Who are internal auditors?
Why does Cornell have an internal audit function?
Where does the audit function fit in the organization?
What's the difference between external and internal auditors?
What if an external auditor contacts you?
How are units selected for audit?
What are internal auditors looking for?
What if something isn't handled correctly?
Is the Audit Office part of the Division of Financial Affairs?
Can a department request an audit?
How long does an audit take?
What if I don't have the time to deal with the auditors?
What if it's a bad time for an audit because (choose one): a) we're short-staffed b) the finance director just quit c) it's budget season d) we're crawling with students e) we're trying to close out the year.
Who will receive my audit report?
Does the Board of Trustees see what is in the audit reports?
Who audits the Audit Office?
If I call you with information about a possible irregularity, will my identity be kept a secret?

board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures."
What if I don't have the time to deal with the auditors? What if it's a bad time for an audit because (choose one): a) we're short-staffed b) the finance director just quit c) it's budget season d) we're crawling with students e) we're trying to close out the year.

During the audit opening meeting, we will discuss the audit schedule and try to accommodate time constraints that you may have. Although 200 to 600 hours looks like a lot of time, much of our work is done behind the scenes. Many people operate under the erroneous belief that in doing an audit we will spend lots of time with you and take time away from your other obligations. We may need to meet key personnel on the audit two or three times for maybe an hour at a time over the audit period. We may spend equal amounts of time, and perhaps less, with others in the department, but we will not be monopolizing anyone's time in the department, and much of our work, such as audit planning and report writing, is done in our offices.
If I call you with information about a possible irregularity, will my identity be kept a secret?

This is a hard question to answer without knowing whether or not the specific circumstance you are reporting will end up in legal action. As a general rule, we do not reveal our sources to the person being investigated, and we always try to corroborate any accusation with our own observation. If an irregularity is referred to the District Attorney for prosecution and your testimony would be critical to the outcome of the case, it may become necessary to involve you in the case. In addition, the Cornell Hotline provides for anonymous reporting of financial irregularities.
1. Notification
2. Planning
3. Opening Meeting
4. Fieldwork
5. Communication
6. Report Drafting
7. Management Response
8. Closing Meeting
9. Report Distribution
10. Follow-up
Notification

First, you will receive a letter to inform you of an upcoming audit. The auditor will send you a preliminary checklist. This is a list of documents (e.g. organization charts, financial statements) that will help the auditor learn about your unit before planning the audit.

Planning

After reviewing the information, the auditor will plan the review, conduct a risk workshop (primarily to identify key risks and raise risk awareness), draft an audit plan, and schedule an opening meeting.

Opening Meeting

The opening meeting should include senior management and any administrative staff that may be involved in the audit. During this meeting, the scope of the audit will be discussed. You should feel free to ask the auditors to review areas that you are concerned about. The time frame of the audit will be determined, and you should discuss any potential timing issues (e.g. vacations, deadlines) that could impact the audit. It doesn't take as much of your time as you might expect!

Fieldwork

After the opening meeting, the auditor will finalize the audit plan and begin fieldwork. Fieldwork typically consists of talking with staff, reviewing procedure manuals, learning about your business processes, testing for compliance with applicable university policies and procedures and with laws and regulations, and assessing the adequacy of internal controls. You should make your staff aware that the auditor will be scheduling meetings with them.

Communication

Throughout the process, the auditor will keep you informed, and you will have an opportunity to discuss issues noted and the possible solutions.

Report Drafting

After the fieldwork is completed, the auditor will draft a report. The report consists of several sections and includes: the distribution list, the follow-up date, a general overview of your unit, the scope of the audit, any major audit concerns, the overall conclusion, and detailed commentary describing the findings and recommended solutions. You should read the draft report carefully to make sure there are no errors. If you find a mistake, inform the auditor right away so that it can be corrected before the final report is issued.

Management Response

Once the report is finalized, we will request your management responses. The response consists of 3 components: whether you agree or disagree with the problem, your action plan to correct the problem, and the expected completion date.

Closing Meeting

A closing meeting will be held so that everyone can discuss the audit report and review your management responses. This is an opportunity to discuss how the audit went and any remaining issues.

Report Distribution

The report is then distributed to you, your manager(s), senior university administrators, internal audit, and the university's external auditors. We also distribute an audit survey to the audited unit to solicit feedback about the audit. Feedback is important to us, since it can help us improve the audit process.
Follow-Up

Follow-up reviews are performed on an issue-by-issue basis and typically occur shortly after the expected completion date, to allow time for the agreed-upon corrective actions to be implemented. The purpose of the follow-up is to verify that you have implemented the agreed-upon corrective actions. The auditor will interview staff, perform tests, or review new procedures to perform the verification. You will then receive a letter from the auditor indicating whether you have satisfactorily corrected all problems or whether further actions are necessary. If further corrective action is required, you will need to write a management response. Otherwise, the issue will be reported as resolved.

Common audit findings include:

Improper Segregation of Duties
Procurement Card Policy Not Followed
Failure to Document Business Purpose
Supervisors Not Approving Time Worked
Failure to Perform Periodic Network Vulnerability Scans
Terminated Employees Retain Access to Computer Systems
Inadequate Cash Controls
Employees Not Given Annual Performance Appraisals
Inadequate Review of Transactions Before Approval
Unlicensed Software Is Installed On Department Computers
Regular Inventory of Capital Assets Is Not Taken
Proper Bidding Procedures Are Not Followed
Sharing of NetIDs and Passwords
Lack of Supervisor Review of Travel
Lack of Certification and Documented Review of Accrued Leave Balances
Examples of incompatible duties:

Authorizing a transaction, and receiving and maintaining custody of the asset that resulted from the transaction.
Receiving checks (payment on account) and approving write-offs.
Depositing cash and reconciling bank statements.
Approving time cards and having custody of pay checks.

Separation of duties will only limit problems stemming from incompatible duties. It is possible, though not likely, that collusion will occur, making control procedures ineffective. Management needs to be aware of relationships (family and friends) and be alert to the possibility of collusion.

Also, in a small operation, it is not always possible to have enough staff to properly segregate duties. In those cases, management may need to take a more active role to achieve separation of duties, by checking the work done by others. Sometimes, the knowledge that records will be checked by others is enough to prevent misappropriation of assets.
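The incompatible-duty pairs above can be checked mechanically against a role assignment export from a financial or HR system. The following is an added example, not code from the Cornell Audit Office page: it encodes the four incompatible pairs listed above as data, expands each user's roles into the duties they grant, reports every user holding both halves of a pair, and marks a conflict as mitigated only where management has a documented compensating review for that specific user and pair (the small-unit case described in the preceding paragraph). The role names, the role-to-duty mapping, the users and the compensating-control table are all constructed assumptions for illustration.

```python
"""Segregation-of-duties conflict check over a role assignment table.

Added example, not code from the Cornell Audit Office page. The incompatible
duty pairs come from the page's examples; the role names, the role-to-duty
mapping, the users and the compensating-control table are constructed
(assumptions) for illustration.
"""
from itertools import combinations

# Incompatible duty pairs from the page. Order within a pair is irrelevant.
INCOMPATIBLE = {
    frozenset({"authorize_transaction", "asset_custody"}),
    frozenset({"receive_checks", "approve_writeoffs"}),
    frozenset({"deposit_cash", "reconcile_bank"}),
    frozenset({"approve_timecards", "paycheck_custody"}),
}

# Hypothetical system roles and the duties each one grants (constructed).
ROLE_DUTIES = {
    "AP_Approver": {"authorize_transaction"},
    "Receiving_Clerk": {"asset_custody"},
    "AR_Clerk": {"receive_checks"},
    "AR_Manager": {"approve_writeoffs"},
    "Cashier": {"deposit_cash"},
    "Bank_Reconciler": {"reconcile_bank"},
    "Timekeeper": {"approve_timecards"},
    "Payroll_Distributor": {"paycheck_custody"},
}

# Constructed assignment export: user -> roles held.
ASSIGNMENTS = {
    "alice": ["AP_Approver", "Receiving_Clerk"],
    "bob": ["Cashier", "Bank_Reconciler"],
    "carol": ["AR_Clerk", "Timekeeper"],
    "dave": ["Timekeeper", "Payroll_Distributor", "AR_Manager"],
}

# Documented management review that compensates for a specific user/pair
# (the small-unit case: a manager checks the work). Constructed.
COMPENSATING = {
    ("bob", frozenset({"deposit_cash", "reconcile_bank"})):
        "Finance director reviews and signs the monthly bank reconciliation",
}


def duties_for(roles):
    """Expand a list of roles into the set of duties they grant.
    Roles missing from ROLE_DUTIES grant nothing here; in a real review
    an unknown role is its own data-quality finding."""
    held = set()
    for role in roles:
        held |= ROLE_DUTIES.get(role, set())
    return held


def find_conflicts(assignments, compensating=None):
    """Return one finding per (user, incompatible pair), sorted by user.
    A finding is 'mitigated' only when a documented compensating control
    exists for that exact user and pair."""
    compensating = compensating or {}
    findings = []
    for user, roles in sorted(assignments.items()):
        held = duties_for(roles)
        # Every pair of duties the user holds, in sorted order, checked
        # against the incompatible set.
        for a, b in combinations(sorted(held), 2):
            pair = frozenset({a, b})
            if pair in INCOMPATIBLE:
                findings.append({
                    "user": user,
                    "duties": (a, b),
                    "mitigated": (user, pair) in compensating,
                    "control": compensating.get((user, pair), ""),
                })
    return findings


def unmitigated(findings):
    """Conflicts with no documented compensating control: the audit finding."""
    return [f for f in findings if not f["mitigated"]]


if __name__ == "__main__":
    for f in find_conflicts(ASSIGNMENTS, COMPENSATING):
        status = ("mitigated: " + f["control"]) if f["mitigated"] else "UNMITIGATED"
        print(f"{f['user']}: {f['duties'][0]} + {f['duties'][1]} -> {status}")
```

Run against the constructed export, alice (authorizes and takes custody) and dave (approves time cards and distributes pay checks) are reported as unmitigated, bob's deposit/reconcile conflict is reported but marked mitigated by the documented director review, and carol has no conflict. The compensating control is keyed to a specific user and pair on purpose: a blanket "the manager reviews everything" entry would hide new conflicts introduced by later role grants.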
scanning workstations, servers, and printers for vulnerabilities, and taking adequate steps to understand and correct them, helps to ensure that systems are protected from such attacks.

Having unlicensed software on your department's computers exposes the university to possible penalties from software vendors, as well as litigation costs and/or damage to the university's reputation. Departments should have a software management system in place that tracks software installed on university computers. An additional benefit of having such a system is the ability to take advantage of bulk purchases or site licenses for widely-used applications.

supervisor, as they are likely to be in the best position to assess the legitimacy of the business purpose for travel. Supervisory review can take many forms, such as pre-transaction review or a periodic scan of transactions with detailed review of unusual or questionable items. Delegation of this responsibility should only be on a short-term, emergency basis.
Deciding where to audit at Cornell University is a process we re-examine periodically. Given the size of the University, with its numerous individual operating units, and our relatively small auditing staff, it is important that we allocate our available time to the areas with high risk exposures. This planning process also allows us to coordinate with external auditors to be sure that important areas are not overlooked, and that total audit costs for the organization are minimized. The degree of risk associated with a given unit is often defined in financial terms. We take financial exposures into consideration, and we also treat as exposures any activities that affect the delivery of services to students, employees, alumni and sponsors, or that are regulated by legislation.
Risk - the uncertainty of an event occurring that could have an impact on the achievement of objectives.

The Risk Factors that enter into the risk assessment and priority of audits include:

Risk Type: Definition
Compliance: Labor law issues, HIPAA, sponsoring agencies, employment.
Financial: Budgets, financing, cash flow, sources and uses of funds, reporting.
Legal: Outside demands and restrictions, such as grants, data retention, data preservation.
Operational: Consider needs of the delivery of core operations, such as space/facilities, utilities, personnel, student services, information systems.
Reputational: Consider political and outside perception of the unit and university ("goodwill").
Strategic: Consider what needs to be done to maintain and enhance the unit's and university's competitiveness in the industry by focusing on achieving strategic initiatives and mission.
Technology: Academic and administrative information systems and infrastructure.

Risk Factor (Risk Types): Definition
Control Environment (Reputational, Financial, Operational, Technology, Compliance): Management effectiveness, tone at the top, experience of staff, policies and procedures, change, and previous audit results.
Reputation/Legal Impact (Reputational, Legal, Compliance): The impact on the prestige and standing of the university in terms of students, alumni, donors or the general public; includes such things as failure to comply with regulations, inappropriate handling of sensitive information, or involvement with controversial programs or research.
Operations Impact (Operational, Technology, Financial): The impact on the effectiveness and efficiency of operations, including complexity of operations, performance, and safeguarding resources; risk relating to the organization's systems, processes, technology, and people.
Strategic Impact (Strategic, Reputational): The impact on obtaining high-level goals and the risks relating to strategy, political, and economic conditions.
Financial Impact (Financial, Operational): The impact on the financial statements and the potential for significant fraud.

University auditors and senior management rate risk factors to determine their importance, and from these evaluations we weight the factors accordingly.

Another step in the risk assessment process is to organize the sprawling university organizational structure into "auditable units." The university is not a static organization. Because of restructuring and new initiatives, we look at the university's structure each time we do a risk assessment. It is not efficient to perform separate audits of each discrete unit of the university, so we combine them in logical ways to reduce the number of units to a manageable level, for the purposes of both evaluation and auditing. Units may be combined on the basis of reporting relationship, or because they perform similar functions.

The assessment process really gets underway when we gather data on each unit. We also ask selected university staff to rate the units on each factor and combine these ratings to come up with an overall score for the unit. Based on these scores, we determine where we will spend our time over the next year. Of course, we allow for some slack time in case we are asked to provide input on changes to university systems, or if we need to look into an allegation of defalcation (white-collar crime, fraud, or misuse of university resources).
Accounting and Reporting
Bursar
Capital Assets IT Systems
F&A Rate (Indirect Cost Rate)
Financial Aid
Investments
Payroll
Planning and Budget
Purchasing
Treasury and Cash Management
Trusts and Estates
University Business Service Center (UBSC)

Information Technology

Alumni Affairs & Development/Contributor Affairs System (PeopleSoft)
Academic Technology Services and User Support
Accounting IT Systems (JEMS, GL and Hyperion System)
Benefits Administration System (PeopleSoft)
Bursar Systems (PeopleSoft)
CIT Security Office Audit
CIT Systems and Operation
CIT Web Services
Data Network and Telephone Billing IT Systems
e-Commerce and PCI Credit Card Compliance
Financial Aid (PeopleSoft)
Information Systems - Applications/Custom Application
Information Systems - Data Administration and Data Delivery
Information Systems - Infrastructure
Information Systems - Planning Projects and Analysis
Kuali (Pre-Implementation Review)
Mainframe Security
Network and Communication Services
Network Operations Center
Oracle Database Security
PeopleSoft Application and Security
Purchasing IT Systems
Research Administration IT Systems
Security of Datamarts and Enterprise Data Warehouses
Security of EZ Backup and Data Storage
Student Records System (PeopleSoft)
Web Financials
Wireless Network
Institutional Concern

Additional Pay
Animal Use in Research
Conflicts of Interest and Commitment
Data Classification and Privacy
Effort Reporting
Email Security
Emergency Preparedness, Business Continuity and Disaster Recovery
Executive Travel and Charter Jet
Gifts - Processing and Accounting
Human Subject Use in Research
Identity Management
International Programs
IT - Change Control and Change Management
Recharge and Service Center Rates
Software Licensing
Sponsored Program Transactions
Systems Development Methodology

Institutional Support

Admissions
Athletics and Physical Education
CCTEC
International Student Services Office (SEVIS)
Johnson Museum
Libraries
Student and Academic Services

College of Agriculture & Life Sciences
College of Architecture, Art and Planning
College of Arts & Sciences
College of Engineering
College of Hotel Administration & Statler Hotel
College of Human Ecology
College of Industrial and Labor Relations
College of Veterinary Medicine
Computing and Information Science
Cooperative Extension
Cornell Law School
Cornell University Hospital for Animals
Geneva Experiment Station
Graduate School
Johnson Graduate School of Management
Lab of Ornithology
Research Centers

Animal Use in Research
Effort Reporting
Grant Transactions
Human Subject Use in Research
NAIC-Arecibo
Office of Research, Integrity, and Assurance (ORIA)
Recharge and Service Center Rates
Research BSC
Sponsored Program Services (SPS)

Benefits Administration
Campus Life
Cornell Store
CU Police
Environmental Compliance
Environmental, Health and Safety
Facilities Services and Utilities
Finance and Administration BSC
Gannett Health Services
OHR & Academic Personnel Office
OIT/CIT Business Service Center
Planning, Design & Construction and Contracts Office
Real Estate
Risk Management
Transportation and Mail Services

Subsidiaries

Biochemistry
Cell & Developmental Biology
Genetic Medicine
Microbiology and Immunology
Pharmacology
Physiology and Biophysics

Anesthesiology
Cardiothoracic Surgery
Dermatology
Medicine
Neurological Surgery
Neurology and Neuroscience
Obstetrics and Gynecology
Ophthalmology
Otorhinolaryngology
Pathology and Laboratory Services
Pediatrics
Psychiatry
Public Health
Radiology, including NewRad (new joint venture w/ NY-PH) and Subsidiaries
Rehabilitation Medicine
Reproductive Medicine and Infertility
Surgery
Urology
Information Technology

Change Control and Change Management
Datamart Security
Electronic Medical Records (EMR) EpicCare System
GE-CB (physician billing system) - formerly IDX (Billing, AP, Scheduling)
HIPAA (Privacy and Security)
Identity Management
ITS General Controls / Active Directory
PCI Credit Card Compliance
Research and Sponsored Programs IT Systems Audit
SAP (Pre-Implementation Review)
Voice over IP (VoIP) Audit
Wireless Network

Institutional Concern

Animal Use in Research
Conflicts of Interest and Commitment
Email Security
Emergency Preparedness, Business Continuity and Disaster Recovery
Executive Travel
Gifts - Processing and Accounting
HIPAA Privacy and Security
Human Subject Use in Research
International Initiatives
Recharge and Service Center Rates
Supplementary Compensation
Time and Effort Reporting

Institutional Support

Research Centers

Benefactor system
Environmental Compliance and Health & Safety
Facilities and Capital Planning
General Financial, IT Systems and Security Audit
MC Billing Compliance Audit (MD Audit)
Physicians Organization
Risk Management/MCIC