Diana Hill Raheel Qureshi, CPA March 8, 2018

Diana HillRaheel Qureshi, CPAMarch 8, 2018

1

Please silence your cell phonesTake notes – share ideas!Feel free to ask questions throughout the presentation.

2

NameDepartmentPositionWhat brought you to this class?Your last audit experience

3

4

Who is Internal Audit?What are internal controls?What can I do to reduce anxiety when I’m

audited?

The Internal Audit Department is an independent and objective assurance and consulting activity guided by a philosophy of adding value to improve the operations of the University. It assists the University in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the University’s governance, risk management, and internal controls.

5

To enhance and protect organizational value by providing risk‐based and objective assurance, advice, and insight.

Demonstrates integrity.Demonstrates competence and due professional care.Is objective and free from undue influence (independent).Aligns with the strategies, objectives, and risks of the organization.Is appropriately positioned and adequately resourced.Demonstrates quality and continuous improvement.Communicates effectively.Provides risk‐based assurance.Is insightful, proactive, and future‐focused.Promotes organizational improvement.

1. Institutional Research2. Centers & Institutes3. Capital Construction4. NCAA compliance – Rules Ed.5. Scholarships/Restricted Gifts6. Travel/Complex Payments7. Building Access / 49er Card8. Internal Audit QAR9. Minors on Campus10.Admin Review‐International

Programs11.Residency Classification

12. IT Security‐DRP13. PCI Compliance14. Admin Review‐CCI15. Admin Review‐DoS16. Admin Review‐Alumni

Affairs17. NCAA Compliance‐FB

Attendance

8

Internal Audit

ACERM

Chancellor

VC – Institutional Integrity

Jesh Humphrey

CAOJennifer Walker

AuditorRaheel Qureshi

AuditorJulie Earls

AuditorDiana Hill

AuditorRachel Kaplan

10

Board/Audit Committee

Senior Management

1st Line of Defense

Department AdminsBusiness Managers

3rd Line of Defense

Internal Audit

2nd Line of Defense

Risk Management& Compliance

State Auditors

That’s you!College business officesBusiness support specialistsDepartment officers and administrative assistantsSupervisors, managers, directors

11

Compliance Functions (Research, Athletics, etc.)Police and Public Safety, Environmental Health & Safety IT SecurityController’s OfficeDirector of Compliance – Sue Burgess

12

Internal Audit – That’s us!

13

14


audited?

Internal Controls are steps within a process designed to provide reasonable assurance regarding the achievement of objectives:

Effectiveness and Efficiency of OperationsReliability of Financial ReportingCompliance with applicable Laws, Regulations, Policies & Procedures

15

How can the job be completed to the intended result in an easier, faster way?How can the job be done with accurate results?How can the unit reach maximum productivityusing minimal resources?

16

University Policy 601.8 – Appropriate Use of University Funds:

Appropriated funds (central funds)Foundation FundsDiscretionary Funds

Grant funds – University Policy 601.12

17

Federal laws – FERPA, Title IXState laws – Department of Labor, Department of LicensingCounty/City laws – Waste disposal, code enforcementUNC System policies – Personnel, tuitionUNC Charlotte policies – legal.uncc.eduIT Standards and guidelines – itservices.uncc.edu

18

19

They are created Because who knows your job better than

Preventive:Training on policies.Assigning user access rights.Automatic log‐off after period of inactivity.

What are some other preventive internal controls?

20

Detective:Reconciling invoices to ledger (payments).Comparing packing list/order contents with purchase order.Periodic review of user access rights.

What other detective internal controls can you think of?

21

• Computer username/password• Preset time out on screen saver• 49er Mart approval path• Card swipe door locks• 2 signatures on DPRs• Speed limit signs• Reconciliations

22

What types of controls are:University Policies?IT configuration standards?Error messages or reports?Reconciliation of petty cash?

23

Internal controls are the tasks that are in place to help address risks.

What can go wrong? What can we do to reduce the risk?

• One risk could have multiple controls. • One control could mitigate multiple risks.

24

A situation involving exposure to danger. (Merriam‐Webster)The hazard or chance of loss. (dictionary.com)A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action. (businessdictionary.com)

25

What “bad thing” could happen in your department?What is the chance of it happening? (Likelihood)How big of a deal is it? (Severity / Impact)

26

“A process step is a task, activity… that moves an input closer to the final

objective.”The office submits the reimbursements to the Travel Office within 30 days

Faculty members verbally request supplies.

27

“An internal control… is a critical step within the process that leads to the

success of the entire process.”Supervisors review timesheet submissions monthly to ensure they were completed on timeSupervisors review and approve all travel reimbursements for accuracy before submission to the Travel OfficeDepartment staff match the purchase order, invoice and receiving slip before marking the supply as received in 49er Mart

28

The department admin collects timesheets and files them

The office submits the reimbursements to the Travel Office within 30 days

Faculty members verballyrequest supplies.

Supervisors reviewtimesheet submissions monthly to ensure they were completed on timeSupervisors review and approve all travel reimbursements for accuracy before submission to the Travel OfficeDepartment staff matchthe purchase order, invoice and receiving slip before marking the supply as received in 49er Mart

29

Test your knowledge!

30

? Takes inventory of office supplies before submitting an order.

? Create a spreadsheet of all laptops, desktop computers and printers in the department.

? Verify the serial numbers on all laptops, desktops and printers in the department every 6 months. A director signs off on the spreadsheet.

Check out the Internal Audit website at internalaudit.uncc.edu to read more about

Internal Controls vs. Process Steps!

31

32

33

Situation:

All supply requisitions come through Lisa (the administrative assistant) and are

approved by the center director, Dr. Smith. College faculty working with the

center have had no complaints about Lisa. Dr. Smith thinks things are going

well, so he is surprised when the Dean asks him why he has spent so much of

his annual budget so early in the year? He is not sure how to answer the Dean

but does manage to say he will look into it. Dr. Smith calls Lisa and asks her

about the center’s spending and she tells him she doesn’t know what the Dean

is talking about. She has been ordering what the faculty have asked for and it

has been approved by the college, so she believed everything was fine. He asks

for a spending report and it shows 75% spent. It is only November. He wants

to know more about what is being purchased but does not know what to ask

for or how to get it.

Employees:

Sarah: Lab manager and responsible for fixed assets inventory

Mary: The new office manager

Situation

When Sarah first started, keeping track of all the computers was difficult, especially the laptops.

Now that laptops are not part of the inventory, she has a much easier job. Over the years, she

has kept two laptops in the bottom drawer of a file cabinet in the department office. If a faculty

member needs one for a trip or a conference, he or she takes it out and brings it back when the

event is over. Sarah has recently been told that she would be able to attend the Association of

Lab Mangers annual conference. She wanted to take a laptop to check her email and keep up

with 49er Mart, so she went to the file cabinet to get one. When she opened the drawer, it was

empty. She asked Mary where the laptops were. Mary said, “What laptops? I didn’t know we

had any.” Sarah and Mary went to see the department chair to ask what to do.

34

35

Control Environment – policies & procedures, overall tone from management.

Risk Assessment – identify the things that keep you from accomplishing your objective.

Control Activities – approvals, reconciliations, segregation of duties, etc.

Information & Communication – use relevant information and communicate appropriately.

Monitoring – How are you doing? Is the process working?

36

How they apply to you

37

Control Environment –department head announcing policy changes, how financial reporting is handled and communicated, and how university standards are discussed and enforced


38

Risk Assessment -considerations for security of cash collected, evaluation of student worker access to department files, and the information security vulnerabilities posed by maintaining a set of laptop computers for check-out by traveling faculty


39

Control Activities –authorizations, approvals, verifications, reconciliations, business performance reviews, and segregation of duties


40

Information and Communication - sharing and validating requests for information when received, then sharing and validating responses before their release


41

Monitoring Activities -regular financial status reports as well as progress reports for major department initiatives

A short video on internal controls

43


audited?

What you can do to be proactive before a visit from Internal Audit?How you can improve controls in your unit?

44

Learn University standards

Review admin operations

Check out internalaudit.uncc.edufor more information!

45

We schedule an entrance meeting with the Director of the department being auditedWe provide a list of items that we need for review, based on the nature of the auditA timeline is established – typically 6 – 8 weeksReview scope and time‐period for the auditDuring the course of the audit, we will contact you regularly with questions and updates – we encourage you to ask questions, too!

46

Used by Internal Audit to prepare the work program“Brain storming” of potential risks

49

52

A. Compliance with applicable laws, regulations, policies & procedures

B. Prevention of fraudC. Incorporating ethical

business practice standardsD. Periodic reviews by Internal

Audit

53

A. The one you used last.B. All assigned funds.C. Only the petty cash fund.D. The monthly phone bill.

54

A. Control EnvironmentB. MonitoringC. Organizational StructureD. Risk Assessment

55

A. A means to an end.B. Authorized procedures.C. The particular category in which a control

is placed.D. Steps within a process designed to

provide reasonable assurance regarding the achievement of your objectives.

56

A. Segregation of DutiesB. ReconciliationsC. AuthorizationsD. All of the Above

57

A. The ChancellorB. Business UnitsC. Board of TrusteesD. Internal Audit

58

A. Review Internal Audit’s website for articles and presentations

B. Review Guide for Self Assessment of Internal Controls

C. Ask lots of questionsD. All of the above!

59

60

Cast:

Brittany: Primary admin assistant in the department

for over 10 years. “Go to” person for the faculty

members with reputation as someone who gets the job

done.

Christina: The new staff member

61

Situation:

Due to an unexpected illness of her mother, Brittany was out on sick

leave for two weeks during the time fee payments for lab supplies were

being collected. The chair asked Christina to follow up with those

students who still owed the fee and to give him a status report. As

Christina reviewed the spreadsheet that she found on the shared drive,

some things did not add up. The amount of money on the spreadsheet

did not match what was showing in Banner as deposited. When she

contacted several students listed as still owing the fee, each one said

they had already paid and had a receipt from Brittany. After hearing

and seeing all this, Christina took her concerns to the chair, who called

Internal Audit.

What’s happened here?What are the first steps to take? How bad is this situation?What could the department have done to prevent or detect this?What do you do now?

63

Segregation of Duties ‐ Does any one person have too much control?Goals and Objectives – Every unit has them. Do you know yours?New Employee Onboarding ‐ How do you welcome someone new?Policies and procedures – Do you know which ones apply to you and your department?Faith, hope and trust are not controls ‐What are the words most often said after a fraud is uncovered?

64

Please complete the evaluation that will be emailed to you after the

class!

67

Documents

Diana Hill Raheel Qureshi, CPA March 8, 2018