First, you will receive a letter to inform you of an upcoming audit. The auditor will send you a preliminary checklist, which is a list of documents that will help the auditor learn about your unit before planning the audit.
After reviewing the information, the auditor will plan the review and identify key risks within the area, draft an audit plan, and schedule an opening conference.
The opening conference should include senior management and any administrative staff that may be involved in the audit. During this meeting, the scope of the audit will be discussed. You should feel free to ask the auditors to review areas that you are concerned about. The time frame of the audit will be determined, and you should discuss any potential timing issues (e.g. vacations, deadlines) that could impact the audit.
After the opening meeting, the auditor will finalize the audit plan and begin fieldwork. Fieldwork typically consists of talking with staff, reviewing procedure manuals, learning about your business processes, testing for compliance with applicable policies and procedures and laws and regulations, and assessing the adequacy of internal controls. Please note that often times the majority of our audit testing can be performed at our offices, but there will be times in which we will need access to you and your staff in order to obtain documents and/or ask questions. We understand that you still have your job to do and we will always strive to make the interruptions as minimal as possible.
The results of the audit will be communicated via a formal audit report. The purpose of this written document is for Internal Audit to report the conclusions drawn from the audit tests, observations and inquires.
A closing meeting will be held so that everyone can discuss the audit observations. The exit conference provides an opportunity to resolve any question or concerns you may have about the observations and to resolve any other issues before the final audit report is released.
Once the report is finalized with any corrections management may have suggested, we will request your responses. You may accept the recommendations offered by Internal Audit, present your own remedy to the findings noted, or accept the risks associated with the findings. Estimated completion dates for each observation should be included with all management responses.
Once responses are received, the final audit report is compiled and distributed to the Chancellor, Board Finance Committee as well as to the appropriate level of management.
An audit survey will be sent to the audited unit in order to solicit feedback about the audit. Feedback is important to us since it can help us improve the audit process.
Follow-up reviews are performed on an issue-by-issue basis and typically occur shortly after the expected completion date, so that agreed-upon corrective actions can be implemented. The purpose of the follow-up is to verify that you have implemented the agreed-upon corrective actions. The auditor will interview staff, perform tests, or review new procedures to perform the verification. If further corrective action is required, you will need to write a management response. Otherwise, the issue will be reported as resolved.
Frequently Asked Questions
The Internal Audit Department receives its authority from the Board Finance Committee of the San Jacinto Community College District (Internal Audit Charter). The authority includes full and unrestricted access to all personnel and departmental records while conducting audit activities. All information received by the audit department is held at the appropriate level of confidentiality.
Internal Audit reports directly to the Vice Chancellor of Fiscal Affairs, with an advisory reporting relationship to the Chancellor and Board Finance Committee.
Internal Audit annually reviews all of the risks facing the College for the upcoming year. If your department scores "high" on the risk analysis, IA recommends your department for an audit. The Board Finance Committee reviews these recommendations and approves the audit plan for the upcoming fiscal year.
The frequency of department audits depends on the level of risk associated with the department. A high risk department could be audited each year where a department with a lesser associated risk may be part of a several year rotation.
Internal Audit calculates the risk score using key risk factors such as previous audit findings, negative publicity, financial impact, time since last audit, etc.
The scope of an audit refers to what organization functions will be included for review as part of the audit. Internal Audit wants to maximize its resources by concentrating on specific significant areas within an organization. The audit scope is determined through review of the organization's functions, discussion with the organization's management and auditor judgment.
If a significant issue is identified during the audit of a department, Internal Audit expresses the results of its audit work as findings. Findings have certain elements, including the criteria or basis for determining that a problem does exist, a condition or situation that was observed, the effect or impact of the condition, and the cause of the problem to the extent that it can be determined. Findings should result in recommendations that resolve the issue and are helpful to management.
The length of time it takes to complete an audit varies significantly. Some take as little as a couple of weeks and others can take several months. The audit is a dynamic process, the scope of which can be expanded or reduced at any time depending on the findings.
The overall goal of our audit is to provide the department being reviewed with an assessment of its control environment and compliance with appropriate policies. A secondary goal of our review is to make recommendations, if necessary, that are aimed to improve the efficiency and/or accuracy by which certain procedures are performed.
Prior to our review, we submit an initial request for information to the department. This request includes general department information which aids us in gaining an understanding of the department being reviewed. When we begin the fieldwork segment of our review the department will need to provide us with various details supporting the transactions we are testing.
Inevitably there will be some disruption within the department's daily schedule. However, we try to keep this disruption to a minimum and schedule our meetings with department personnel at their convenience.
Audit reports are issued to the auditee and supervisor, as well as the Vice Chancellor of Fiscal Affairs, Chancellor, Board Finance Committee and other interested parties.
Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. The elements of fraud are:
- A representation about a material fact
- Which is false
- And made intentionally, knowingly, or recklessly so
- Which is believed
- And acted upon by the victim
- To the victim’s damage
Employees who commit fraud generally are able to do so because there is opportunity, pressure, and a rationalization.
Opportunity is generally provided through weaknesses in the internal controls. Some examples include inadequate or no:
- Supervision and review
- Separation of duties
- Management approval
- System controls
Pressure can be imposed due to:
- Personal financial problems
- Personal vices such as gambling or drug use
- Unrealistic deadlines and performance goals
Rationalization occurs when the individual develops a justification for their fraudulent activities. The rationalization varies by case and individual. Examples include:
- "I really need this money and I’ll put it back when I get my paycheck."
- "I'd rather have the company on my back than the IRS."
- "I just can't afford to lose everything – my home, my car, everything."
Management. Internal Audit is responsible for examining and evaluating the adequacy and effectiveness of actions taken by management to fulfill this obligation. Deterrence consists of actions taken to discourage fraud and limit financial losses if it does occur. The principal mechanism for deterring fraud is strong internal controls.
Internal auditors should have sufficient knowledge of fraud to be able to identify indicators that fraud might have been committed. If significant control weaknesses are detected, additional tests conducted by internal auditors should include tests directed toward identification of other indicators of fraud. Internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is to detect and investigate fraud. Audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.
Call the Internal Audit department at 281-991-2612.
Fraud investigations may be conducted by or involve the participation of the Internal Audit Department, campus Police Departments and other areas of the College as appropriate.
The following is a partial list of the factors contributing to fraud.
- Ineffective internal controls such as:
- Not separating functional responsibilities of authorization, custodianship, and record keeping. No one should be responsible for all aspects of a function from the beginning to the end of the process.
- Unrestricted access to assets or sensitive data
- Nor recording transactions resulting in lack of accountability
- Not reconciling assets with the appropriate records
- Unauthorized transactions
- Unimplemented controls because of the lack of or unqualified personnel
- Collusion among employees over whom there is little or no supervision
- Embezzlement “red flags” include:
- Borrowing money from co-workers
- Creditors or collectors appearing at the workplace
- Gambling beyond the ability to stand the loss
- Excessive drinking or other personal habits
- Easily annoyed at reasonable questioning
- Providing unreasonable responses to questions
- Refusing vacations or promotions for fear of detection
- Bragging about significant new purchases
- Carrying unusually large sums of money
- Rewriting records under the guise of neatness in presentation
- Other common forms of fraud are:
- Falsifying timesheets for a higher amount of pay
- Stealing of any kind (e.g., cash, petty cash, supplies, equipment, tools, data, records, etc.)
- Lapping collections on customers’ accounts
- Pocketing payments on customers’ accounts, issuing receipts on self-design receipt books
- Not depositing all cash receipts
- Creating fictitious employees and collecting the paychecks
- Failing to end personnel assignments for terminated employees and collecting the paychecks
- Paying for personal expenses with University funds
- Increasing vendor invoices through collusion
- Billing for services not rendered and collecting the cash
- Seizing checks payable to vendors
- Recording fictitious transactions on the books to cover up theft
- Other fraud danger signals:
- High personnel turnover
- Low employee morale
- No supporting documentation for adjusting entries
- Incomplete or untimely bank reconciliations
- Increased customer complaints
- Write-offs of inventory shortages with no attempt to determine the cause
- Unrealistic performance expectations
- Rumors of conflicts of interest
- Using duplicate invoices to pay vendors
- Frequent use of sole-source procurement contracts
The Internal Audit function is an independent appraisal activity established within an organization to examine and evaluate its activities as a service to the organization. It functions by examining the adequacy and effectiveness of controls.
The objective of Internal Auditing is to assist management in the effective discharge of their responsibilities. To this end, the Internal Audit function furnishes management with analyses, appraisals, recommendations, counsel, and information concerning activities reviewed to promote effective control at a reasonable cost.
Internal Audit reports administratively to the Vice Chancellor of Fiscal Affairs; however, it may report audit matters directly to the Chancellor and/or to the Board Finance Committee of the Board of Trustees. In the performance of audits, the Internal Auditor is granted access to all college activities, records, property, and employees. The Internal Auditor will exercise discretion and ensure the safekeeping and confidentiality of audit matters.
Internal Audit is a staff function and has no direct operational responsibility for or authority over any of the activities reviewed. Accordingly, they shall not develop nor install systems or procedures, prepare records, or engage in any other activity which would normally be audited. Additionally, an Internal Audit review in no way relieves management of any assigned responsibilities.
The Internal Auditor is assigned the responsibility for carrying out an Internal Audit program as described under the section “Responsibilities of Internal Audit" of this Charter. This responsibility includes coordinating Internal Audit activities with the organization's external auditors and others to best achieve organizational and auditing objectives.
All requests for special (unscheduled) audits will be directed to the Vice Chancellor of Fiscal Affairs.
All internal audit activities shall remain free of influence by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of an independent and objective mental attitude necessary in rendering reports.
The Internal Audit function has the following responsibilities:
- Develop a flexible annual audit plan using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit that plan to the Chancellor and Vice Chancellor of Fiscal Affairs for submission to the Board Finance Committee of the Board of Trustees for review and approval.
- Maintain a professional audit staff with sufficient knowledge, skills, experience and technical competence through continuing education and active participation in professional activities.
- Examine and evaluate the adequacy and effectiveness of the College’s system of internal controls, policies and procedures, and systems in place to safeguard college assets.
- Evaluate the reliability and integrity of information, and the efficient and effective use of resources.
- Ensure compliance with applicable policies, procedures, laws, and regulations which could have a significant impact on College operations and reports.
- Review operations or programs to ascertain whether results are consistent with established goals and objectives and whether the operations or programs are being carried out as planned.
- Participate in or conduct evaluations, financial and management studies, special audits and fraud investigations as directed.
- Conduct follow up reviews, as needed, on audit reports issued by the San Jacinto College District Internal Audit Department and other external agencies.
- Issue periodic reports to the Vice Chancellor of Fiscal Affairs, Chancellor and Board Finance Committee of the Board of Trustees summarizing the status and results of audit activities.
- Consider the scope of work of the external auditors and regulatory agencies, as appropriate, to provide optimal audit coverage to the College at a reasonable overall cost.
The following are the procedures to be adhered to when carrying out the Internal Audit function:
- An annual audit plan will be established after conducting an annual risk assessment, securing input from the Chancellor and Vice Chancellor of Fiscal Affairs and obtaining approval of the plan from the Board Finance Committee of the Board of Trustees.
- Advance notice to each department to be audited will be provided.
- An opening meeting with the managers of the unit being audited will be conducted to discuss the nature of the audit, length of engagement and to coordinate the timing of review by area. Internal Audit will review the proposed audit program with functional managers to ensure proper and thorough audit coverage.
- The audit program will be finalized and the audit steps performed. Findings noted during the audit will be communicated to the auditee and Vice Chancellor of Fiscal Affairs throughout the course of the audit.
- A written, draft Audit Report will be prepared by Internal Audit following the conclusion of the audit. The draft Audit Report will be submitted to the Vice Chancellor of Fiscal Affairs for review. Once desired changes are made, the draft Audit Report will be provided to the auditee for their review prior to the exit conference.
- An exit meeting will be held to discuss the written audit findings with the appropriate management in order to come to a consensus on the accuracy of the findings and the propriety of the recommendations. Any revisions agreed upon will be included in the final report. Based on the complexities of the findings noted, the auditee will have an appropriate amount of time to respond with their corrective action plans to the findings presented in the report. The auditee’s corrective action plan, including a timetable for anticipated completion of action to be taken, and an explanation for any recommendations not addressed will be included in the final report.
- Copies of the final report will be distributed as appropriate.
- Management of the area receiving the report is responsible for ensuring that progress is made toward implementing their corrective action plans. If Management proposes alternative actions other than the recommendations provided by Internal Audit, then Internal Audit is responsible for determining whether the action taken is adequate to mitigate the risks associated with the initial audit findings.
- Internal Audit will perform follow-up reviews, as deemed necessary.
- Internal Audit will provide the auditee with a Post Audit Survey (i.e. customer survey) at the conclusion of the audit and will continually strive to improve the Internal Audit Department and the services provided.
The Internal Auditor should use reasonable audit skill and judgment and exercise due professional care in performing every audit. The Internal Auditor is required to conduct examinations and verifications of the activity under audit to a reasonable extent, but is not required to perform detail audit testing of all transactions. Accordingly, the internal auditor cannot give absolute assurance that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance should be considered whenever an internal auditor undertakes an auditing assignment.
The activities of Internal Audit will meet The Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing and Code of Ethics. Internal Audit will also abide by generally accepted government auditing standards and applicable college district policies and procedures.
The Internal Auditor should periodically assess whether the purpose, authority, and responsibility, as defined in this charter, continue to be adequate to enable the internal auditing activity to accomplish its objectives. The result of this periodic assessment should be communicated to the Vice Chancellor of Fiscal Affairs, Chancellor and the Board Finance Committee of the Board of Trustees.
Risk Assessment Process
How are College Departments Chosen for Audit?
The Internal Audit Department conducts an annual risk assessment to identify the major areas and departments within the San Jacinto College District that require audit attention.
The risk assessment consists of three phases:
Identify auditable entities
We review the College structure to identify administrative and academic units. We evaluate organizational charts and financial information in order to determine how to organize the units into auditable entities. We also identify processes which apply to all departments such as payroll, purchasing, etc.
Risk Assessment Questionnaire
Utilizing a standardized questionnaire we obtain information about each of the College’s auditable units.
Analyze information and develop a risk matrix
We utilize responses to the questionnaire to rate each entity based on eleven risk factors, which are given a weighted percentage value. The risk factors include:
- Quality of internal controls (20%)
- Financial Impact (10%)
- Frequency/Complexity/Volume of Transactions (10%)
- Regulatory/Legal Impact (10%)
- Changes in Area/Management/Systems or Business Processes (10%)
- Competency of Management/Staff (10%)
- Opportunity of Fraudulent Activity/Waster or Abuse (10%)
- College Image/ Reputation or Market / Participant / Customer Impact (5%)
- Time Since Last Audit (5%)
- Last Audit Results (5%)
- Management Discretion (5%)
The risk factors for a given audit unit are assigned weights from 1 (less significant) to 5 (more significant) based on the weighted scale. The weighted sum determines the total risk score for each entity.
Audit projects are scheduled based on the highest risk entities and the available internal audit resources. The risk assessment is updated annually as part of the audit planning process.