Procedures

Introduction

Internal Audit of William Paterson University of New Jersey is governed by the Internal Audit Charter approved by the Audit Committee of the Board of Trustees and the Policies and Procedures set herewith. Internal Audit subscribes to the Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing and the Core Principles stipulated by the Institute of Internal Auditors.

 

Mission Statement

The mission of Internal Audit is to provide independent and objective reviews and assessments of the business activities, operations, financial systems and internal accounting controls of William Paterson University of New Jersey. Internal Audit accomplishes its mission through the conduct of operational, financial, regulatory and performance audits, selected as a result of a comprehensive risk analysis and assessment process. The risk assessment plan is reviewed and approved by the Audit Committee of the Board of Trustees and the President of William Paterson University of New Jersey.

 

Objective

Internal Audit conducts independent reviews and appraisals of the University’s procedures and operations. These reviews provide management with an independent appraisal of the various operations and systems of control. The reviews also help to ensure that University resources are used efficiently and effectively while working towards helping the University achieve its mission, as endorsed by the Board of Trustees. It is the intention of Internal Audit to perform this service with professional care and with minimal disruption to University operations.

 

Standards of Audit Practice

The internal audit function will conduct its activities in accordance with the Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and Code of Ethics. Generally accepted auditing standards promulgated by the American Institute of Certified Public Accountants and government auditing standards issued by the United States Government Accountability Office will be referenced as appropriate.

 

Core Principles

Internal Audit at William Paterson University subscribes to the Core Principles stipulated by the Institute of Internal Auditors. Internal Audit will align its effectiveness with the following principles:

  • Demonstrate Integrity
  • Demonstrate competence and due professional care
  • Be objective and free from undue influence
  • Align with strategies, objectives and risks of the organization
  • Is appropriately positioned and adequately resources
  • Demonstrates quality and continuous improvement
  • Communicate effectively
  • Provide risk-based assurance
  • Be insightful, proactive and future-focused
  • Promote organizational improvement

 

Code of Ethics

Internal Audit at William Paterson University shall subscribe to the Code of Ethics established by the Institute of Internal Auditors, as well as adhere to the policies set forth by the management of the University and the State of New Jersey. In addition, Internal Audit will uphold the following:

  • Integrity- Establish trust and thus provide the basis for reliance on the judgment of Internal Audit.
  • Objectivity- Exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the area under examination. Make balanced assessments of all the relevant circumstances and do not become unduly influenced by individual interests or by others in forming judgments.
  • Confidentiality- Respect the value and ownership of information received and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
  • Competency- Apply the knowledge, skills and experience required in the performance of internal auditing services.

Standards of Conduct

Internal Audit at William Paterson University will adhere to the following standards of conduct:

  • Service– Preserve a commitment to carry out all responsibilities with an attitude of service toward University members while maintaining a sincere and dignified attitude.
  • Excellence – Uphold a high standard of service and a commitment to quality in performing all projects and assignments.
  • Leadership – Provide noteworthy examples which emphasize high ethical and moral standards.
  • Professionalism – Conduct business in a manner that reflects favorably on the University and the individual. Exercise skill, integrity, maturity and tact in all relations.

Scope of the Internal Audit Function

While carrying out its duties, Internal Audit is responsible for utilizing a systematic, disciplined approach to evaluating and improving the effectiveness of internal controls and should include the following:

  • Developing and maintaining a comprehensive audit program necessary to ensure compliance with, policies and procedures necessary to safeguard University resources.
  • Communicating the results of audits and reviews by preparing timely reports, including recommendations for modifications of management practices, fiscal policies and accounting procedures as warranted by audit findings.

Services Provided by Internal Audit

Internal Audit’s primary activity is to implement a program of regular audits of University business operations. The complete range of services provided by Internal Audit may also include special projects and consultations as directed by the President and the FAID Committee. Reviews performed by Internal Audit include:

  • Operational Audits– Operational audits consist of critical reviews of operating processes and procedures and internal controls that mitigate area specific risks. These audits examine the use of resources to determine if they are being used in the most effective and efficient manner to fulfill the University’s mission and objectives.
  • Compliance Audits– These audits determine the degree to which areas within the University adhere to mandated Federal, State and College policies and practices. Other regulatory agencies are also included within compliance audits (e.g. NCAA, EPA, OSHA, Department of Education, etc.). Recommendations usually require improvements in processes and controls used to ensure compliance with regulations.
  • Financial Audits– These audits review accounting and financial transactions to determine if commitments, authorizations and the receipt and disbursement of funds are properly and accurately recorded and reported. This type of audit also determines if there are sufficient controls over cash and other assets and whether there are adequate process controls over the acquisition and use of resources. Unlike external financial audits, internal financial audits do not prepare or express professional opinions on the financial statements fairness.
  • Investigative Audits– These audits are conducted to identify existing control weaknesses, assist in determining the amount of loss and recommending corrective measures to prevent additional losses. Internal Audit will also work with outside agencies to determine if misconduct occurred at William Paterson University. These types of investigations can encompass misuse of University funds or assets, fraud or potential conflicts of interest.
  • Technology Audits– Technology audits are usually comprised of control reviews of disaster recovery plans, system back up procedures and the general security of data and of the physical plant. The purpose of these audits is to evaluate the accuracy, effectiveness and efficiency of the University’s electronic and information processing systems.

Professional Proficiency

The Internal Auditor has a professional obligation to schedule and attend on-going professional education forums to ensure they maintain academic proficiency and to advance professionally.

Responsibility for Detection of Errors or Irregularities

The management of the University is responsible for establishing and maintaining controls to discourage perpetuation of fraud. Internal Audit is responsible for examining and evaluating the adequacy and effectiveness of those controls. Audit procedures alone are not designed to guarantee the detection of fraud.

An error is an unintentional mistake in financial statements which includes mathematical or clerical mistakes in the underlying records and accounting data from which the financial statements or other reports are prepared, mistakes in the application of accounting principles and oversight or misinterpretation of facts that existed at the time the reports were prepared. An irregularity is an intentional distortion of financial statements or other reported data or the misappropriation of assets.

If Internal Audit believes that a material error or an irregularity exists in an area under review or in any other area of the University, the implications of the error or irregularity and its disposition shall be reviewed with the responsible Vice President and/or the President. 

Internal Audit Plan

As noted throughout this Charter, the Director of Internal Audit is responsible for establishing a risk-based plan to determine the priorities of the internal audit activity, consistent with the University’s goals. The risk assessment takes into consideration the risk profile of the University as set by Management as well as the Auditor’s own judgement of risk and input from Management, the President and the FAID Committee. The plan will be adjusted and reviewed as needed in response to changes in the University’s business, risks, operations, programs, external regulations, systems and controls.

At least annually, the Director of Internal Audit will submit to the President and the FAID Committee an internal audit plan. The Committee will review, discuss, and endorse the plan subject to the FAID Committee members’ concurrence. The internal audit plan will include a summary of engagements and other audit activities, as well as resource requirements for the next fiscal year. The Director of Internal Audit will communicate the impact of resource limitations and significant interim changes to senior management and the FAID Committee. Any proposed changes to the approved Audit Plan will be presented to the President and to the FAID Committee at subsequent meetings.

Risk Factors

Internal Audit will evaluate each identified auditable area based on certain risk factors and the weight of risk impact and risk concerns, as follows:

  • Compliance Risk– The threat to the University as a result of violations and nonconformance with State, Federal and Industry laws, regulations or prescribed practices.
  • Operational Risk– Risk of loss resulting from inadequate or failed in internal procedures, people and systems or from external events.
  • Financial Risk– Multiple types of risk associated with financing, including financial transactions and financial loss.
  • Reputational Risk– Risk resulting from damages to the University’s reputation.
  • Strategic Risk – Uncertainties and untapped opportunities embedded in the University’s strategic intent and how well they are executed.
  • Technology Risk– Threats to assets and processes vital to the business and may prevent compliance with regulations, impact profitability and damage reputation. Risk can result from human error, malicious intent or event compliance regulations.
  • Human Capital Risk– Events and employee behaviors that occur both within and outside the workplace that can affect employee productivity and/or otherwise effect the organization’s operation and financial results.

 

Risk Measures

Risk Measures taken in consideration when rating each auditable area that weigh on the risk impact and risk concern are:
• Analysis and prioritization of the audit universe.
• Input of senior management and the FAID Committee.
• First-hand knowledge of the College and its evolving operations.
• Results of prior audits.
• Understanding of risk in higher education, and biomedical and health care services.
• Quality of management.
• Emerging needs of campus clients.
• Support to external auditors.

Unplanned Audits

The majority of audits are planned. However, said planning does not preclude Internal Audit from conducting unplanned audits. Prior to any audit, the Director of Internal Audit will discuss the engagement with management. The discussion will include the scope, purpose and estimated timeframe of the audit. As unplanned projects emerge, they will be included in the overall plan for the year.

Internal Audit Process

Although every audit project is unique, the audit process is similar for most engagements and normally consists of five stages:
1. Audit Announcement and Initial Meeting
2. Preliminary Review
3. Fieldwork
4. Audit Report
5. Follow-up
Client involvement is critical at each stage of the audit process. As in any special project, an audit results in a certain amount of time being diverted from a unit’s usual routine. A key objective of an internal audit is to minimize this time and avoid disrupting the on-going activities.

  1. Audit Announcement and Initial Meeting

The Director of Internal Audit, will schedule a meeting with (as appropriate) the Unit Manager and the Senior Managers of the process to be audited. An initial meeting will take place, during this meeting, the client describes the unit and/or system, the organization, available resources (personnel, facilities, equipment, funds), and other relevant information. The internal auditor meets with the senior officer directly responsible for the unit under review and any staff members he/she wishes to include. It is important that the client identify issues or areas of special concern that should be addressed.

  1. Preliminary Review

The development of the Audit Program is based on the preliminary survey and internal control reviews. The auditor talks to key personnel and reviews reports, files and other information as needed to obtain a general overview of the operations. The auditor will review the unit’s internal control structure, which helps the auditor determine the areas of highest risk and design tests to be performed in the fieldwork section. The audit program outlines the fieldwork necessary to achieve the audit objectives.

  1. Fieldwork

The field work concentrates on transaction testing and informal communications. It is during this phase that the auditor determines whether the controls identified during the preliminary review are operating properly and in the manner described by the client. The fieldwork stage concludes with a list of issues or/and best practices from which the auditor will prepare a draft of the audit report.

  • Transaction Testing– After completing the preliminary review, the auditor performs the procedures in the audit program. These procedures usually test the major internal controls and the accuracy and propriety of the transactions.
  • Advice and Informal Communications– As fieldwork progresses, the auditor discusses any significant issues with the client. Hopefully, the client can offer insights and work with the auditor to determine the best method of resolving the issue. Usually these communications are oral. However, in more complex situations, memos/emails can be written in order to ensure full understanding by the client and the auditor. The goal: No surprises.
  • Audit Summary– Upon completion of the fieldwork, the auditor summarizes the audit issues, conclusions, and action to be taken (as agreed upon by both auditor and client) for the audit report discussion draft.
  • Workpapers– Audit workpapers are the connecting link between fieldwork and audit report. They serve as the systematic record of work performed and shall contain sufficient, competent and relevant evidence to support the auditor’s findings, opinions, conclusions, judgements and recommendations in the audit report. All workpapers will be kept electronically secure within Internal Audit’s private Network Drive.
  1. Audit Report

Internal Audit’s principal product is the final report in which we express our opinions, present the audit issues, and action to be taken for improvements. To facilitate communication and ensure that the final report is practical, Internal Audit will discuss the rough draft with the auditee prior to issuing the final report.

  • Discussion Draft and Draft Report– at the conclusion of fieldwork, the auditor drafts the issues. This discussion draft is prepared for the unit’s operating management and is submitted for the auditee’s review. The Auditor and management will meet to discuss the issues, reach an agreement of audit issues, resolution and implementation date. If management does not agree to the issue, management must accept the risk of not implementing the recommendation. The auditor then prepares a formal draft, taking into account revisions resulting from the meeting with management. Managers and senior managers will have one last review before the report is issued.
  • Final Report– The final Audit Report will include the scope of the review, Audit’s opinion, and Audit Issues (with management’s response, responsible party and implementation date). Final Audit Reports will be issued timely and distributed, via email, to the FAID Committee of the Board of Trustees, the President, General Counsel, and Vice Presidents.

Internal Audit reports are considered advisory, consultative, deliberative and highly confidential. Approval is required from the Director of Internal Audit and General Counsel prior to release to anyone not noted on the report distribution list.

  1. Audit Issue Follow Up

The Institute of Internal Auditors (IIA) Professional Standard 2500, requires the Auditor to establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

  • Responsibility: it is the responsibility of management to implement the corrective action, however the Director of Internal Audit is responsible for assessing that corrective action has been taken to achieve the desired results, or that senior management has assumed the risk of not taking corrective action on reported issues/observations.
  • Follow up process: the Auditor will follow up with the responsible party prior to the issue due date, and at a minimum quarterly. When, according to management, the issue has been implemented and is complete, the auditor will conduct a review and obtain documentation to ensure the process has been properly implemented. This may occur on or before the due date.
  • Closure: If by the due date the issue has been satisfactorily handled and addressed, the auditor will consider the issue closed and no further action will be required from management at that time. If the issue is not properly addressed, the issue will remain opened and will be considered past due.
  • Reporting: The Director of Internal Audit will report quarterly to the President and to the FAID Committee of the Board of Trustees and such reports shall include issue follow up status. Open, closed and past due items will be reported. Past due items will be aged and tracked until resolution.

Evidential Matter

Evidential matter obtained during the course of fieldwork provides the documented basis for the auditor’s opinions, observations and recommendations as expressed in the auditor’s opinions, observations and recommendations as noted in the audit report. The Office of Internal Audit is obligated by professional standards to act objectively, exercise due professional care and collect sufficient and relevant information to provide a sound basis for audit observations and recommendations.

Auditors must obtain all evidence necessary for the effective completion of the audit. The decision on how much evidence is enough and what type to seek requires the exercise of the auditor’s judgment based on experience, education and intuition. A thorough knowledge of the concepts underlying audit evidence will help the auditor to improve the audit quality and efficiency of the process.

Standards for the Professional Practice of Internal Auditing require that work papers possess certain attributes to provide a sound basis for audit observations and opinions and to be considered as evidential matter. These attributes are:

  • Sufficient information is factual and adequate so that a prudent, informed person would reach the same conclusions as the auditor
  • Information is reliable and the best attainable through use of appropriate audit techniques
  • Relevant information supports audit findings and recommendations and is consistent with the audit objectives for the audit
  • Useful information helps the organization meet its goals. It also provides a reference for the preparer when called upon to answer questions.

 

Types of Evidence

If the evidence supports the basic test of sufficiency, competence and relevance, it may be used to support the auditor’s findings. The following outlines the different types of evidence obtained during the course of an audit:

  • Physical evidence– Obtained through observation and inquiry
  • Testimonial evidence– Based on interviews and statements form involved persons
  • Documentary evidence– Consists of legislation, reports, minutes, memoranda, contracts, extracts from accounting records, formal charts and specifications of documentation flows, systems design, operational and organizational structure
  • Analytical evidence– Secured by analysis of information collected by the auditor.

Documentation of Evidential Matter

Standards for the Professional Practice of Internal Auditing require that audit workpapers reflect the details of the evidence upon which the auditor has relied. The Internal Auditor must maintain adequate documentation of the audit, including the basis and extent of planning, the work performed and the results and findings of the audit. This will allow the workpapers to serve both as tools to aid the auditor in performing their work and as written evidence of the work done to support the auditor’s report. Information included in work papers should be sufficient and relevant to provide a sound basis for audit findings and recommendations. Evidence gathered should be organized and easily correlated with audit program steps and subsequent conclusions and issues reported.

In the process of collecting evidential matter, the auditor is required to perform audit testing to support all observations and opinions. During the performance of such testing, the auditor is not required to test the population in its entirety. Audit sampling may be employed. Audit sampling is performing an audit test on less than 100% of a population. In “sampling”, the auditor accepts the risk that some or all errors will not be found and the conclusions drawn (i.e. all transactions were proper and accurate) may be wrong. The type of sampling used and the number of items selected should be based on the auditors understanding of the relative risks and exposures of the areas audited.

 

 

June 2024