NC STATE UNIVERSITY INTERNAL AUDIT DIVISION
ANNUAL REPORT
FISCAL YEAR 2008 – 2009
I. New Programs and Activities
Audits Performed
During fiscal year 2009, Internal Audit (IA) performed a total of 30 Operational and IT engagements: 11 audits, 10 investigations, and 9 follow-up audits. At year end, work in process included: 3 audits, 2 follow-ups, and 2 reports.
Due to budget issues creating 1.75 FTE vacancies in the IA staff and the emergence of issues requiring our immediate attention over the course of the year, 7 audits from the 2009 Audit Plan were incorporated back into our new Continuous Risk Assessment Process to be reprioritized against other potential audits and risks and considered for potential inclusion in future audit plans.
For the same reasons, 1 audit on the 2009 Audit Plan was canceled. That audit related to activities within a single University unit. The audit was canceled as opposed to moved back into the new Continuous Risk Assessment process based on its relatively lower risk compared to those that arose and were addressed over the course of the year. Additionally, relevant testing of that unit will occur during the planned Fiscal Year 2010 audit of high-risk contracts and grants. This will facilitate further risk assessment of the unit and subject matter, if needed.
New Activities
In fiscal year 2008, Session Law 2007, House Bill 1401, “An Act to Enact the North Carolina Internal Audit Act” was passed. The Act details requirements for internal audit organizations in all state agencies. The Act resulted in the formation of the North Carolina Council of Internal Auditing and a state-level central Office of Internal Audit (OIA) residing in the Office of State Budget and Management. NC State IA participated in the working group that developed the state-level North Carolina Internal Audit Manual and in the creation of the state-wide Peer Review Program. Additionally, the IA Director and IT Audit Manager are now qualified to be Peer Reviewers at other state agencies which will enable a cost-free Peer Review to be performed of the NCSU IA Division. Finally, IA attends the Council’s quarterly meetings to stay abreast of developing programs, expectations, and requirements from the state level. In 2009, the Director was asked by the OIA Internal Audit Manager to speak to the Council during several meetings and provide information to facilitate decisions regarding policy and proposed changes to the Act that may be brought before the Legislature.
II. Major Initiatives
New Risk Assessment and Audit Planning Process
Building on changes started informally in FY 2008, IA completely revised both the risk assessment (RA) and audit planning processes during the past fiscal year. The result is a more comprehensive, broader-reaching, continuous process that allows for greater flexibility and responsiveness in the rapid-paced, ever-changing, challenging environment we are currently experiencing.
The RA process is at the core of our audit and consulting engagements and is used as an objective tool in the development of our Annual Audit Plans. The process focuses on potential exposures relating to the University’s governance, operations, and information systems regarding the:
- reliability and integrity of financial and operational information
- effectiveness and efficiency of operations
- safeguarding of assets
- compliance with University and UNC System policies
- compliance with legal, regulatory, and contractual obligations
- detection and prevention of fraud
From an objective perspective, our assessment includes analysis and numerical ranking of the risks in each area related to: financials, potential for fraud, physical and logical security, compliance requirements, operational functionality and efficiency, and reputation.
In addition, every month throughout the year, IA meets both formally and informally with University administrative and academic executive management, deans, business officers, department heads, faculty, and staff. These meetings represent our subjective risk analyses and are tracked on a newly created spreadsheet to ensure adequate coverage and appropriate frequency of contact. All information relating to risk, potential or existing, along with special requests for audits, and identified areas of concern is documented on a “real-time” basis in our RA electronic and physical files.
All objective and subjective information and data gathered over the year through our continuous RA process is analyzed when received and again every six months. This on-going analysis process allows IA to determine areas that may need immediate attention, areas that are potential near-term or future audits, and areas that we will continue to watch and track through our process.
Our Annual Audit Plan reflects the results of our continuous assessment and analysis process as of the end of the first quarter of each calendar year. Each year’s Plan is presented for approval at the regularly scheduled April meeting of the NC State Board of Trustees and is implemented at the start of the new fiscal year on July 1.
Improved Audit Processes
We have significantly revised our existing standardized audit processes and created new ones to ensure maximum consistency, efficiency, and effectiveness as we continue to serve NC State. Major changes include:
- Revised investigative audit tools
- New IT and Operational audit programs to ensure alignment with University business goals, objectives, and compliance requirements
- Revised audit processes for more efficient and effective audit engagements
- Revised audit reporting process and new report format to improve compliance with UNC-GA requirements and state laws
- New Operational and IT customer self-assessment tools for assisting university departments, units, and extension offices in developing and maintaining processes and systems with acceptable internal controls
New and On-going Consultative Activities
IA participates on a number of university committees, work groups, task forces, and system development projects to partner with units in creating an awareness of internal controls and reinforce the importance of compliance. It is our philosophy that addressing risks “up front” as opposed to after a process or system is implemented is more effective from both a cost and a human resources perspective. It is common for topics addressed at these forums to relate to current, future, or potential audit work and thus these Committees and Partnerships play a critical role in our new Continuous Risk Assessment process. Examples include: University Council, Contract Review Task Force, University Research Support Council, Privacy Task Force, Alcohol Policy Review Task Force, Identity and Access Management Oversight Committee and various Project Teams, Disaster Recovery/Business Continuity Planning Oversight Committee, Red Flag Rules Policy Implementation Team, Student Information System Implementation Team(s), University Business Officers, and University Information Technology Committee (including various sub-committees).
We also receive requests weekly from colleges and units seeking consultative input to their projects from an audit perspective. For example, consultative activities in FY 2009 included assisting: the Kenan Institute in assessing and redesigning their financial reporting methods; OIT in research of outsourcing student data storage to third-party vendors and preventing leakage of sensitive data; and County Extension Services training for potential directors.
Campus Education
IA strives to educate the campus community on University policies, regulations, and rules as well as the importance of effective internal controls and compliance with Federal and State laws and requirements. We continue to communicate the importance of training for University employees, especially for individuals with financial, human resource, information technology, and contract and grant responsibilities. We take a proactive approach to addressing potential or emerging issues and internal control weaknesses and we research and recommend best practices to help keep the University performing efficiently and effectively in all areas we touch. Specific examples of our more formalized educational efforts include:
- An IA presentation for the QuickStart training program
- CES training presentations presented at District and Regional Meetings
- Presentations to the University Business Officers in conjunction with other University units such as Purchasing
- Presentations at unit staff meetings
III. Staff Updates
Organization
IA currently consists of 8 positions (7.75 FTE) of which only 6 are filled: a Director, an IT Audit Manager, 2 full-time and 1 part-time (<20 hours per week) Operational Auditors, and 1 full-time and 1 part-time (<20 hours per week) IT Auditors. The funding related to the vacant positions is being used to cover budget reductions and consists of 1 Operational Auditor position and a .75 FTE Administrative Support Specialist position. The Administrative position has been vacant since December 2007 and the Operational Auditor position became vacant in October 2008.
Update on Staff Qualifications and Certifications
The new state law governing Internal Audit places emphasis on the qualifications of state agency internal audit staff. A summary of staff changes and certifications follows.
Cecile M. Hinson – She is currently a Certified Information Systems Auditor (CISA) and is pursuing the Certified Internal Auditor (CIA) certification.
Jordan P. Holaren – Jordan is continuing to work toward obtaining the Certified Internal Auditor (CIA) certification.
Leo F. Howell – Leo was promoted to the new IT Audit Manager position and has successfully managed the IT Audit Department throughout FY 2009. Leo’s certifications include the following: CISA, CISSP, CBRM.
Gail Kashulon – Gail is our part-time IT auditor. She joined IA in December 2008. Gail is a CISA and an MBA.
Rosemary M. King – Rosemary retired in October 2008.
Andy Lull – Andy is our part-time Operational Auditor and has master's degrees in Education, Business, and Accounting. He has met the experience requirement for the Certified Public Accountant (CPA), has passed several parts of the required exam, and is in the process of completing the remaining portions of the exam.
Satya Maruvada – Satya joined IA in February 2009. He previously worked for PricewaterhouseCoopers, LLP within the Systems and Process Assurance (SPA) department. Satya has a Bachelor of Science in Computer Science from NC State University and a Master of Accounting from University of North Carolina. He is a CPA and has successfully completed the CISA examination. He is currently working toward obtaining his CIA designation, also.
Cheryl Vetter – Cheryl is pursuing her Certified Fraud Examiner (CFE) certification.
IV. Concerns and Vision for the Future
The impact of the current and proposed budget reductions is of significant concern as it has created two vacant staff positions. These vacancies significantly reduce the available auditor work hours not only by the loss of the full-time auditor but also because all current auditors and the director lose hours that should be used for audit-related activities to cover the responsibilities of the unfilled Administrative Assistant position. The result is that all forms of audits, consulting activities, and daily assistance we provide to University employees and management and to external entities on a regular basis have been reduced. Additionally, risk across the University is compounded as studies show that deep budget and staff reductions in an organization generally increase inherent risk within processes and the risk of employee fraud or misconduct. Our coverage of these increasing risks is restricted by the reduction of available auditor work hours. Thus, the potential negative impact to the University is compounded by the reduction of the IA staff.
In these uncertain economic times, it is critical to maintain an adequate University internal audit function. With the above mentioned personnel reductions and subsequent decrease in auditor hours available, it is inevitable that our ability to be vigilant and proactive in addressing problems is restricted. However, we believe that our new continuous risk assessment process and the newly streamlined processes for all other aspects of our work will facilitate the most efficient approach and best possible coverage in light of our reduced human and budgetary resources. Most importantly, we are confident these new processes ensure that when the economy improves we are effectively positioned to respond to and support the University’s inevitable growth and increased opportunities.