MSU Department of Internal Audit Presents: Internal Audit Processes and Procedures - PowerPoint PPT Presentation


PPT – MSU Department of Internal Audit Presents: Internal Audit Processes and Procedures PowerPoint presentation | free to view - id: 4dad89-MTc5N


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

MSU Department of Internal Audit Presents: Internal Audit Processes and Procedures


MSU Department of Internal Audit Presents: Internal Audit Processes and Procedures Thomas Luccock, Director Presenters Thomas Luccock Jana Dean Steve Kurncz Jim ... – PowerPoint PPT presentation

Number of Views:380
Avg rating:3.0/5.0
Slides: 62
Provided by: msuEduin9


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: MSU Department of Internal Audit Presents: Internal Audit Processes and Procedures

MSU Department of Internal Audit Presents Interna
l Audit Processes and Procedures
Thomas Luccock, Director
  • Thomas Luccock
  • Jana Dean
  • Steve Kurncz
  • Jim Jesswein

Overview of Topics
  • Organization and Mission
  • Internal Controls
  • Risk Assessment
  • Typical Findings
  • Fraud Awareness and SAS 99
  • Information Technology Auditing
  • The Internal Audit Quiz Bowl

Organization Chart
Our Mission
  • To assist University units in effectively
    discharging their duties while ensuring proper
    control over University assets.

Our Charter
  • Introduction
  • Purpose
  • Authority
  • Responsibility
  • Independence
  • Audit Scope
  • Special Investigations
  • Reporting
  • Audit Standards and Ethics

What is Internal Auditing?
  • Internal auditing is an independent, objective
    assurance and consulting activity designed to add
    value and improve an organizations operations.
    It helps an organization accomplish its
    objectives by bringing a systematic, disciplined
    approach to evaluate and improve the
    effectiveness of risk management, control, and
    governance processes.
  • -Courtesy of the Institute of Internal Auditors

The IIA Standards
  • Independence
  • Professional Proficiency
  • Scope
  • Performance of Audit
  • Management
  • Code of Ethics

Internal Controls
  • An integrated system to protect an entitys
    resources and assess risk.
  • A system of checks and balances.
  • An established way to prevent and detect
    intentional and unintentional errors.
  • Examples include segregation of duties,
    reconciliation, and proper authorization.
  • Controls can be preventive or detective.

Who is Responsible for Internal Controls?
Delegated to operational Areas
Everyone in the Organization
Common Types of Internal Controls
Situation Type of Control
Requiring Passwords to access functions Preventive
Locking the office when the entire staff leaves Preventive
The person who collects money does not reconcile the fund ledgers Preventive/ Detective
Supervisor review of reconciliations Preventive/ Detective
Authorized signatures for DPVs and JVEs Preventive
Petty cash fund locked in safe Preventive
Procurement card statement approval by supervisor Detective
Required procurement card training Preventive
Policy Statements
  • MSU Manual of Business Procedures
  • http//
  • Travel Reimbursement
  • Cash Handling Procedures
  • Cell Phone usage practices
  • It even covers flower purchasing requirements
  • Departmental Policies

Procurement Card Policy
  • Manual Available at http//
  • Key Concerns-
  • Approval
  • Documentation
  • Appropriate Purchases

Regulatory Requirements
  • NCAA
  • / EPA
  • Contracts and Grants
  • Financial Aid
  • A133
  • Record Retention
  • http//

Organizational Risk
  • What is Risk?
  • -The potential or likelihood of an event
    adversely impacting the assets of the
    organization or the organizations business
  • -courtesy of Jefferson Wells

The Big Picture
  • Certain factors may impact the industry,
    organization, or the auditable unit.

What is Risk Assessment?
  • Its purpose
  • To identify the level of uncontrolled risk.
  • To perform an independent appraisal of the design
    of an organizations system of internal control.
  • Includes all the work activities that provide
    assurance that the auditable unit has appropriate
    controls in place to comprehensively,
    effectively, and efficiently manage its risks.

How can risk assessment be used?
  • To determine which areas within a given business
    process should be reviewed.
  • To design tests to verify the adequacy of the
    identified controls.
  • To support a cyclical approach to auditing.

Audit Tools used during a risk assessment
  • Opening meeting
  • Internal control questionnaires and flowcharts
  • Regulatory requirements
  • Prior audit reports and correspondence
  • Observation of daily activities
  • Risk Survey plan to circulate periodically

Risk Assessment Approach
  • Quantifying Risk
  • -High
  • -Medium
  • -Low
  • Degree of Control
  • -High
  • -Medium
  • -Low

Other risk assessment methods utilize convenient
color coding.
Typical Findings
  • Deposits
  • Payroll
  • Reconciliation
  • Segregation of Duties
  • Procurement Cards
  • Travel Reimbursements

Fraud Awareness
  • SAS 99
  • Requirements
  • 24 Hour Hotline or web reporting
  • Complete Anonymity
  • 1-800-763-0764
  • /hotline.html
  • Employee Responsibilities

Types of Fraud
  • Fraud
  • Misstatements arising from fraudulent financial
    reporting (eg. falsification of accounting
  • Misstatements arising from misappropriation of
    assets (eg. theft of assets or fraudulent

Fraud Facts
  • According to the Association of Certified Fraud
    Examiners (ACFE), U.S. businesses lose
    approximately 5 of their annual revenues to
  • Seventy five percent of companies surveyed by the
    KPMG reported that they had experienced at least
    one instance of fraud during the previous 12
  • The ACFE estimates that the median loss suffered
    by organizations with fewer than 100 employees is
    190,000 per fraud scheme. previous version of
    the same study, completed in 2002, added that
  • According to the ACFE, the median length of time
    between when a fraud begins and when it is
    ultimately detected is 18 months.
  • In its 2006 Report to the Nation, the ACFE
    reports that frauds are more likely to be
    detected by a tip than by other means such as
    internal audits, external audits, or internal

The Fraud Triangle

Pressure / Motives
Pressures and Motives
  • Financial pressures rising debt/bills spouse
    loses job poor credit
  • Work Related Pressures adverse relationship
    with management promotions, compensation or
    other awards inconsistent with expectations
  • Vice pressures
  • Other pressures

  • Lack or circumvention of internal controls
  • Past failure to discipline wrongdoers
  • Management apathy
  • Unwillingness or inability to detect fraud
  • Lack of an audit trail

  • The organization owes it to me.
  • I am only borrowing the money.
  • They can afford it.
  • I deserve more.
  • Its for a good purpose.

Profile of an Embezzler
  • Tends to be a trusted employee
  • Works long hours first in/last out
  • Skirts mandatory vacation policy
  • Opposes cross training
  • Likeable and generous
  • Personality may change, moodiness may set in,
    when stress of embezzlement catches up to them,
    or when they are about to be caught
  • Evasive and usually good at lying

Fraud Red Flags
  • Not separating functional responsibilities of
    authorization, custodianship, and record keeping.
    No one should be responsible for all aspects of
    a function from the beginning to the end of the
  • Unrestricted access to assets or sensitive data
    (e.g., cash, personnel records, etc.)
  • Not recording transactions resulting in lack of
  • Not reconciling assets with the appropriate

More Red Flags
  • Unauthorized transactions
  • Controls not implemented due to lack of personnel
    or adequate training
  • Walk through approvals
  • Unimplemented Controls
  • Living beyond ones means

  • Senior management team sets the moral and ethical
    compass for others to follow
  • Management must clearly communicate zero
    tolerance for fraud and reinforce the message on
    a regular basis
  • Strict ethical code at all levels
  • Tighten computer security
  • Actively seek out red flags
  • Make staff accountable
  • Utilize MSUs prevention tools
  • Learn and understand behavioral cues
  • Use the hotline!!

What is an Information Technology Audit?
  • Information Technology (IT) auditing is defined
    as any audit that encompasses the review and
    evaluation of all aspects (or any portion) of
    automated information processing systems,
    including related non-automated processes, and
    the interfaces between them.

  • IT infrastructure risks
  • Sensitive information
  • Monetary transactions processes
  • System access restrictions and enforcement
  • Weak password policies
  • Overall network security controls

IT Audit Scope
  • University policies and guidelines
  • Disaster Recovery Planning and Implementation
  • Acceptable Use Policy
  • Data Security and Backup Procedures
  • Managing Sensitive Data / PCI DSS Compliance
  • Industry standards
  • Password Policies
  • Security Planning and Implementation
  • Departmental Acceptable Use Policies

Information Technology Process
  • Scan of systems and associated network
  • COBIT Standards - 'Control Objectives for
    Information and related Technology
  • IT Industry Known Best Practices
  • Partnership with Libraries Computing and
  • Employee Responsibilities

Typical IT Audit Findings
  • Data backup procedures
  • Disaster Recovery Plan
  • Access controls
  • Security practices

IT Audit Sensitive Data Focus
  • Unit Managing Sensitive Data Procedures and
  • Unit SSN and other sensitive data procedures and
  • Unit Payment Card Industry Data Security Standard
    (PCI DSS) Compliance
  • Unit policies regarding electronic and paper
    storage of credit card data
  • PCI DSS Compliance Questionnaire
  • Unit vulnerability scanning

Internal Audit Website
Internal Audit Hotline
Internal Audit Comments
Internal Audit Website Resources
The Audit Bowl

Question I
  • Jane is such a dedicated worker, she never misses
    work no vacations, never calls in sick.
    Because she is always here, we do not need to
    train someone to be her back up.
  • What Control Weaknesses exist in the above
  • Jane could be committing fraud that could not be
    detected because no one ever does her job.
  • If something does happen and Jane is not
    available to perform her duties, no one else is
    able to step in because no one has been trained.
  • There are no control weaknesses.
  • Both a and b identify weaknesses.

Question II
  • Claires department sells small items off of
    their departmental website. She accepts phone
    orders for this merchandise and stores the
    purchasers credit card number and information in
    an Excel spreadsheet, on her departmental share
    drive. Once a month Claire logs into WebCredit
    and runs all of the credit cards at once. Is
    Claire doing anything wrong? If so, why?

Question III
  • Bob forgot his lunch money today so he borrowed
    from the petty cash fund. Which statement best
    describes if this is a control issue or if it is
    an acceptable practice.
  • Thats ok as long as Bob put an IOU in the petty
    cash fund.
  • Thats ok as long as Bob repays the next day or
    at least before the fund is reconciled.
  • Borrowing from university money is never
    acceptable and is considered a control violation.
  • This isnt an issue as Bob always repays the

Question IV
  • Mary collects registration money, prepares the
    deposit, agrees to the monthly fund ledger
    reports, and prepares the list of participants.
    Which statement concerning this scenario is true.
  • This makes sense because Mary is responsible for
    handling the conference, so she should be
    responsible for all areas.
  • This scenario lacks adequate segregation of
    duties. Someone else should be involved in at
    least one of the steps. The list of participants
    should be agreed to the fund ledger report by
    someone other than Mary.
  • Mary knows everything that is going on with the
    conference so it is more efficient to have her
    handle all the functions.

Question V
  • Charley is a student employee on campus. He knows
    the rules dictate that he cannot work more than
    29 hours in one week during the semester. He
    works 40 one week but will not work at all the
    second week. So Charley records 20 hours per
    week instead of 40 for week one and 0 for the
    second week. Is this acceptable? Why?

Question VI
  • Sarah is the business manager. She has several
    employees that report to her and are responsible
    for posting all money received on their
    subsidiary system. Another employee prepares a
    deposit and sends by courier to the Cashiers
    Office. Sarah agrees the deposit ticket to the
    fund ledger each month. What step is Sarah

Question VII
  • Jims job is to enter mail-in conference
    registration forms that his department receives
    (for a conference they sponsor) into the AIS
    WebCredit system. After Jim charges the customer
    he keeps these forms (with full credit card
    numbers) in a locked cabinet for 3 years because
    he wants to provide them to the internal
    auditors, if necessary, and be able to dispute
    any chargeback claims? Is Jim following the
    recommended procedures? If not , why?

Question VIII
  • Julie frequently takes University office supplies
    for home use, such as pens, pencils, and paper.
    She also uses the office copy machine to make
    personal copies. Which statement is correct
    concerning this scenario?
  • Because the items are low cost, this is not a
  • Because Julie is paid less than her co-workers,
    she is entitled to these extra benefits.
  • It is not acceptable to use the University
    property and supplies for personal use regardless
    of cost.
  • Julie has worked for the University for 20 years,
    and frequently worked extra hours. The University
    owes her.

Question IX
  • You see a co-worker put some cash received for a
    conference in his bag. Later you are reconciling
    the list of participants to the fund ledger and
    have a difference. What should you do?

Question X
  • Abbie is responsible for depositing all checks
    with the Cashiers Office. It is late Friday
    afternoon and Abbie is leaving for a 10 day
    vacation in the Bahamas. Her last task for the
    day is to open the mail. In the mail, there is a
    10,000 check for the upcoming conference and the
    Cashiers Office is already closed. What should
    Abbie do?
  • Lock the check in her desk drawer and deposit it
    when she returns from vacation.
  • Take the check home with her so she is sure it is
    secure and deposit it when she returns from
  • Give the check to Wanda, her backup, so she can
    make sure it is secure and deposit it first thing
    Monday morning.

Question XI
  • Scott has a university procurement card. Scott
    is very careful to keep all receipts for each
    purchase and makes sure no one has access to his
    card but him. Each month Scott agrees his
    receipts to his statement. He attaches the
    receipts to the statements and stores them in his
    desk in a file labeled Procurement Card. What
    control step is Scott missing?
  • Scott should verify that sales tax was not
    charged to the university.
  • Scotts supervisor or a designated
    budget/business administrator should review and
    approve the statement with the receipts.
  • Scott should sign the statement as the
  • All of the above

Question XII
  • Ben is a professor. A conference relating to his
    research is being held in Orlando, Florida in
    May. Ben talks to his Dean and receives verbal
    approval for the trip. The Administrative
    Assistant registers Ben for the conference and
    contacts Spartan Travel to make the airline and
    hotel reservations. Ben now feels he is all set
    for the trip. What step is Ben missing?

Question XIII
  • Ben attended the conference and found it very
    useful. He turns in the receipts for the hotel
    and meals, and also the airline tickets to the
    Administrative Assistant to process his travel
    voucher. What other document should Ben include?

Question XIV
  • Jennifer is the Business Manager for a large
    department on campus. Her secretary has just
    accepted a position in another department.
    Jennifer knows the perfect replacement who has
    the type of experience needed, Suzie. Suzie is
    Jennifers younger sister. Suzie would report
    directly to Jennifer. Which statement best
    describes this situation?
  • Suzie is qualified then she should be hired for
    the position.
  • If Suzie is a direct report to Jennifer then it
    appears to be a conflict of interest. Someone
    could accuse Jennifer of providing higher raises
    or other benefits to Suzie because they are
  • Jennifer and Suzie would work great together
    since they are sisters.

Question XV
  • The Administrative Assistant for a large
    department is filing last years fund ledger
    documents and other departmental documents. When
    she enters the storage room she finds it almost
    full. She reviews the dates on the boxes and
    finds many that are 10 years old. She decides
    she should throw those out but thought she should
    get approval first. Who should she contact to
    find out the record retention policy?
  • Internal Audit
  • Controllers Office
  • University Archives
  • Both b and c

  • The Internal Audit mission is defined by our
  • Internal Controls are everyones responsibility.
  • Policies and procedures should be followed.
  • Internal Audit constantly assesses risks.
  • Fraud should be reported.
  • Internal Audit is available for advice.

Audience Questions?
  • Comments may be directed to our website at-
  • (submissions may be made anonymously, if so
  • Remember to tell your friends about the Fraud
    Hotline at 1-800-763-0764 or

Methods of Reporting Fraud
  • MSU Hotline call center/web reporting
  • Direct contact with Internal Audit/DPPS/HR
  • Key links
  • IA website
  • Fiscal misconduct guidelines
  • http//