Office of Internal Audit

The purpose of Arcadia University’s Office of Audit Services is to provide independent, objective assurance and consulting services designed to add value for the university, its stakeholders, and improve Arcadia’s operations. The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, compliance assessments, advice and insight on the mitigation of business risk. The Office of Audit Services helps Arcadia accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control processes, and the internal operating processes that support the University’s mission, vision and core values.

The Office of Audit Services at Arcadia University will conduct its activities in accordance to the mandatory elements of The Institute of Internal Auditors’ International Professional Practices Framework, including the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing. The Director of Internal Audit will report periodically to senior management and the Audit Committee of the Board of Trustees regarding the Office of Audit Service’s conformance to the Code of Ethics and the Standards.

Internal Audit will review and evaluate accounting, financial and operating systems to ensure that they comply with University policies, objectives, procedures, and federal, state and local laws and regulations. Internal Audit can provide as objective assessment of your operations and share ideas for your consideration to help improve your processes. We can also perform management requested consulting engagements.

Compliance – This audit is performed to determine compliance with policies and procedures established by the university, laws and regulations established by the federal, state and local authorities and any applicable external organizations.

Financial – Audit of internal control systems and financial transactions of the university.
Operational – This type of audit will look at the operational efficiency and effectiveness in accordance with the goals and policies established by the university and/or any other outside agencies. Safeguarding assets is also reviewed during this type of audit.

Consulting – provide consulting and advisory services as requested and with certain limitations of time allotted and topic focus.

You can expect to be involved or kept informed in every stage of the audit process. The process works best when we both have a solid and constructive working relationship based on clear and ongoing communications. We will help to ensure that there are no surprises during the audit and will result in a better finished product. 

While each audit is different, the life cycle of most engagements will normally go through a process including broad phases.

The annual audit plan is based a university wide assessment of auditable areas and business risk. Included in the analysis are various risk factors such as financial, compliance, operational, reputational, health and safety, and protection of organizational value.  Input from a variety of sources is obtained and incorporated into the overall development of the plan. This annual audit plan is reviewed and approved by the Audit Committee of the Board of Trustees.  

Fieldwork is the phase of the process involving examination of transactions, documents and records with the purpose of confirming that the controls established by university management exist, are adequate, are being followed, and are operating efficiently. At the conclusion of fieldwork, an exit meeting will be scheduled to discuss the audit results and identify possible corrective action plans, if any are needed.

The deliverable product of an engagement is the audit report. This written report includes a discussion about the specific audited area and the audit observations, both positive and negative. Any audit findings are noted in the report along with recommendations to management and management’s action plan. Audit clients will have the opportunity to review and provide input on the wording of the final report before it is issued to ensure accuracy.

Internal Audit will perform follow up procedures to verify the implementation of management’s action plans for the agreed upon solutions and corrective actions. A timeline is usually included with management’s response to the recommendation. This timeline will be used as a baseline for follow up procedures by Internal Audit. It is Internal Audit’s responsibility to report the follow up status to the Audit Committee of the Board of Trustees. At the completion of each engagement, it is Internal Audit’s intention to request feedback about the audit process and the overall audit experience so we can continuously improve our skills and service.

Audit engagements are performed in three general phases: planning, fieldwork and review, and reporting. The illustration below documents the procedures normally employed in the performance of an engagement.

• Select engagement team
• Perform engagement risk assessment with input from the client, management, and audit team members
• Develop audit scope, objectives, timing and necessary resources to conduct the audit
• Document anticipated deliverables
• Prepare audit program
• Hold entrance conference with client

• Gather information about the process to be audited
• Document and evaluate processes and internal controls
• Interview client staff members
• Develop and perform detailed testing and analysis
• Perform other audit procedures to meet audit objectives
• Review work papers for completeness and accuracy
• Evaluate audit evidence and develop conclusions
• Communicate with client on an ongoing basis

• Document strengths and opportunities for improvement
• Communicate with client management regarding audit results
• Develop preliminary observations and recommendations
• Prepare draft audit report
• Obtain management’s plan of action to address issues
• Prepare final audit report
• Evaluate audit performance
• Follow up on implementation of action plans

The Institute of Internal Auditors defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit will provide an independent and objective review of university operations. Reviews offer the opportunity to identify and improve operations before a weakness may be identified by external auditors. Internal Audit can make recommendations for improving controls, processes and procedures, performance and risk mitigation. 

When you are engaged with Internal Audit, you can expect our team to be courteous and respectful of you, your team and your time. We will communicate throughout the entire process via an entrance meeting, periodic status updates and an exit meeting. We will be professional in all aspects of our operation and consistent in our audit focus. We will strive to obtain an overall understanding of your operations and will probably ask a lot of questions as we both learn and advance through the process. Questions of us are always welcomed as well. Being collaborative through the process is really important as we are on one team together with the ultimate goal of making operations better. An internal audit is not about finding fault or pointing fingers. It is about identifying ways to make things better and putting action plans in place to make that happen. We will be clear in our recommendations and suggestions and maintain the highest level of respect and professionalism. 

We ask and expect management to participate with us in the process. Client involvement is critical at each stage of the audit process. We ask all involved to discuss risks within the area or process and to contribute to suggestions for managing or reducing the risks.

Internal Audit may perform the following activities including offering insight and advice, evaluate risks, assess controls, ensure accuracy, offer recommendations to improve operations, maintain and promote ethics, review processes and procedures, monitor compliance, assure safeguarding for assets, and fraud investigation.  

There are general differences between internal and external auditors. Internal audit is employed by the University though independent of the activities they audit. External auditors are hired by the University generally to provide a specific service. Internal auditors usually will have a broad focus regarding risk, operations, compliance and financial statements. They also will usually have a diverse background and skill set. External auditors are usually much more specific in their focus such as accuracy of the financial statements and will have primarily an accounting background and skills. Whether internal or external, it is important to remember that auditors are looking to help improve the University and its operations by offering recommendations and best practices.

Internal controls are the mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. Besides complying with laws and regulations and preventing employees from stealing assets or committing fraud, internal controls can help improve operational efficiency by improving the accuracy and timeliness of financial reporting.

Some examples of operational internal controls would include:

• Segregation of Duties
• Delegation of Authority
• Purchasing Card Monitoring
• Controls over Cash
• Documented policies and procedures
• Documentation that includes the business purpose for an expense
• Verification and approval of time cards
• Annual performance evaluations
• Review of petty cash accounts

Risk is everyone’s responsibility. Risk is defined as exposure to the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.  Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective of the University. Risks can be internal or external and can be within our control and sometimes outside of our control. Risk can be related to people, process or technology. Risk is measured in terms of impact and likelihood. 

The goal we are striving for as a university is risk reduction. It is unrealistic to think we can totally eliminate risk. We can only hope to minimize and manage our exposure to risk. Identification and assessment of risk, good business practices, documented policies, proper controls and compliance, all work together towards reducing the overall risk for the university. Everyone has a role to play and risk should always be considered by every employee of the university. 

The Internal Control Integrated Framework published by the Committee of Sponsoring Organizations (COSO) is the recognized standard for establishing internal controls. COSO defines internal controls as: “ a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

1. Effectiveness and efficiency of operations – deals with the entity’s achievement of basic business objectives.
2. Reliability of Financial Reporting – Refers to the reliability of the financial information (both internal and external) that is used by decision makers.
3. Compliance with applicable laws and objectives” – deals with complying with laws, regulations, and policies.

Under the COSO model, there are 5 components to a system of internal control. All are applicable to organizations of any size and type but organizations can apply them in different ways. All five components are aimed at achieving one or more of the objectives listed above. The 5 components are: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring.

One component of the five listed above is Risk Assessment. A large component for all university employees is the assessment of risk.  All organizations and levels within an organization face a myriad of operating risks. Risks affect the organization’s ability to survive, successfully compete, maintain financial strength and positive public image, and to maintain the quality of services and products. This component therefore, deals with the organizations ability to set clear operating goals and objectives, identify risks that could impede achievement of those objectives, and to mitigate exposure to those risks to acceptable levels. Understanding risk assessment and how it interacts with everything we do is vital for all employees to recognize.

The Office of Internal Audit, through dialogues with management, completes a risk assessment for the University which culminates in the development of the annual internal audit work plan. The risk assessment process employed is based on a top-down risk based methodology that evaluates risks in people, process, and technology. The annual internal audit work plan is submitted to the Audit Committee of the Board of Trustees for review and approval but is flexible and adjusted as needed. Risks continue to be monitored and evaluated throughout the year with appropriate adjustments to the plan as needed. In conjunction, the University will engage with outside professional firms to also assess risk. These could be top level discussions or more granular as directed.

Risk can be managed by recognition, good process, and continuous monitoring. Including:

• Preparation of a Risk Matrix – identification of potential risks
• Preparation of a Compliance Matrix – identification of all the associated rules and regulations to be followed at the federal, state and local levels, as well as any internal requirements.
• Good Internal Controls – the internal processes to ensure safeguarding of assets. Management is responsible for establishing, maintaining and promoting effective business practices and effective internal controls. But all employees play a part and should be asked for their input to create effective controls.  
• Internal and External Audits – annual or periodic reviews to validate that controls are in place and operating as planned to ensure good business practices and safeguarding of university assets.

The philosophy of the internal audit department is not a “gotcha” mentality. We are focused on risk, its mitigation, and offering suggestions or best practices for improvements. Working together, our overall joint focus is towards improving Arcadia University and its operations to ultimately serve students directly or indirectly.  The success of the audit engagement, for both parties, involves understanding the goals, expectations, terminology, and actions needed and the timeline to result in the agreed upon recommendations. All these areas will be clearly discussed as an audit progresses through each of these phases. 

A good place to start is understanding the university’s support for this process. The University has an Audit Committee of the Board of Trustees which oversees the performance of the internal audit function, approves the annual audit plan and reviews the audit results.  One a day-to-day basis, the administration of the internal audit department reports to the Chief Financial Officer.  Internal Audit works collaboratively with senior leadership and clients to share and discuss audit results before reporting to the audit committee. As a potential client for an audit engagement, ideally we have discussions early in the process to gain context surrounding the department’s strategies, operations, policies and procedures, as well as internal controls at a detailed level.

So you’re probably asking yourself how do I make this process easier on me or how do I make it go away as fast as possible? Well, an understanding of the overall audit process and the actions you can take to accelerate the success of an audit would be a good first step. These include:

• Designate an audit liaison from your department to work directly with the auditor enabling more direct and effective communication.
• Educate the auditor and yourself to learn about each other so we are both talking the same language.
• Share any scheduling concerns with the auditor
• Disclose any known issues. Remember we are both on the same team so if you know something needs improvement, don’t wait for the auditor to find it. They may be able to offer suggestions to help.
• Ask questions. Open dialog is very much welcomed and encouraged.
• Illustrate to the auditor how your processes work by using real life examples. This will help them understand better the purpose and activities of your operations.
• Discuss with the auditor the intended use of requested documentation before you begin to gather it.
• Schedule regular check-ins with the auditor for structured organization.
• Collaborate with the auditor to discuss observations
• Review the draft audit report before it is shared with management.
• Urge Practicality. When you review the draft report, pay close attention to the recommendations of the auditor. Speak up when you know the recommendations will be difficult to implement in your department or offer possible alternate recommendations to facilitate the recommendation.