Internal Audit - Michigan State University · Post audit review & follow up • Three (3) to six...
Internal Audit
August 7, 2018
Marilyn K. Tarrant, CPA, CHC
Executive Director, Internal Audit
Photo © 2008 Michigan State University Board of Trustees
Learning Objectives
Understand Internal Audit’s mission and responsibility
Understand the audit process
Understand common audit areas
Understand common audit findings
Understand IT risks and findings
Identify good internal controls and techniques
Understand fraud indicators and reporting methods
Mission Statement
“To assist University units in effectively discharging their duties while ensuring proper control over University assets.”
Organization of Internal Audit
Marilyn K. Tarrant
Steve Kurncz
Michael Chandel
Roushell Mignott-Nesbitt
Michael Presocki
Student Internship Program
Brianna Slater
Susan Little
Open
David LaHaine
Daryl Saliganan
Chanda Cleaves
Ryan O’Rourke
Internal Auditor Approach
We act as an independent, objective internal assurance and consulting function designed to add value and improve the University’s operations.
We are here to assist you and help protect our University as a whole.
We try to view audit projects as a partnership with you and your department, maintaining a relationship characterized by respect, helpfulness, and collaboration.
We attempt to be as “transparent” as possible.
Roles of IA & Management
University Management
• Develops and enforces effective internal controls
• Responsible for monitoring compliance with federal, state, or applicable laws
• Responsible for setting policies and procedures
• RESPONSIBLE FOR MAKING MANAGEMENT DECISIONS
Internal Audit
• Evaluates and provides reasonable assurance that internal controls are functioning as intended
• Evaluates compliance with federal, state, or other applicable laws
• Evaluates compliance with MSU internal policies
• CANNOT MAKE MANAGEMENT DECISIONS
Audit Plan Development/Approval
“C’mon, why us???”
University-wide risk assessment
• Annual risk discussions - existing/emerging issues
• Special Project Time - investigations/special requests
• Cyclical Audits - inherent risks of your business
• Likelihood (probability of occurrence)
• Impact (effect on MSU/your unit)
Approval
• President
• Audit Committee
Tom Izzo, Head Men’s Basketball Coach
Audit Process
Stage 1 - Planning
Audit engagement
• Engagement letter
• Preliminary information request
Opening meeting
• Project overview given to the management group
• Designate a primary contact person
• Official project start date
Inquiry of management & staff
• Interviews & Internal Control Questionnaires (ICQ)
• Tours
Scope definition
• Risk assessment
• Twelve-month “snap-shot”
Stage 2 - Fieldwork & Documentation
Observations of processes & procedures
• Observing critical processes or activities
Sampling & testing
• Select specific transactions, events or activities for testing
• Collaboration with unit staff
Verification of statements made
• Sample the verbal statements made during the planning process to verify accuracy
Stage 3 - Issue Discovery & Validation
Risk exposure discovery & evaluation
• Risk identification process based on ICQs & fieldwork
• Risk validation & mitigating controls discussion with personnel
Risk exposure presentation to management
• Discussion with management regarding identified risk & potential mitigating controls
Management solution development
• Risk mitigation vs. risk acceptance
• Risk considerations in strategic planning
Stage 4 - Reporting
Draft report development & distribution
• Based on levels of identified risk
• Grade assignment is discussed
• Closing meeting discussion
• Limited draft distribution
Management response opportunity
• Due 30 days from issuance of draft report
• Short description of management's action plan and timeline to address identified risk
Final report distribution
• Standard executive distribution list with additional unit requests
• Management responses included
Stage 5 - Issue Tracking
Post audit review & follow up
• Three (3) to six (6) months after final report is issued
• Review status of management response
• Written status report issued to final audit report distribution list
Periodic status updates
• Potential second post audit review
• Otherwise, we may request periodic progress updates
Internal Audit
Common Audit Areas & Findings
Common Audit Areas
Understanding internal controls
• Segregation of duties; reviews; reconciliations
Testing significant activity including:
• Cash receipts/Accounts receivable
• Expenditures (including payroll, travel, endowments/scholarships)
• Procurement cards
• Grant activity including effort reporting
• Equipment inventory
• Resale inventory
Significant contracts
Sensitive data
Conflict of Interest/Outside work for pay
Common Findings
Non-compliance with:
• MSU Manual of Business Procedures (MBP)
• Federal/State regulations
Lack of segregation of duties – payroll, expenditures, receipting – fiscal officer role/HR roles
Procurement cards not used or reconciled according to the Purchasing Card (Pcard) Users Manual
Travel not authorized appropriately
Travel voucher not completed according to Section 70 of the MBP
Common Findings
Contracts signed by someone without signature authority
Record retention - sensitive data stored in department
Conflict of Interest not disclosed
Outside work for pay policy not followed
Timeliness of cash deposits
Information Technology Auditing
Internal Audit
Formal Definition
Information Technology (IT) Auditing:
Defined as any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them.
In-Formal Definition
Information Technology (IT) Auditing:
Defined as any audit that encompasses the review and evaluation of all aspects (or any portion) of automated information processing systems, including related non-automated processes, and the interfaces between them.
Tom Izzo, Men’s Basketball Coach
Say What?!?!
Basically, a review of the flow of data through an IT infrastructure and the evaluation of the controls that help protect it…
“C.I.A.” Core Control Concept
Confidentiality
• Keeping sensitive data a secret from those without a need-to-know.
• Opposing Force: Disclosure (Fines, Legal Action, Loss of Public Trust)
Integrity
• Protecting data against unauthorized modifications.
• Opposing Force: Alteration (Inaccurate Info, Financial Loss, Waste of Resources)
Availability
• Ensuring data is readily accessible by authorized users.
• Opposing Force: Destruction (Waste of Resources, Financial Loss)
[Figure: The C.I.A. Triad; labels: Confidentiality, DATA]
IT Risks
IT Infrastructure Risks:
• Sensitive information
• Electronic monetary transaction processes (PCI, ACH, etc.)
• System access restrictions and enforcement
• Weak password policies
• Overall network security controls
Typical IT Audit Findings
Data Backup Procedures
Business Continuity Plan
Disaster Recovery Plan
Access Controls
Security Practices
IT Audit Sensitive Data Focus
Identified as a key risk to the University.
• Examples: SSN, Payment Card Data, Student Info., Medical Records, etc.
• Liabilities of Disclosure: Financial Loss, Legal Action, Loss of Public Trust, etc.
MSU Institutional Data Policy (IDP)
• Took effect on January 1st, 2011.
• Defines minimum requirements for securing University institutional data.
• Applies to all University business and academic units and all MSU employees.
• Visit the MSU Information Security webpage for more information.
• https://secureit.msu.edu/
How to Reduce Risk
Internal Audit
Characteristics of a Good Internal Control Environment
Tone at the Top
• Management’s clear commitment to a culture of ethics, integrity and compliance
Adequate management oversight
Proper authorization of transactions and activities
Adequate documents and records – original receipts scanned
Physical safeguards – restricted access
Segregation of duties
Account activity is reviewed monthly and support for transactions is maintained
Fraud Indicators
[Figure: The Fraud Triangle: Pressure, Opportunity, Rationalization]
Pressures
High personal debt
Poor credit
Unexpected financial needs
Addictions (gambling, drugs)
Other Pressures
Opportunity
Lack or circumvention of internal controls
Past failure to discipline embezzlers
Management apathy
Ignorance or incapacity to detect fraud
Lack of an audit trail
Rationalization
The organization owes it to me
I am only borrowing the money
They can afford it
I deserve more
It’s for a good purpose
Methods of Reporting Misconduct
MSU Misconduct Hotline
• Phone or On-line reporting
• Concerns reported include:
  • Conflict of Interest
  • Fiscal
  • Medical/HIPAA
  • Privacy
  • Research
  • Safety
  • Any Other Compliance Issue
Direct contact with Internal Audit, MSU Police, HR, etc.
Key links:
• IA website: www.msu.edu/~intaudit
• Misconduct Hotline website: http://misconduct.msu.edu
Summary of Topics
Internal audit overview
Audit process
Common audit areas and findings
IT risks and findings
Internal controls
Fraud detection and prevention
Key Points for New Administrator
Supervision – support fiscal officer – be involved
Assignment of roles – review annually
Conflict of interest – employment/vendor/time commitment
Good internal controls – common sense
• segregation of duties
• approvals
• reconciliations – pcards/general ledger/review transactions monthly
• travel requirements/authorizations (section 70 Manual of Business Procedures)
  https://ctlr.msu.edu/combp/mbp70EBS.aspx
Professional service contracts
https://usd.msu.edu/purchasing/purchase-orders/professional-services-contract/index.html
Ethical decisions
Maintain adequate documentation – scanned copies
Compensation time – policy/documentation
Address performance issues timely
Questions
Thank You!
* Background Images Compliments of MSU University Relations Photo © 2008 Michigan State University Board of Trustees
Internal Audit
Marilyn K. Tarrant, Executive Director
Email: [email protected]
Internal Audit Main Phone: (517) 355-5030
MSU Misconduct Hotline: 1-800-763-0764
Please Visit Our Website For More Information: www.msu.edu/~intaudit