Financial and Operational Auditing works toward ensuring:
Prior to the start of a project, Financial and Operational Audit (FOA) staff will meet with departmental management to discuss the upcoming audit. This will give management the opportunity to become familiar with our process and for the auditors to learn more about the department or process being reviewed.
Management can use this time to discuss areas of concern that they may want included in the audit.
At the start of the audit, we will review with management a series of questions that will help us identify areas of risk and internal control so we may focus our efforts during the project. This will result in a more productive and effective audit.
During this part of the process our staff will select specific controls to test. We will review documents and transactions such as time sheets, expenditures and deposits. Employees may be interviewed and procedure manuals will be reviewed. Any errors or concerns will be brought to the attention of management at this stage. There should be no surprises in the report. Our staff will work around your schedule and cause minimal disruption.
Shortly after the conclusion of field work, we will prepare a written DRAFT report. This report summarizes the results of our testing and analysis. If deficiencies were identified, we will include recommendations to correct these problems. We will ask management to review the report for accuracy.
Management and FOA can meet to discuss the findings and recommendations. The department can provide clarification during this meeting that may change the contents of the report.
We will ask management to address the findings and recommendations included in the report (if any). This response should include how and when management plans to correct the problems that were identified.
Once all changes have been finalized and management has provided their response, a FINAL report will be issued. The FINAL report will be distributed to the appropriate management, vice-president, president and Audit Committee of the Board of Regents.
Approximately 6 months after completion of the audit, we will contact management to review the status of agreed upon recommendations. Results of the follow-up review will be distributed to those who received the original audit report. We will continue to monitor the status until all problems have been resolved.
At the end of the audit, we will forward a confidential evaluation to management to learn what our office did right and what areas need improvement.
o Financial- The purpose of this type of review is to determine whether an organization's financial information was properly recorded and adequately supported. A financial audit also provides an assessment as to the accuracy, fairness, and reliability of information provided in the preparation of the financial statement.
o Compliance- During these audits, we evaluate the degree of adherence to laws, regulations, policies, and procedures.
o Operational- We review the procedures and practices of the department and the use of resources to determine if goals and objectives are being met in the most effective and efficient manner.
o Information Technology- We evaluate system processing controls, data security, physical security, systems development procedures, contingency planning, and systems requirements.
o Special Investigations- These audits are performed in response to allegations received by our office through the University's third-party helpline or other internal and external sources.
FOA completes an annual risk assessment that is the basis of our audit plan. The frequency of departmental audits is based on a risk assessment process. We consider several risk factors such as size and complexity of the department, compliance risks, amount of cash receipts, changes in key personnel, etc. Departments with high risk will be audited more frequently than those with medium or low risk. We also receive input from management as we develop our audit plan.
All audits are unique but they generally follow the same process:
o Planning: During this phase, the objectives and scope are determined. A meeting is held with the department head regarding the audit plan and what is required during the audit. At this meeting we will review expectations of management and expectations of the audit staff.
o Fieldwork: This phase involves conducting interviews and testing compliance with policies and procedures. Internal controls are also assessed and tested. This represents the majority of time spent on the audit.
o Reporting of Results: In this phase, a summary of audit findings and recommendations is prepared and presented to management for discussion. A closing meeting can be scheduled to discuss the results of the audit. Once the findings, recommendations and management responses are finalized, a report is issued to management, the appropriate vice-president, the president and the Audit Committee of the Board of Regents.
o Six Month Follow-Up Review: This phase ensures that all audit recommendations have been satisfactorily implemented. Some verification procedures will be performed to ensure that recommendations have been adequately addressed. We will continue to monitor all recommendations until they have been implemented. The results of the follow-up reviews will be shared with those individuals who received the original report.
o Ensure that university assets (cash/checks, equipment, facilities) are adequately safeguarded from loss, theft or misuse.
o Evaluate the effectiveness and efficiency of internal controls and resources employed.
o Review the reliability and integrity of financial and operational information.
o Ensure compliance with applicable policies, procedures, plans, laws and regulations.
Requested audits and investigations will have other objectives.
During each audit we expect open communication and your complete cooperation. We will need to meet with key personnel of the department for planning, interviewing and testing purposes. We will require full and complete access to your records and information. To ensure that the audit is completed in a reasonable time we will need the full cooperation of you and your staff. This includes providing requested documents in a timely fashion.
The audit duration depends on the size, complexity and risk of each department. Generally audits can last from one to three months. However not all of that time will be spent on-site in your offices. Your cooperation and response to our requests also have an impact on the length of the audit.
We are mindful of your deadlines and appreciate you being mindful of ours. During the course of the audit, we will request documents and information from you and your staff. We will provide a deadline to you to respond to requests. If these deadlines are not met, we will note that in the audit report.
Here are typical deadlines during the audit process:
o Entrance Conference-The auditee will be notified of the upcoming audit and an entrance conference date is requested within 10 days.
o Requested Documents-During the audit we will request specific documents and records (receipts, deposits, etc.). We will ask that they be provided by a specific date. If you cannot achieve that date, please let us know. If you ignore the deadlines, we will forward the request to your supervisor.
o Exit Conference-We will issue a draft report for your review and comments. Please contact us within 5 business days if you’d like to request an exit conference to discuss the contents of the report.
o Management Response-We request that you provide your written response to each finding and recommendation in the report so it may be included in the final report. Your response is requested within 5 business days unless an extension is granted. If you ignore the deadline, we will request a response from your supervisor.
An audit finding is a weakness that was identified during an audit that must be corrected by management. A Best Practice or Management Comment is a suggestion that management should consider implementing but it is not required to do so.
When we complete our six month follow up review, we will be most concerned with the Findings.
We perform a follow up review six months after every audit. The results of this review will be shared with the same personnel that received the original report. We will communicate to the appropriate vice president if there is still a deficiency in your area after six months. Management’s expectations are that all audit findings will have been corrected and they will request explanations for those that have not. We will continue to monitor each recommendation until they have been implemented.
Internal controls are systems and procedures that have been established to prevent things like theft or misuse from happening. Some examples of internal control include separating the duties of cash handling and depositing, regularly reconciling budgets and establishing a review and approval process for all transactions.
You may contact our office at 572-6117 or the University’s Compliance Officer at 572-7843. You can also file a report using our anonymous helpline at 855-597-4539 or at www.nku.ethicspoint.com. This helpline is operated by NAVEX Global, a 3rd party provider. All reports to the helpline will be thoroughly investigated.
1. Set the tone at the top. Be a good example for the expectation of ethical behavior, compliance with laws/policies, and communicate your expectations routinely to your unit’s personnel.
2. Never sign something you haven’t read or don’t understand.
3. Limit signature authority and don’t let anyone sign your name (an employee should sign their own name). Never use a signature stamp.
4. If something doesn’t make sense, ask questions about it until it does. Pay attention to what your employees are doing.
5. Develop written policies and procedures for your unit’s critical functions. These can be used as training tools and help identify areas of risk.
6. Be familiar with University policies and procedures. Be willing to call and ask questions.
7. Consider unique risks your unit may have (i.e. cash collections, contracts and grants, etc.) and ensure additional oversight is provided.
8. Ensure accounts (SAP, Pcards, etc.) are reconciled monthly and review this reconciliation for any unusual transactions. (This should include a review of payroll and leave reports.)
9. Segregate Duties--Don’t let one employee have complete control of any process or transaction. One person should initiate and another should approve.
10. Keep offices and labs locked to protect property, data, and other resources. (Remember to shred paper documents with identifying information—Social Security numbers, credit card numbers, student records, etc.)
11. Ensure University assets are used for University business (incidental personal use is allowed).
12. Review all expenditures made by your unit. Ensure each expenditure is a prudent use of taxpayer monies and is supported by documentation (approvals, receipts, delivery receipts, etc.). If in doubt, ask yourself, “How would this look on the front page of the local paper?”
13. Make sure funds collected by your department or office are secured until deposited in a timely manner according to University policy timeframes.
14. When an employee departs from the university or a department, be sure to collect all NKU property (keys, pcards, computers, etc.) and remove/change access to NKU IT systems, other databases, and buildings.
15. Follow the University document destruction schedule. Don’t keep files with sensitive or confidential information longer than necessary.
All transactions should be supported by adequate documentation. The documentation should include proper authorizations and enough detail to provide a trail for future reviews/audit/questions.
Each department is responsible for ensuring that the Comptroller's Office is kept up-to-date on all new purchases and any dispositions. All new items over $500 in cost need an NKU tag. Disposal of all property should use proper surplus forms. This ensures the university's inventory system is accurate.
Assign duties to different individuals. No one individual should have complete control of any process. This deters fraudulent activities in the normal course of their duties or responsibilities. Design a system of checks and balances to decrease the likelihood of this happening.
The person who prepares documentation should not be the same person to authorize and execute the transaction (i.e. one person should not be able to accept cash or checks, record deposits for banking, make the bank deposits, and reconcile the account).
All fees and service charges are submitted annually to the Budget Office and approved by the Board of Regents before implementation.
Procurement cards are to be reconciled monthly. Supporting receipts and other documentation should be attached in the online reconciliation system and hard copies kept according to University policy. This includes meals and entertainment forms for all food purchases. Gas and food during travel should not be charged to the pcard. These items are reimbursed via per diems and mileage allowances on the Travel Expense process. Do not use the pcard for charitable donations or computers/laptop purchases. The proper reconciling report is the Transaction Detail Report which should be signed by the cardholder and cardholder's supervisor.
Be familiar with the University's cash handling policies.
NKU is exempt from payment of Kentucky sales tax. Most states recognize the university's tax exempt status for items to be delivered to the University; however, use of the card in person or out of state may result in non-acceptance. The cardholder should emphasize this tax-exempt status at the time of purchase. The University's tax-exempt number is shown on the front of your pcard or can be obtained from Procurement Services.
Access to critical or sensitive information should be appropriately restricted based on job duties. This can be obtained through lock and key or frequently changed passwords.