How to Survive an Audit Risk Awareness Certificate Series Staff Development and Professional Services. Presented by: Internal Audit Services (IAS). Presentation Objectives. Familiarize you with the kinds of auditors / audits you may encounter at UC Davis
How to Survive an Audit Risk Awareness Certificate Series Staff Development and Professional Services Presented by: Internal Audit Services (IAS)
Presentation Objectives • Familiarize you with the kinds of auditors / audits you may encounter at UC Davis • Describe what to expect during an audit • Provide suggestions on how best to prepare for an audit • Help you work effectively with auditors during an audit
Definition of an Audit Audit is a term used to describe independent and objective work done by accountants and auditors in examining or reviewing the • fair presentation of financial statements, • economy and efficiency of operations, • effectiveness in achieving program results, • compliance with laws and regulations.
Regulatory & Professional Requirements The auditing profession is governed by regulatory bodies such as SEC, IIA, Comptroller General, etc. Auditors adhere to professional standards such as independent and ethical demeanor, objectivity, competency and continuing education, planning and supervision, etc.
Types of Audits • Internal – Evaluation of risk exposures relating to the University’s governance, operations, and information systems regarding • reliability and integrity of financial and operational information • economy and efficiency of operations • safeguarding of assets • compliance with policies, procedures, laws, regulations and contracts • Financial – Attestation to the fair presentation of an entity’s financial statements • Compliance – Assessment of adherence to policies, procedures, laws, regulations, and contracts • Investigations – Determination regarding the validity of allegations of wrongdoing or misuse of University resources
Auditors You May Encounter • Internal Auditors – University employees who perform primarily internal audits and investigations as a service to management • External Auditors – Auditors not employed by the University who may work for regulatory agencies or public accounting firms, and primarily perform compliance or financial audits
IAS Reporting Structure • UCOP: UC Regents; UC Auditor (Patrick Reed); UCD Audit Director (Rick Catalano); IAS (13 total staff): Two Assoc. Dirs., Two Admin. Staff, Eight Auditors • UCD Chancellor’s Office: ORMP (John Meyer); IAS (Rick Catalano); Audit Committee (John Meyer, Chair); Investigations Coordination Work Group (Robert Loessberg-Zahl)
How Was My Department Selected for an Audit? Each year, IAS prepares an audit plan by • identifying all potential operational audit topics (audit universe); • conducting interviews with key members of management; • ranking potential topics based upon the following five risk factors: • Quality and Stability of Control Environment • Business Exposure • Public and Political Sensitivity • Compliance Requirements • Information Technology and Management Reporting • selecting topics with the highest cumulative risk scores for inclusion on the audit plan. Audits can also be added to the plan by management request or a mandate from Office of the President.
Consideration Factors For example, IAS may select a department for an audit if it has recently • been the focus of an investigation; • performed similar activities highlighted in an unrelated investigation of another department; • experienced significant changes (new systems / regulations / programs / etc.); • experienced turnover of critical staff; • been awarded significant research funding; • performed activities in IAS “core” areas.
Samples of Audit Categories We may conduct “core” audits in the following areas
Samples of Audit Categories (continued) We may also conduct Administrative Reviews of any Department or School, including an evaluation of controls over the following activities
What is the Audit Process? • Notification – Send announcement letter; conduct entrance conference • Preliminary Survey – Gather information to help focus the audit on areas of greatest risk; develop the audit program • Fieldwork – Perform detailed testing • Reporting – Discuss audit observations as issues are noted; issue draft report and obtain management’s corrective actions; issue final report • Follow-Up – Determine if corrective actions agreed to by management have been implemented
Where Do We Focus? During an audit, IAS may focus our efforts in such areas as • management of research funds; • knowledge of policies and procedures; • awareness of proper control practices; • management style; • high dollar operations or activities; • more complex/higher volume/less common activities; • more complex funding terms and conditions.
How Can a Department Prepare for an Internal Audit? Learn to think like an auditor and consider the five components of internal control by evaluating your: • Control Environment – Ensure you have good tone-at-the-top, integrity, ethics, and competence. • Risks – Identify obstacles to achieving your objectives. • Control Activities – Identify procedures or practices in place to minimize your risks and maximize achieving your objectives. • Information and Communication Systems – Ensure you are relevant, timely, and accurate in your reporting. • Results (through Monitoring) – Periodically assess your controls and processes to ensure you are meeting objectives.
How Can a Department Prepare for an Internal Audit? Before IAS ever notifies you that you will be audited • understand that it is the department’s responsibility to develop, implement, and maintain controls to manage risk and achieve goals; • ensure that separation of duties is adequate (PPM 330-11, Departmental Financial Administrative Controls and Separation of Duties); • ensure that staff have an understanding of the policies and procedures impacting their areas of responsibility (e.g., identify / reconfirm high-risk areas);
How Can a Department Prepare for an Internal Audit? Before IAS ever notifies you that you will be audited (continued) • ensure that staff are complying with policies and procedures impacting their areas of responsibility (e.g., implement appropriate procedures); • ensure that staff are following sound record retention protocol (PPM 320-Series, Records and Archives, and PPM 330-Series, Financial Management and Services); • consider completing the Internal Control Assessment – Self Evaluation Tool (currently under revision – call us); • consider performing a control self-assessment with assistance from the Controls and Accountability Division (AF&S – John Gregg)
How Can an Individual Work Most Effectively with the Internal Auditors? You can help the audit process go more smoothly when you • are open and honest; • advise auditors up-front of any known problems; • are responsive to requests for information and documents; • work with the auditors to develop a plan of corrective action for problems noted during the audit; • ask questions when you don’t understand the auditors’ assumptions or conclusions; • remember that we are all working together for the betterment of the University.
What the Auditors Look For – Best Practices We like to see good organizational (operational and fiscal) practices, such as • Completed worksheets / computations; • Knowledge of PPMs / reference materials; • Well thought out processes and procedures; • SOPs / Desk Manuals / Checklists; • Document Control – Management of original documents, correspondence, etc.; • Adherence to DaFIS and PPS accountability rules for initiators and reviewers; • Designated backups or delegates for initiators and approvers.
What Do We Report On? High Level IAS communicates results in the following broad review areas • Operational Processes & Functions • Internal Control Activities • Advisory Services • Investigations (to limited parties)
Investigations at UCD The investigation process is different than the audit process just described . . .
Investigations Defined They are • conducted in accordance with requirements outlined in PPM 330-95, Misuse of University Resources; • coordinated by the Investigations Coordination Work Group (ICWG); • conducted to determine the validity of allegations in question and to identify any internal control weaknesses that may have contributed to the misuse; • confidential, and communication with department personnel depends upon the allegations and who is involved; • Typically, written results are reported directly to the chair of the ICWG for distribution as necessary, though minor investigations may now be sent directly to the department.
Investigation Protocol What should I do if I am contacted about an investigation in my department? • Read and become familiar with • PPM 330-95, Misuse of University Resources; • PPM 380-17, Improper Government Activities; • UCOP Whistleblower Policies: The Whistleblower Policy, and The Whistleblower Protection Policy • Whistleblower Hotline Numbers: • UC Davis = 1.877.384.4272 • UC-wide = 1.800.403.4744 • Cooperate with auditors conducting the investigation to the best of your ability. Always maintain confidentiality regarding the investigation!
How Does the Whistleblower Policy Work? The University of California wants you to report improper activities, and will protect you from retaliation for whistleblowing. A person should report • any UC-related activity that may violate any state or federal law or regulation, or activities that may involve waste, misconduct, incompetence, or gross inefficiencies; • suspected improprieties to any number of places, including your supervisor, the campus locally designated officer (LDO), various offices, or hotline numbers; • the suspicious activity in writing or orally and with as much specific factual information as possible (it can be filed anonymously).
Primary UC Davis Regulatory Agencies UC Davis may be audited by any or all of the following agencies: • The Department of Health and Human Services (HHS) – the University’s designated cognizant agency, which provides oversight of audits conducted by and on behalf of federal agencies. Cognizant agency functions are typically run out of the Office of Inspector General (OIG). • The OIG are auditors from other federal agencies, including the National Science Foundation (NSF) and the United States Department of Agriculture (USDA). • The Bureau of State Audits is California’s state auditor responsible for audits requested by the Joint Legislative Audit Committee.
Why was my department or program selected for review? A regulatory audit can be triggered by • failure to submit financial and/or technical reports by deadlines; • amended financial reports; • requests for deviations (e.g., budget transfers, cost overruns, etc.); • complaints by disgruntled employees; • random selection by agency; • scheduled periodic monitoring as stipulated in a contract or grant agreement. Audits by federal and state regulatory agencies can be pre-award, post-award, renewal reviews, or peer reviews.
Are there University policies regarding regulatory audits? UC Davis currently does not have a policy regarding external reviews, though one is being developed. However, as soon as you learn you are going to be audited by an external agency, contact Extramural Accounting and IAS. We have been through this many times and can help make the audit process run a little smoother. The Health System does have a policy in place for regulatory agency reviews related to clinical research (Hospital Policies and Procedures – 1506). This policy requires notification to the Licensure and Accreditation Office.
What is the audit process for regulatory audits? There is not a uniform audit process for the various regulatory agencies that may audit at UC Davis. There may be differences in the • Audit Notification Process (it could be unannounced); • Audit Purpose and Objectives (which may not be shared); • Communication Method (of results / findings); • Turn-Around Response Time (may be tight time frame).
What will the regulatory auditors focus on? • Labor distribution and effort reporting (PARs) • Level of commitment (looking for greater than 100% commitment on funded projects) • Equipment purchases • Travel (especially foreign) • Use of consultants • Program income • Recharges • Subcontracts • Indirect costs (including direct charging of costs – e.g., salaries and benefits for administrative personnel that are normally included in the indirect cost rate) • Cost transfers (using C&G funds to provide bridge funding for other projects) • Cost sharing • Costs charged at the end of the C&G period
How can I prepare for a regulatory audit? The key to being prepared for a federal regulatory audit is to properly maintain the books and records associated with the contracts and grants (C&G) on an ongoing basis – long before the auditors ever come to visit. This means • proper controls within the department over all types of expenditures (principal investigator approval, separation of duties, management of source documents, etc.); • timely review and reconciliation of C&G accounts by an individual who is knowledgeable about costing requirements for contracts and grants; • proper documentation/support for any necessary cost transfers; • timely review and signature of Personnel Activity Reports (PARs) by a knowledgeable person (should be the principal investigator); • timely submission of required financial and technical reports.
How can I prepare for a regulatory audit? It is important to have a basic familiarity with the regulatory requirements related to federal contracts and grants, including • OMB Circular A-21 “Cost Principles for Educational Institutions”; • OMB Circular A-110 “Uniform Administrative Requirements for Grants and Agreements With Institutions of Higher Education, Hospitals and Other Non-Profit Organizations”; • OMB Circular A-133 “Audits of State, Local Government and Non-Profit Organizations” (Single Audit); • Rules specific to agencies you are working with.
Interacting with External Regulatory Auditors – Helpful Hints* Do’s • Be honest and open. • Understand the purpose of the meeting and review related records prior to interviews. • Listen carefully and understand each question before answering. • Be sure responses are complete and accurate. • Respond only to the question asked; keep answer simple and direct. • Weigh answers carefully, being certain you have the facts to back them up. • Limit comments to areas where you have "first hand" knowledge. Don’ts • Do not speculate or answer hypothetical questions. • Do not agree or disagree with opinions. • Do not "ramble" or provide irrelevant information (office gossip). • Do not get offended by WHY questions. • Do not sign anything on behalf of the University. * Courtesy of University of Washington (UW)
Interacting with External Regulatory Auditors – Helpful Hints* There are many elements to consider in the audit process; we will highlight some of the basic areas and give pointers on how to help the audit go more smoothly. Call IAS for more details if you are audited. We will discuss five basic areas: • The entrance conference • Document management • Fieldwork (testing) • Response to the findings • Response to the audit report * Courtesy of UW
Interacting with External Regulatory Auditors – Helpful Hints* • During the entrance conference you should • remain positive; • get contact names and information; • get explanations from the auditor (e.g., why selected, their audit process/timelines/estimated report date/reporting process); • clarify the audit objective and scope; • discuss the results of other recent audits – this may limit the scope of the current audit; • determine staffing and space requirements. * Courtesy of UW
Interacting with External Regulatory Auditors – Helpful Hints* • In response to the auditor’s request for documents, you should • obtain a list of requested records; • provide only requested records; • keep original documents in the department, if possible (or make copies of any documents leaving your area); • get clarification on ambiguous requests (ask the auditor for the purpose of reviewing the document and make alternative recommendations that would better meet the purpose); • don’t allow full access to your documents unless absolutely necessary; * Courtesy of UW
Interacting with External Regulatory Auditors – Helpful Hints* • In response to the auditor’s request for documents, you should (continued) • communicate reasons for any significant delays; • provide documents to the auditors upon their arrival / ASAP; • keep a list of records provided and ensure all records are returned; • review records you are providing to anticipate questions; • if a record will hurt the University's interest, notify department management and IAS of the issue. * Courtesy of UW
Interacting with External Regulatory Auditors – Helpful Hints* • During audit fieldwork (testing phase) you should designate a central contact person who will try to • keep the audit focused and parties informed; • facilitate the audit and stay in contact with the auditor; • resolve audit issues as they arise; • attend meetings between the auditors and employees when possible (but respect an employee's wish to meet with the auditor alone). * Courtesy of UW
Interacting with External Regulatory Auditors – Helpful Hints* • When responding to audit findings you should • ensure an exit conference is held to confirm facts and respond to the audit (ask a representative from IAS and/or Extramural Accounting to attend if there are questioned or disputed findings); • ask for time to review findings; re-verify calculations and source data; • concede valid findings, but do not speculate on whether they apply to other areas on campus; • take immediate corrective action and resolve the issues before they are put in writing, if possible; • discuss the disposition of audit issues with the auditor (determine if it will be addressed as a verbal comment, exit item, management summary, or report item); • appeal the auditor's conclusion with their supervisors if necessary (this action should be coordinated with IAS and Extramural Accounting). * Courtesy of UW
Interacting with External Regulatory Auditors – Helpful Hints* 5) When responding to the audit report you should • ask to review the draft report. • provide a management response which should include • whether you agree or disagree with the finding, • a corrective action plan, • a target date for implementation. • understand the audit follow-up process. • consult with IAS and Extramural Accounting prior to finalizing your response. * Courtesy of UW
Annual Financial Audit The University’s public accountants conduct an annual audit for the purpose of • attesting to the fair presentation of the University’s financial statements; • performing the annual review of federally funded programs mandated by OMB Circular A-133 – Single Audit. Interaction with the external financial auditors is normally confined to Accounting and Financial Services and the departments administering significant federally funded contracts and grants.
Selected References • IAS Contacts (under construction) (http://www.ormp.ucdavis.edu/audit/contact.html) • UCOP Auditor (http://www.ucop.edu/audit/) • UCOP Whistleblower Policy: • (http://ucwhistleblower.ucop.edu) • (http://ucwhistleblower.ucop.edu/policy.html) • (http://ucwhistleblower.ucop.edu/docs/wbposter.pdf) • AFS (http://accounting.ucdavis.edu/) • Administrative Responsibilities Handbook (http://accounting.ucdavis.edu/refs/AdminHandbook.pdf) • PPMs (http://manuals.ucdavis.edu/) • UCDHS P&Ps (http://intranet.ucdmc.ucdavis.edu/policies/) • OMB Circulars (http://www.whitehouse.gov/omb/circulars/)
QUESTIONS? Contact Information: Leslyn Kraus, 530.752.9173, lakraus@ucdavis.edu Sueann Gawel, 530.752.7597, shgawel@ucdavis.edu Sherrill Jenkins, 530.752.0341, ssjenkins@ucdavis.edu