Frequently Asked Questions
Q: What is internal auditing?
A: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” (The Statement of Responsibilities of Internal Auditing issued by the Institute of Internal Auditing, 1999. www.theiia.org)
Q: What is internal control?
A: Internal control is broadly defined as a process effected by an entity’s board of trustees, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
Q: Who is responsible for internal controls?
A: Evaluating internal controls is one of the Compliance and Audit Office’s primary responsibilities. However, everyone plays a part in the internal control system. Employees need to be aware of the concept and purpose of internal controls. It is management's responsibility to ensure that controls are in place. The administrator may delegate some of the related duties but cannot delegate accountability.
Q: Why are good internal controls important?
A: Good internal controls are essential to assuring the accomplishment of goals and objectives. They provide reliable financial reporting for management decisions. They ensure compliance with applicable laws and regulations to avoid the risk of public scandals. Poor or excessive internal controls reduce productivity, increase the complexity of processing transactions, increase the time required to process transactions and add no value to the activities.
Good internal controls help ensure efficient and effective operations that accomplish the goals of the unit and still protect employees and assets. Internal controls should be proactive, value-added and cost effective.
Q: What are the components of internal control?
A: Internal control consists of five interrelated components derived from basic college operations and administrative processes as follows:
- Control Environment – The core of any educational institution is its people. They are the engine that drives the organization. Their individual attributes (integrity, ethical values and competence) and the environment in which they operate determine the success of the institution.
- Risk Assessment – Colleges must be aware of and deal with the risks they face. They must set objectives that integrate key activities so the total organization operates in concert. They also must establish mechanisms to identify, analyze and manage the related risks.
- Control Activities – Control policies and procedures must be established and executed to help ensure that actions necessary to achieve the institution’s objectives are effectively carried out.
- Information and communication system – The purpose of the information and communication system is to help ensure that employees are aware of the unit's goals and objectives, how they are to be accomplished, and who is responsible for the specific tasks to accomplish them. An effective information and communication system enables the organization to capture and exchange the information needed to conduct, manage, and control its operations.
- Monitoring – The entire process must be monitored and modified as necessary. Thus, the system can react dynamically to changing conditions.
Q: What about independence and objectivity?
A: Independence and objectivity are essential to the effectiveness of internal auditing. Audits are performed using impartial and unbiased judgments. Internal auditors maintain an objective mental attitude when performing audits. Internal Audit is highly conscious that independence is vital to preserve the standards of the profession. Accordingly, Internal Audit does not make college operating or financial decisions.
Q: What does an Internal Auditor do?
A: The primary responsibility of the internal auditor is to evaluate and promote the system of internal controls established at the College. This is accomplished by a variety of means, including planned audits (i.e. assurance services), internal control reviews, advisory services (i.e. consulting engagements) and staff training. Specifically, the internal auditor identifies actual and potential problems and recommends corrective courses of action, in accordance with professional internal auditing standards. In addition, the internal auditor performs special projects as requested by the President’s Cabinet.
Q: How long will an audit take?
A: An audit can take from a few days to several months, depending on the nature, complexity and condition of the area under review.
Q: What’s in it for me?
A: There are many benefits to having an internal audit review of an area. Sometimes, it is difficult to find the time to stand back and thoroughly review one’s own systems or practices. The audit will provide a chance to have an objective review of your area. If you have recently assumed new or additional supervisory responsibilities, an audit can review administrative procedures to assess whether internal controls in a particular area are adequate. An audit is also beneficial in assessing system controls and modifications to office procedures resulting from the installation of new computer systems.
A periodic “checkup” to review a unit’s administrative activity can help ensure that procedures continue to comply with college policies and procedures. An audit is an opportunity to receive an independent appraisal of the effectiveness and efficiency of your unit’s administrative activities.
Q: What are the different types of audits?
- Operational Audits - Operational audits examine the use of unit resources to evaluate whether those resources are being used in the most efficient and effective ways to fulfill the unit’s mission and objectives. An operational audit can include elements of a compliance audit, a financial audit, and an IT audit. Operational audits are the most common type of audit. Operating procedures, document flow, and internal controls are reviewed in detail.
- Compliance Audits - Compliance audits assess the degree to which the area has adhered to laws, rules, regulations, policies and procedures. Audit recommendations typically address the need for improvements in procedures and controls intended to ensure compliance with applicable regulations.
- Financial Audits - Financial audits address issues related to the proper accounting and reporting of financial transactions, including authorizations, cash receipts, cash disbursements, and commitments to purchase.
- Investigative Audits - Investigative audits focus on alleged civil or criminal violations of state or federal laws or violations of college policies and procedures that may result in prosecution or disciplinary action. Investigative audits are performed when required and are the result of alleged acts of fraud or other misconduct. Alleged white-collar crime, misuse of college assets, and conflicts of interest are examples of reasons for an investigative audit. Typically, Internal Audit works with other parties, both internal and external to the College. Usually, the focus of Internal Audit’s review is on internal controls, with the goal of determining whether or not internal controls were compromised.
- Information Systems Audits - Information systems audits address the internal control environment of automated information processing systems and how people use those systems. These audits typically focus on general controls, focusing primarily on input controls, output controls, processing controls, backup and recovery plans, data security, and hardware security.
Q: How is the Annual Audit Plan prepared?
A: The internal auditor takes many factors into consideration when selecting a department or function to be included in the Annual Audit Plan. Assessments of potential risk or exposure to loss of college assets are considered. The internal audit office also responds to requests from the President’s Cabinet.
Q: What should I do if I learn of a fraud at the College?
A: Employees are required to adhere to College Policy and Procedures 4.04 - Employment Requirements. The policy requires any employee who receives any information or evidence of an attempted arson, an actual act of arson on, damage of, theft from, theft of, embezzlement from, embezzlement of, or misuse of, any state owned personal property, building or other real property, to report such to the immediate supervisor and file a report with CPCC Security as soon as possible, but not later than three days from receipt of the information or evidence. The supervisor shall, in turn, report such information or evidence to the Executive Vice President. Within ten days from receipt of this information, it must be reported in writing to the Director of the State Bureau of Investigation.