Internal Audits: What to Expect

If the Internal Audit Office contacts you to request information or to notify you of an upcoming audit, you may want to understand our process, why we need your assistance and the rules protecting you and your colleagues.

The Internal Audit process is completed in four phases. During the planning phase, the audit team works with the department to understand the processes and internal controls in place. We use that information to evaluate the level of risk there is to the University and its assets. Based on risk levels, we determine what testing will be appropriate.

During the fieldwork phase, the audit team tests the subject matter to determine if the processes and internal controls that are in place are effective and efficient in minimizing risk. This may include interviewing staff, analyzing data and reviewing supporting documentation. As we complete our testing, we will likely reach out to the department lead to inquire about outliers or unexpected results. Usually, there is a reasonable explanation for these outliers, and follow-up questions do not necessarily indicate negative results.

Once testing is complete and the audit team feels that it has a sound understanding of the subject, we prepare a report. We will share any findings or observations with management and answer questions about our results. When the report is finalized, management will have the opportunity to write a response that will be included in the final report. Managers often use their responses to describe additional procedures or controls that have been incorporated since the testing period.

If the audit results in findings, the IAO will revisit the subject once the department has had a reasonable amount of time to implement changes. Follow-up audits follow the same process as others, but the scope is usually limited to the prior findings.

In accordance with the internal audit charter, NCGS §116-40.7, NCGS §143-748 and other applicable laws, the Internal Audit Office has unrestricted access to all records, assets and other resources of the University that are necessary to accomplish its objectives. The IAO, with strict accountability for confidentiality and safeguarding records and information, is authorized to:

• Have full, free and unrestricted access to all university functions, data, information, records, manual and automated systems, property and personnel;
• Have unrestricted access to external personas and records as a result of all contracts and grants entered into by the university;
• Have direct access to the Chancellor of North Carolina Central University, through the Chief of Staff, and shall present any matter considered to be of sufficient importance to warrant attention or that has been brought to the IAO for review;
• Have free and unrestricted access to the audit committee of the Board of Trustees;
• Audit or review any function, activity or unit of the university and the accounts of all organizations required to submit financial statements to the university;
• Allocate resources, set frequencies, select subjects, determine the scope of work and apply the techniques required to accomplish the audit objectives;
• Obtain the necessary assistance of personnel in units of the university, as well as other specialized services from within or outside the university.

In order to maintain an effective spirit of independence and objectivity, the IAO shall have no day-to-day authority or operating responsibilities for the management processes, activities or the internal controls that it audits or reviews. Thus, compliance and audit activities do not relieve university administrators, staff and faculty of the responsibilities assigned to them.

Further, the IAO is not authorized to:

• Perform any operational duties for the university or its affiliates;
• Initiate or approve accounting or other transactions external to the IAO;
• Direct the activities of any university employee not employed by the IAO, except to the extent such employees have been appropriately assigned to auditing teams or to otherwise assist the internal auditors.

Section 116-40.7 of the North Carolina General Statutes states that Internal Audit work papers are confidential unless subpoenaed by an authorized court or required by another audit or an authorized representative of the State or Federal government in connection with some matter officially before them.

While a published Internal Audit report is a public record, this is only to the extent that it does not include information that is confidential under state or federal law, or unless it would compromise the security of a state agency. Personally identifying information will be redacted from audit reports and work papers before they are made available for public inspection.