What is Internal Auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Institute of Internal Auditors, 2012


Internal Controls

What are Internal Controls?

Internal controls, in the broadest sense, include the activities and procedures adopted by management to help meet their goals. Internal controls include processes for planning, organizing, directing, controlling, and reporting on the organization’s operations. Internal controls are an integral component of an organization’s operations that provide reasonable assurance that the following objectives are being achieved:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

What are the Components of Internal Controls?

Management is responsible for developing and maintaining internal control activities that address the following five interrelated components:

  • The control environment is the organizational structure and culture created by management and employees to sustain organizational support for effective internal controls.  When designing, evaluating, or modifying the organizational structure, management must clearly demonstrate their commitment to competence in the workplace.  Within the organizational structure, management must clearly:

    • Define areas of authority and responsibility.

    • Appropriately delegate authority and responsibility throughout the organization.

    • Establish a suitable hierarchy for reporting.

    • Support appropriate human capital policies for hiring, training, evaluating, counseling, advancing, compensating, and disciplining personnel.

    • Uphold the need for personnel to possess and maintain the proper knowledge and skills to perform their assigned duties.

    • Understand the importance of maintaining effective internal control within the organization.

    The organizational culture is also crucial within this standard.  The culture should be defined by management’s leadership in setting values of integrity and ethical behavior, but is also affected by the relationship between the organization and the Board of Regents.  Management’s philosophy and operational style will set the tone within the organization. Management’s commitment to establishing and maintaining effective internal controls should cascade down and permeate the organization’s control environment which will aid in the successful implementation of internal control systems.

  • Risk assessment requires management to identify internal and external risks that may prevent the organization from meeting its objectives. When identifying risks, management should take into account relevant interactions within the organization as well as with outside parties. Management should also consider previous findings (e.g., auditor-identified issues, internal management reviews, or noncompliance with laws and regulations) when identifying risks. Identified risks should then be analyzed for their potential effect or impact on the organization.
  • Control activities include policies, procedures, and mechanisms in place to help ensure that organization objectives are met. Examples of control activities include:

    • Proper segregation of duties (separate individuals who authorize transactions from those who process and review transactions).

    • Physical controls to safeguard assets.

    • Proper approval of transactions and events.

    • Appropriate documentation and access to that documentation.

    Internal controls also need to be in place over information systems, including both general and application controls. General controls apply across all information systems (mainframe, network, and end-user environments) and include organization-wide security program planning and management, control over data center operations, and system software acquisition and maintenance. Application controls should be designed to ensure that transactions are properly authorized and processed accurately and that the data is valid and complete. Controls such as edit checks should be established at application interfaces to verify inputs and outputs. General and application controls over information systems are interrelated, and both are needed to ensure complete and accurate information processing: an application control is only as reliable as the general controls (such as control over system software maintenance and access to the system) that protect the system it runs on. Due to the rapid changes in information technology, controls must also adapt and evolve to remain effective.

  • Information and communication means that relevant information is communicated to personnel at all levels within an organization. The information should be relevant, reliable, and timely. It is also crucial that an organization communicate with outside organizations, whether providing information or receiving it.

    Examples include:

    • Receiving updated guidance from central oversight agencies.

    • Management communicating requirements to the operational staff.

    • Operational staff communicating with the information systems staff to modify application software to extract data requested in the guidance.
  • Monitoring the effectiveness of internal controls should occur in the normal course of business. In addition, periodic reviews, reconciliations, or comparisons of data should be included as part of the regular assigned duties of personnel. Periodic assessments should be integrated into management’s continuous monitoring of internal controls, which should be ingrained in the organization’s operations. If an effective continuous monitoring program is in place, it can even out the resources needed to maintain effective internal controls throughout the year.

    Deficiencies found in internal controls should be reported to the appropriate personnel and management responsible for that area. Deficiencies identified, whether through internal review or by an external audit, should be evaluated and corrected. A systematic process should be in place for addressing deficiencies.
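The application controls described under Control activities above (authorization, segregation of duties, and edit checks that confirm data is valid and complete) are easier to evaluate when you can see one concretely. The following is an added example written for this page, not code from KSU Internal Audit or any system it reviews. The transaction record layout, the chart-of-accounts number format, the role-to-approval-limit table, and the five sample transactions are all constructed for illustration; a real system would take these from its own master data.

```python
"""Application-control checks over a batch of financial transactions.

Added example (not part of the original page). It runs three kinds of
control over each record and reports which control each record fails:
  - edit checks at the interface: completeness and validity of the input
  - proper approval: the approver must hold authority for the amount
  - segregation of duties: the initiator may not also be the approver
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import re

# Hypothetical approval authority per role and a hypothetical user directory.
APPROVAL_LIMITS = {"manager": Decimal("5000"), "director": Decimal("50000")}
ROLES = {"alice": "clerk", "bob": "manager", "carol": "director"}
# Hypothetical chart-of-accounts format: fund-account-object, e.g. 10-2000-100.
ACCOUNT_RE = re.compile(r"^\d{2}-\d{4}-\d{3}$")
REQUIRED = ("id", "account", "amount", "initiated_by", "approved_by")


@dataclass
class Finding:
    txn_id: str
    control: str   # name of the control that failed
    detail: str


def edit_checks(txn: dict) -> list[Finding]:
    """Input edit checks at the application interface: completeness and validity."""
    tid = str(txn.get("id") or "<missing id>")
    findings = []
    missing = [f for f in REQUIRED if not txn.get(f)]
    if missing:
        findings.append(Finding(tid, "completeness", "missing fields: " + ", ".join(missing)))
    if txn.get("account") and not ACCOUNT_RE.match(str(txn["account"])):
        findings.append(Finding(tid, "validity", f"malformed account {txn['account']!r}"))
    try:
        amount = Decimal(str(txn.get("amount", "")))
        if amount <= 0:
            findings.append(Finding(tid, "validity", f"non-positive amount {amount}"))
    except InvalidOperation:
        findings.append(Finding(tid, "validity", f"non-numeric amount {txn.get('amount')!r}"))
    return findings


def authorization_checks(txn: dict) -> list[Finding]:
    """Proper approval of the transaction and segregation of duties."""
    tid = str(txn.get("id") or "<missing id>")
    findings = []
    initiator, approver = txn.get("initiated_by"), txn.get("approved_by")
    if initiator and approver and initiator == approver:
        findings.append(Finding(tid, "segregation_of_duties",
                                f"{approver} both initiated and approved"))
    role = ROLES.get(approver)
    limit = APPROVAL_LIMITS.get(role)
    if approver and limit is None:
        findings.append(Finding(tid, "approval", f"{approver!r} has no approval authority"))
        return findings
    try:
        amount = Decimal(str(txn.get("amount", "")))
    except InvalidOperation:
        return findings  # the edit checks already report the unusable amount
    if limit is not None and amount > limit:
        findings.append(Finding(tid, "approval", f"{amount} exceeds {role} limit of {limit}"))
    return findings


def review_batch(txns: list[dict]) -> list[Finding]:
    """Run every control over every transaction and collect the findings."""
    findings = []
    for txn in txns:
        findings.extend(edit_checks(txn))
        findings.extend(authorization_checks(txn))
    return findings


def failed_controls(txns: list[dict]) -> dict[str, set[str]]:
    """Map each failing transaction id to the set of controls it failed."""
    out: dict[str, set[str]] = {}
    for f in review_batch(txns):
        out.setdefault(f.txn_id, set()).add(f.control)
    return out


# Constructed sample batch: one clean record and four that each fail a control.
SAMPLE_TXNS = [
    {"id": "T1", "account": "10-2000-100", "amount": "1200.00", "initiated_by": "alice", "approved_by": "bob"},
    {"id": "T2", "account": "10-2000-100", "amount": "300.00", "initiated_by": "bob", "approved_by": "bob"},
    {"id": "T3", "account": "10-2000-100", "amount": "20000.00", "initiated_by": "alice", "approved_by": "bob"},
    {"id": "T4", "account": "", "amount": "-5", "initiated_by": "alice", "approved_by": "carol"},
    {"id": "T5", "account": "ABC", "amount": "abc", "initiated_by": "alice", "approved_by": "dave"},
]

if __name__ == "__main__":
    for f in review_batch(SAMPLE_TXNS):
        print(f"{f.txn_id}: {f.control}: {f.detail}")
```

Each control is a separate function so that an auditor can test one control in isolation, and every failure is recorded as a finding rather than stopping at the first problem, which is what a review of a batch needs. Note that T5 fails both an edit check and the approval control: the general control that maintains the user directory (who holds which role) is what the approval check depends on, which is the interrelation between general and application controls described above.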

Planned Review Process

The process for planned reviews consists of the following phases:

  • Internal Audit conducts an opening conference with the Vice President, management, and key staff members of the office being audited to discuss the audit process and potential areas that could be reviewed with management and staff members. The conference is a participative forum that encourages input from participants and is designed to establish a teaming relationship with our audit customers.
  • Internal Audit invites staff and management members to a collaborative meeting before audit fieldwork begins. During the meeting, participants work together to identify the key processes of the area being audited, the risks associated with those processes, and the internal controls that are or should be in place to reduce those risks.

    PWT meetings will be held throughout the audit, either at the request of management or Internal Audit, to discuss audit observations and applicable management action plans.

  • The fieldwork phase consists of performing audit activities to satisfy the scope and objectives of the audit. General fieldwork procedures typically include:

    • Interviews with relevant staff and management members to determine the primary functions for each area or department, job responsibilities of each individual and how those responsibilities are fulfilled. During the interviews, we also determine reporting relationships and areas that employees are concerned about and/or would like Internal Audit to review.

    • Expenditure testing to verify compliance with departmental, KSU, Board of Regents, State, and Federal expenditure policies and procedures (e.g., general expenditures, P-Card expenditures, travel, appropriate approvals, business purposes, etc.).

    • Process reviews to determine if adequate internal controls are in place to reduce the risks associated with key processes (e.g., segregation of duties, cash handling procedures, etc.).

    • Review of safety measures in place (e.g., card readers, locks on doors, hazardous materials, etc.).

    • Safeguarding of assets (e.g., access to keys, combinations to safes, sign-out for assets that leave the campus, etc.).

    • Safeguarding of information (e.g., access to information systems and specific computer functions, retention of information, locked filing cabinets, etc.).
  • Throughout the audit, the auditor will provide information to management regarding areas where there are opportunities for process improvement. After meeting with management and relevant staff members to determine the most practical and reasonable way to improve these processes, management will be given the opportunity to implement the agreed-upon management action plans before the completion of the audit. 

    There may be instances where management is not able to implement agreed-upon management action plans for process improvement before the completion of the audit. For these occurrences, we will conduct a PWT meeting with departmental management and staff members to discuss the outstanding action plans, obtain agreement with them regarding the best way to report the observations, and determine the most reasonable and practical way to implement the remaining action plans. Based on this discussion, we will team with management to develop and document a management action plan and determine an estimated date of completion for the action plan. The audit observations and the related management action plans will be documented in the final audit report.

  • Before writing the draft audit report, Internal Audit will conduct a PWT meeting with management and staff members where participants help us determine what information should be in the report and the best format to use to present the information. Audit reports typically include:

    • Summary results of the areas tested.
    • Executive summary.
    • Introduction and background information.
    • Organizational structure.
    • Audit scope and objectives.
    • Detailed information on audit observations and management action plans for those areas where management was not able to implement process improvements before the completion of the audit.

    After the draft audit report is written, it will initially be shared only with management of the office that was audited and will not be distributed to any individuals outside of that office. Internal Audit will solicit feedback from management of the office audited to determine if they agree with the content and format of the draft audit report and if they have any suggestions to improve the report. This process will continue until management of the office audited and Internal Audit agree with the content and format of the draft audit report.

    After all agreed-upon revisions have been made to the draft audit report, a formal exit conference will be held to discuss the report. Formal exit conference attendees include Vice Presidents, management, and key staff members. After the formal exit conference is completed, Internal Audit will incorporate any changes into the draft audit report that were agreed-upon during the conference. The draft audit report will then be provided to KSU’s President and the Vice Presidents for their review and comments. After approval from the President and Vice Presidents, the final audit report will be distributed to KSU’s executive management, departmental managers, and the Board of Regents’ Chief Audit Officer and Associate Vice Chancellor.