- or Founder-Owned Unlisted Companies. Commitment to Corporate Governance

ACCA Certified Accounting Technician Examination Paper T8 (SGP) Implementing Audit Procedures (Singapore)

CORPORATE GOVERNANCE STATEMENT FOR THE PERIOD ENDED 30 JUNE

GROUP 1 AUTOMOTIVE, INC. AUDIT COMMITTEE CHARTER

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

QUESTION TWO Write brief explanation notes on each of the following terms:

WELLS FARGO & COMPANY AUDIT AND EXAMINATION COMMITTEE CHARTER

Seminar Internal Control Identification and Filtering

Internal Audit Report. Post Implementation Review PeopleSoft Accounts Payable TxDOT Internal Audit Division

Audit-Risk Committee. Board Approval: August 2018

GARMIN LTD. Audit Committee Charter. (Amended and Restated as of July 25, 2014)

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

INTERNATIONAL STANDARD ON AUDITING (NEW ZEALAND) 315 (Revised)

Appendix A. Simplified Sample Entity-Level Control Matrices

ABCANN GLOBAL CORPORATION CORPORATE GOVERNANCE POLICIES AND PROCEDURES

Internal Control Vulnerability Assessment (January 2011) Unit Name. Prepared by. Title. Reviewed by. Title. Reviewer s Comments

Code of Business Conduct and Ethics

Understanding Internal Controls Office of Internal Audit

County of Sutter. Management Letter. June 30, 2012

Internal Control in Higher Education

Glasgow Caledonian University Internal Audit Annual Report for the year ended 31 July 2008

AUDIT UNDP SOUTH SUDAN GRANTS FROM THE GLOBAL FUND TO FIGHT AIDS, TUBERCULOSIS AND MALARIA. Report No.1400 Issue Date: 6 February 2015

AWE LIMITED ACN

AUDIT COMMITTEE CHARTER (updated as of August 2016)

Transcription:

ASSESSABLE UNIT: Enter name of the Assessable Unit here BUSINESS PROCESS: Enter the Business Process here BANNER INDEX CODE: Enter Banner Index Code here 1. Operating Concerns of the Assessable Unit and/or Business Process Has the activity been the subject of significant audit comments, questioned costs, regulatory findings, or management concerns, or has the activity experienced serious funding deficits, irregularities, or any other significant control concerns during the preceding two years? 1 1 High confidence in the activity, well run organization, good reputation, efficient and effective operations, sound system of internal control, recently audited with good results. 2 2 Moderate confidence, but uncertain due to the newness of the function and/or no audits performed. 3 3 Little or no confidence in the activity, subject to significant audit comments that are still unresolved, poor University reputation. 1

2. Impact of Service Delays What is the impact on the entity if services are not provided at the required service level? 1 1 Nominal if any impact. 2 2 Failure to meet required service levels will have only a minor impact on the entity's relations. Short-term delays or errors may result within the entity's internal operations. 3 3 The consequences of a failure to meet required service levels will have a serious effect on relations with the State's constituency, create serious internal problems, or affect the reputation of the entity. 2

3. Impact of Inaccurate Information What is the impact on the entity if the assessable unit generates inaccurate information? For example, will the inaccurate information have an impact on external or internal decisions affecting the entity? Will the inaccurate information result in adverse publicity for the entity? Or, will the inaccurate information affect the entity's published financial reports? 1 1 Incorrect or inaccurate information generated by the assessable unit has little or no impact on the operations of the total entity. 2 2 Incorrect or inaccurate information generated by the assessable unit has a moderate impact on the operations of the total entity. The integrity and reliability of information may be questioned. 3 3 Incorrect or inaccurate information generated by the assessable unit has a serious impact on the operations of the total entity. Information produced by the assessable unit has little integrity or reliability. 3

4. Confidentiality of Information Will the loss or disclosure of information produced by the assessable unit result in financial loss or embarrassment for the entity? 1 1 Information produced by the assessable unit is generally available to the public, the release of which would not result in any potential loss or embarrassment to the entity. 2 2 Information produced by the assessable unit is available to designated employees of the entity. Release to the public or to an unauthorized entity could result in minor financial loss or moderate embarrassment or violation of the Privacy Protection Act. 3 3 Information produced by the assessable unit requires protection against unauthorized or premature disclosure. Such disclosure could result in serious loss or embarrassment or could adversely affect: interests of individuals or businesses subject to the regulatory authority of the entity, or violation of HIPPA, FERPA. 4

5. Size of Assessable Unit Has the University invested significant resources in the assessable unit or does the assessable unit manage significant resources on behalf of the University? Resources include assets, liabilities, revenues, expenditures, and personnel. Resources may be managed either directly or indirectly. Examples of direct resource management include inventory storage facilities, cashiering operations, or treasury functions. Indirect resource management is typified by transaction processing units such as voucher processing, payroll processing, or data processing centers. "Significant" is defined in dollar terms that are specific to the entity. Therefore, measures of relative risk must be established using auditor judgement with input from management. 1 1 Resources managed by the assessable unit are less than $1 million 2 2 Resources managed by the assessable unit equal or exceed $ 1 mil, but less than $5 million. 3 3 Resources managed by the assessable unit equal or exceed $5 million. 5

6. Control Environment Is the control environment appropriate to ensure that management's objectives are achieved? Issues to be considered in assessing the control environment include: Management s philosophy and style Extent of management planning and review Measurability of objectives Adequacy of policies and procedures The assessable unit's organizational structure and degree of segregation of duties Pressure on management to meet objectives (e.g. ability to override controls) Extent of government regulation Experience level of management Human resource policies and practices Commitment to competence and quality Management s integrity and ethical values Management s receptivity to audit reports and recommendations History of errors and irregularities which includes fraud 1 1 Strong control environment. 2 2 Moderate control environment. 3 3 Weak control environment. 6

7. Complexity of Operations Are assignments or transactions managed by the assessable unit inherently complex? Do assignments or transactions require a significant amount of time or number of steps to complete? Are work tasks difficult, requiring a high degree of interpersonal coordination and/or extensive training, or technical knowledge, interpretation or application? 1 1 Unskilled assignments. 2 2 Assignments or transactions require several persons or steps, are somewhat time consuming, and require moderate training. 3 3 Assignments or transactions require several persons or steps, are very time consuming, and require extensive training, technical knowledge, interpretation or application. 7

8. Changes in Operations Have there been significant changes in the assessable unit, i.e. growth, staffing additions or turnover, regulatory requirements in the prior 18 months? 1 1 No significant changes. 2 2 Funding, staffing, and/or responsibilities have changed moderately in the past 18 months. 3 3 Funding, staffing, and/or responsibilities have changed significantly in the past 18 months. 8

9. Impact of Adverse Publicity What is the impact on the entity if errors or problems within the assessable unit receive negative publicity? For example, would funding levels be reduced? Would donors or investors be discouraged from contributing or investing? Would clients be discouraged from using the entity's services? 1 1 Minor impact on the entity. 2 2 Moderate impact but not a pressing concern. 3 3 Significant impact due to the high degree of interest emanating from political groups or constituencies. 9

10. Level of Processing Sophistication Does the process used by the assessable unit (e.g., extremely complex computer hardware and software or extensive manual operations) represent a particular risk to the entity? 1 1 Little or no process-related risk. 2 2 Moderate process-related risk. 3 3 High process-related risk. 10

11. Date / Results of Last Audit Performed by Internal Audit When was the last internal audit performed of this assessable unit? Were there many significant audit findings? 1 1 Last audit performed in the last 12 months and/or no significant audit findings 2 2 Last audit performed 13-36 months ago and/or mid-level audit findings 3 3 Last audit performed more than 36 months ago and/or significant audit findings. 11

12. Training To what extent has the assessable unit established a training program? Training programs include formal training and less formal, on-the-job training, and rotation of duties for training purposes. 1 1 A well-planned training program is effectively administered to benefit all personnel. There is evidence that the training needs of staff members are being satisfied. 2 2 The extent and nature of staff training and development are satisfactory. A conscious effort is made to provide training but the training of some staff members has been neglected. 3 3 There is evidence that management has not recognized the need for training and personnel development. 12

13. Contingency Plans Does the assessable unit have tested and documented alternative procedures to be implemented in case of emergency or abnormal conditions which restrict normal processing? 1 1 Management has developed, documented, and tested contingency plans and procedures covering short and long-term disruptions. The plans are up-to-date, comprehensive and cover personnel resources, and alternate processing facilities and equipment. 2 2 Contingency plans have been developed and tested where appropriate. Short-term disruption plans are current but long-range plans may be lacking. 3 3 No plans exist for long-term disruptions and only minimal plans exist for handling short-term disruptions. Management views contingency planning as unnecessary. An inability to continue processing in the event of abnormal conditions is almost certain. 13

14. Computer Access and File Security How extensive are the controls to prevent and detect unauthorized access to systems resources, programs, and data? 1 1 Effective computer access and file security controls are in place. 2 2 Good preventive controls are in place; detective controls are lacking (or vice versa). 3 3 Inadequate or no computer access and file security controls are in place. 14

15. Desk Procedures Are the desk procedures current and do they mirror the business process for this assessable unit? 1 1 Desk procedures are current and available, and mirror the business process for this assessable unit. 2 2 Desk procedures are not current, but the desk procedures currently followed have been communicated directly or indirectly to employees through on the-job training. 3 3 No desk procedures exist. 15

16. Job/Position Descriptions Job/Position descriptions exist, are current, and have been communicated to all employees of this assessable unit. 1 1 Job/Position descriptions exist, are current, and have been communicated to all employees of this assessable unit. 2 2 Job/Position descriptions exist, but are not are current. 3 3 No Job/Position descriptions exist. 16

17. Ethical Behavior Management has communicated its views on ethical behavior to employees and these views are documented. 1 1 Management has communicated its views on ethical behavior and these views are documented. 2 2 Management has communicated its views on ethical behavior, however these views are not documented 3 3 Management has not communicated its views on ethical behavior. 17

18. Expenditure Reporting Are actual expenditures compared to budget with reasonable (monthly) frequency and on a timely basis? 1 1 Expenditures are compared to budget with reasonable frequency and on a timely basis. 2 2 Expenditures are compared to budget only when discrepancies arise. 3 3 Expenditures are never compared to budget. 18

19. Management s Response to Audit Findings Management is receptive to comments by internal and external auditors regarding control deficiencies or suggestions for process improvement. Appropriate actions are taken and documented. 1 1 Management is very receptive to comments by internal and external auditors. 2 2 Management is somewhat receptive, but does not acknowledge that appropriate actions have been taken and documented. 3 3 Management does not respond to comments. 19

20. Communication of Changes to Objectives Changes with respect to the assessable unit s objectives and strategies are communicated timely and effectively to all affected personnel. 1 1 Always or most often. 2 2 Infrequently or as time permits. 3 3 Never or only when requested. 20

21. Accuracy and Integrity of Information Personnel responsible for the data, information, and reports in an assessable unit are required to sign off on their accuracy and integrity and are held accountable if errors are discovered. 1 1 Personnel investigate discrepancies, unusual transactions, documenting the nature of these items and then sign-off and are held accountable for the accuracy and integrity of the information. 2 2 Personnel investigate discrepancies, unusual transactions, but do not document the nature of these items and do not sign-off for the accuracy and integrity of the information. 3 3 Personnel do not investigate discrepancies and unusual transactions. 21

22. Monitoring Changes to the Business Process Evaluations of the entire internal control system (sometimes referred to as a Control Self- Assessment) for the business process are performed when there are major changes in strategy, acquisitions or dispositions, or operations and methods of processing data and information. 1 1 Internal control evaluations are performed and documented. 2 2 Internal control evaluations are performed but timing of documentation may be delayed. 3 3 Internal control evaluations are not performed or documented. 22

23. Password Management Procedures exist for password management; i.e., for password selection and change, rules against sharing passwords, password holder s accountability for its use, etc. 1 1 Procedures exist for all systems and/or processes. 2 2 Procedures exist for more significant systems or processes. 3 3 Procedures do not exist. 23

24. Security Awareness Has the assessable unit s management established a security awareness and training program to ensure that all individuals involved in the use of information technology are aware of: a)what should be protected, b)required employee actions and security responsibilities, and c)procedures to follow when a problem is discovered? 1 1 A program has been established by management and enforced. 2 2 A program has been established and is monitored or enforced infrequently. 3 3 A program has not been established by management and/or if established, not enforced or monitored. 24

25. Effectiveness of Controls Supervisory personnel with appropriate responsibilities, organizational experience, and knowledge of the organization s affairs periodically review and document the functioning and overall effectiveness of controls. 1 1 Effectiveness of controls reviewed and documented. 2 2 Never documented, but supervisory personnel are aware of overall effectiveness. 3 3 Overall effectiveness of controls never reviewed or documented. 25

26. Segregation of Duties Job responsibilities within this assessable unit and/or for this business process are appropriately segregated for control over assets and data and the processing of transactions. 1 1 Proper segregation of duties. 2 2 Moderate segregation of duties. 3 3 Poor/weak segregation of duties. 26

27. Compliance with the Virginia Public Records Act (Section 42.1-77) Personnel of this Assessable Unit and involved with this Business Process are familiar with and adhere to the Virginia Public Records Act (Section 42.1-77) which states that records in electronic format are subject to the same legal regulation as records in other formats (hardcopy items such as, but not limited to, books, papers, letters, documents, memos, spreadsheets, printouts, photographs, etc.) The electronic format could be, but not limited to, the hardcopy items stated above stored as an E-Mail, stored on a University server, on a CDROM, DVDROM, USB Flash drive, local hard drive, memory sticks, diskettes, etc. Electronic records must be managed alongside traditional hardcopy records to ensure compliance with State and Federal record retention policies. 1 1 Personnel are familiar with and adhere to the Virginia Public Records Act (Section 42.1-77). 2 2 Personnel are familiar with the Virginia Public Records Act (Section 42.1-77), but adhere to on an infrequent basis. 3 3 Personnel are not familiar with and do not adhere to the Virginia Public Records Act (Section 42.1-77). 27

The questions below are intended to assist the Internal Audit Department with assessing risk and to gain a better understanding of the business process and possible risks unique to this assessable unit. 28. List or describe the risks associated with this business process, i.e. what could go wrong if controls are not in place. Enter response here. 29. For each risk listed in #28 above, please describe how risk is managed or the control(s) in place to mitigate the risk. Enter response here. 30. What are your source(s) of funding for this assessable unit? Enter response here. 31. What are the assessable unit s goals? (Please distinguish between short-term and longterm) Enter response here. 32. What measurements are used to determine the progress towards meeting the assessable unit s goals (i.e., key performance indicators used, internal or external assessments, etc.)? Enter response here. 33. Are there any other agencies/organizations which review or monitor your area? If yes, who are they and how frequently do they visit or contact you? Enter response here. 28

34. Other Factors to Consider Please provide additional management concerns or information deemed relevant to the risk of the assessable unit. The information provided is true and objective to the best of my knowledge and ability. Completed by: Name of who completed the survey Date mm/dd/year Reviewer 1 (if applicable): Name of reviewer #1 Date mm/dd/year Reviewer 2 (if applicable): Name of reviewer #2 Date mm/dd/year Cabinet Member Approval: Name of Cabinet Member Date: mm/dd/year 29

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback