Office of Internal Audit
Procedural Guidelines
I. Introduction
As provided in the Internal Audit Charter approved by the Board of Regents
on February 27, 1991, this document identifies the operating guidelines
for the Office of Internal Audit of the University System of Maryland. These
guidelines provide internal auditors with the framework for auditing System
components as well as familiarize all System professionals with the key
aspects of the internal audit process.
The internal audit process at the University System of Maryland is a
cooperative undertaking to help those who administer the System's resources.
Inherent in this process is the concept that managers and staff can frequently
propose solutions to the problems auditors identify. For this reason, Internal
Audit is committed to participatory reviews that enable the System's managers
and staff to:
- Gain greater insight into controlling their operations,
- Improve their administrative performances, and
- Highlight their departmental strengths, achievements, and initiatives.
For audit objectives to be achieved, the System's administrators, managers,
faculty and staff must recognize their accountability for administrative
actions and for the results of their operations. Consequently, positive
support of internal audit activities must be viewed as an essential responsibility
at all levels.
II. Guidelines
1. Outlining the audit process.
The main phases of the audit process are:
- Assessing risk.
- Selecting the area to audit.
- Notifying the component to be audited.
- Conducting a preliminary survey.
- Evaluating the control environment.
- Preparing an audit program, a step-by-step guide to be followed while auditing.
- Performing field work such as interviewing staff, testing transactions,
and observing operations.
- Drafting a report and holding an exit conference.
- Issuing a final report.
- Obtaining and evaluating the component's written response to the audit
report.
- Conducting a follow-up review.
Most audits include each of these steps, but exceptions do occur.
2. Identifying the types of audits.
The types of audits conducted are:
- Financial: During financial reviews, auditors determine whether
historical financial information presents fairly the financial position
and results of operations. To form an opinion, auditors examine the internal
control structure and test transactions surrounding economic events. Financial
audits are not primarily intended to evaluate auditees' effectiveness
or efficiency. As a result, comments and recommendations about operational
matters are byproducts of a financial audit rather than the main objective.
- Operational: Also known as performance audits or managerial audits,
these reviews are aimed at assessing an operation's ongoing administrative
efficiency and effectiveness. The objective is to assist management in
identifying and resolving problems. To successfully audit operations, auditors
develop standard managerial yardsticks and approaches to administrative
activities. This process enables the internal audit staff to analyze and
evaluate the effectiveness, efficiency, and economy of System operations.
Although financial data continues to be the base of reference, auditors
look beyond the figures to provide assistance toward improving auditees'
operations. At the end of the audit, a written report containing the most
significant findings and recommendations is sent to affected and responsible
management for consideration and action.
- Compliance: During compliance audits, internal auditors assess to
what degree an operation conforms with legal obligations and agreements
with outside parties. Included in this category are reviews of federal
contracts and grants as well as audits of trusts in the endowment fund.
Also included in compliance auditing is assessing the degree to which a
component adheres to applicable federal and State policies and procedures.
- Investigative: Internal Audit undertakes investigative audits when
circumstances or evidence suggest a fiscal irregularity involving System
funds, property, or personnel. Investigative audits differ from other audits
in that they are normally conducted without first notifying the personnel
who may be affected by the findings.
- Follow-up audits: Internal Audit has been charged with following
up the status of corrective actions taken in response to recommendations
in legislative audit reports. Six months after a report has been issued,
the Assistant Vice Chancellor for Financial Affairs writes to the audited
component, asking for a status report on completed or planned corrective
measures. A copy of the completed status report is directed to Internal
Audit for follow-up review and comment. After the review, Internal Audit
provides management with a written report assessing the status of the corrective
actions outlined in the component's response to the legislative audit.
- Information Systems: IS auditing provides evaluations of our institutions' policies, procedures, standards, measures, and practices for safeguarding electronic information from loss, damage, unintended disclosure, or denial of availability. We provide management with an assessment of whether sufficient controls exist to mitigate institutions' risks. Reviews include areas such as network security; application security and controls; software change management procedures; environmental and physical security; and disaster recovery procedures.
Internal audits are also followed up routinely, approximately 6 to
12 months after the original audit.
Questions may arise during audits that require formal legal analyses. In
those cases, Internal Audit refers the questions to legal counsel for their
advice.
3. Scheduling Audits and Assessing Risk Factors.
Internal Audit maintains both one-year and long-term audit schedules,
which may be preempted by special reviews. Both are primarily planning
devices for coordinating the audit staff's work. The audits are sometimes
expanded or narrowed in scope depending on factors that become known after
an audit begins. For these reasons, the schedules are flexible.
Internal Audit initially prepares the schedule based on a number of
risk factors. Risk factors are objective and judgmental criteria used to
determine the segments of the System that might benefit most from an internal
audit.
Objective factors include the size of the budget and payroll; number
of employees; value of capital equipment; liquidity of assets; effect of
large deficit or surplus balances; and the time elapsed since the last
audit. Judgmental risk factors include areas of concern to regents and
administrators; possibility of adverse publicity; the extent, nature, and
reliability of systems for processing data electronically; the effect of
governmental or other regulations; and a unit's impact or control over
other departments. Internal Audit quantifies, weights, summarizes, and
analyzes these risk factors as a guide for determining the components and
audit areas needing the greatest or most urgent attention, recognizing
availability of staff to perform those audits.
The Board of Regents Audit Committee annually reviews and approves the
proposed one-year audit schedule. On request, Internal Audit will meet
with a component's president or other interested administrator to discuss
planned audits or past audit results. Administrators are also encouraged
to recommend to Internal Audit other areas they believe would benefit from
a review.
4. Coordinating with External Auditors.
Among the System's external auditors are independent auditors and the
State legislative auditors. Internal audits are coordinated with external
audits to avoid duplicating audit coverage and to complement external auditors'
efforts. Normally, except for follow-up reviews of legislative audits,
the Internal Audit schedule excludes the areas recently covered by external
auditors.
The contract for the annual audit of the System's financial statements
by outside, independent auditors is negotiated and awarded by the State
with the System's approval. If a need arises for additional service from
independent auditors, approval must first be obtained from the Chancellor,
as required by Board of Regents' Policy VII - 7.20.
5. Notifying Components.
When planning routine audits, Internal Audit notifies the President
or designee about two weeks before the audit is scheduled. Concerned officers
at higher levels, including the Vice Presidents for Administration or for
Business and Finance, or their equivalents at other units, also receive
copies of the notice.
6. Providing Work Space.
Internal auditors should be assigned reasonably private work space near
the department being audited. The space should be consistent with the space
generally assigned to professional staff at the component. Normally the
space should be well-lighted, equipped with a telephone, and climate-controlled.
In addition, the furniture should be in good condition and close to electrical
outlets.
7. Holding Exit Conferences.
After every audit, the internal auditors draft a report and meet with
the department head and other appropriate staff in an exit conference.
During the exit conference, departmental administrators and managers have
the opportunity to informally provide additional information, question
findings, or challenge conclusions. On the basis of those discussions,
the final report may be modified.
Normally, only the administrators of the department being reviewed attend
the exit conference to allow the parties most affected by the report to
more freely and confidentially express their views, and to ensure the accuracy
of the final audit report. After completing this last phase of audit field
work, Internal Audit may hold briefings with concerned higher-level management
or their representatives. The briefings may be held at management's request
or when:
- Internal Audit judges that an oral report could enhance mutual understanding
of the issues raised during the audit, or
- Immediate action is needed to correct problems.
A report may be modified based on new information brought to light at any
point before the report is distributed. When differences of opinion persist,
however, the report will be issued although it may be modified to reflect
the position of the audited department or higher-level management. The
differences should then be addressed in the component's written response
to the final audit report.
8. Issuing Audit Reports.
Audits usually cover fiscal and administrative processes. In the report
scope statement, Internal Audit defines the characteristics of the audit
and lists the functional areas examined. Since an auditor's role is to
provide constructive criticism, audit reports are necessarily critical
in nature. Nevertheless, Internal Audit routinely includes departments'
or units' notable strengths to credit staff for correcting past deficiencies
and to recognize superior management.
An audit report is normally addressed to the President (or designee).
Copies of the final audit report are sent to appropriate administrators,
including the Chancellor, the Vice President for Administration or the
Vice President for Business and Finance, and the Department Head. Summaries
of final reports and responses are also sent monthly to the Board of Regents;
complete reports and responses are available at their request.
9. Maintaining Confidentiality of Audit Reports.
Because all internal audit reports are confidential, they must be protected
and distributed only on a "need-to-know" basis. External auditors performing
authorized audits may gain access to internal audit reports by contacting
the Director of Internal Audit.
10. Responding to Audits.
Each component must address and submit a written response to Internal
Audit within 25 working days of the report date. Responses should fully
address each finding and recommendation in the report, giving enough information
for Internal Audit to evaluate a planned correction or providing sufficient
support for a solution other than the one recommended in the audit report.
Respondents should also specify when each action will be completed.
11. Resolving Differences About Audit Conclusions.
After an audit report has been issued, Internal Audit will continue
to make every effort to settle differences about audit findings and recommendations
within each component's administrative framework. When viewpoints continue
to differ, however, either the component or Internal Audit may forward
the matter to the Chancellor or other concerned administrators at the System
office, as appropriate, for further discussion and possible resolution.
As a last resort, either the component or the Director of Internal Audit
may forward the matter to the Chairperson of the Board of Regents Audit
Committee for final resolution.
12. Reporting to the Board of Regents Audit Committee.
Internal Audit responds to all requests by the Board of Regents Audit
Committee. In addition, summaries of all audit reports and component responses
will be submitted monthly to the Audit Committee. Full reports and component
responses will be submitted at the Audit Committee's request. Further,
Internal Audit will report to the Committee significant findings or those
that demonstrate trends throughout the System. Statistical reports characterizing
the components' overall responses to audit reports or rates of success
or failure in addressing audit findings may be presented to the Committee
periodically as well.
13. Participating in Task Forces and Working Groups.
Internal Audit may participate in task forces or working groups concerned
with establishing new systems or revamping existing systems. Internal auditors
will be assigned to work with such groups when their participation would
clearly be more valuable in the planning and implementing stages rather
than after implementation has taken place. Internal Audit's role in these
situations is to:
- Review the project as it develops;
- Recommend action; and
- Provide relevant information to those responsible for ensuring that the
project incorporates sound principles of managerial control, efficiency,
and effectiveness.
To ensure independence, auditors will not accept assignments that involve
directly designing, installing, or operating the systems that are the subjects
of the group efforts.
14. Describing the Auditing Standards and Code of Ethics.
Internal Audit subscribes to and supports the standards for the professional
practice of internal auditing and the codes of ethics established by the
various recognized auditing and accounting organizations. These organizations
include the Institute of Internal Auditors (IIA), the Information System
Audit and Control Association (ISACA), the United States General Accounting
Office (GAO), and the American Institute for Certified Public Accountants.
Among these standards is the requirement that auditors maintain an independent
outlook in their work, both in attitude and in fact. For this reason, auditors
have no authority to effect changes or take executive action.
15. Reporting Suspected Fiscal Irregularities.
Anyone discovering or suspecting that an employee has taken part in
a fiscal irregularity should refer to Board of Regents' Policy VII
2.30, which provides guidelines for reporting irregularities.
Issued January 7, 1992; Revised October 26, 1992