Audit Services
As of January 2009, we offer the following products:
- Assurance and consulting services
- Assist in organization’s COSO self-evaluation
- Standard departmental audits, reviews, and assessments requested by management
- Standard system audits
- Departmental transition audits for units with new leadership
- Facilitate a Self-Assessment with Audit Substantiation (SAAS)
- Investigate fraud and defalcations
The Audit team works to find answers to questions. Some of the questions we ask are:
- Do opportunities exist to eliminate inefficient use of University funds and potential waste?
- Are controls sufficient to protect University resources?
- Are funds being spent legally, and are they accounted for accurately?
- Are fiscal responsibilities being performed in compliance with University, State, Federal or other governing rules and regulations?
- Are there better ways of achieving program objectives at lower costs?
- Are there ways to improve the quality of service without increasing costs?
- Are there organizational factors that inhibit the delivery of services?
Our audits are performed in compliance with the standards promulgated by the Institute of Internal Auditors (IIA). Our annual audit plan is developed through consultation with University management utilizing an internally developed University Risk Assessment Tool. Our annual audit schedule outlines the audits and reviews that Internal Audit will conduct based on our plan. The plan also identifies self-evaluations that unit managers will be expected to conduct during a given year. Changes are made to the audit plan throughout the year, as the need arises.
Our principal project deliverable is the final report in which we express our opinions, present the audit findings, and discuss recommendations for improvements.
We encourage managers and staff to call us for advice when evaluating procedures or making procedure changes; implementing state audit recommendations; or when they need an independent opinion.
Audit Process
Our audit process and purpose are related to the COSO model in that we review:
- The accuracy and propriety of financial transactions
- The adequacy of security for the organization’s financial information system environment
- The adequacy of the organization’s financial internal control structure
- Efficiency and effectiveness of operation/financial business structure and processes
- The adequacy of compliance with university, state and/or federal rules and regulations
We follow a standard six-step model in our routine audits. The audit process determines how audits are executed at the auditable unit. It was developed and standardized as follows:
- Understand Audit, Client and Inherent Risks, including initial client audit meetings
  - The audit begins with a kick-off meeting. The internal audit department, the audit methodology, the reporting style, etc., are presented to local senior management.
- Identify High Risk Areas of Concern, which become the Audit Focus
  - A detailed audit plan is prepared. The planning phase is necessary to understand the local operation and its business risks and to set the audit scope, if not done in advance. The end result is a preliminary risk map with a tailor-made audit approach, covering the highest business risks for the operation under review.
- Perform Audit, known as “Fieldwork”, at the client location
  - The audit fieldwork includes the evaluation and testing of processes, internal controls, and systems and procedures in the selected areas, as well as workpaper documentation of the results.
  - Audit findings are discussed and confirmed throughout the audit and documented in "Audit Observation Memos."
- Prepare Deliverables, Finalize Fieldwork and Perform Audit Quality Review
  - As part of quality control, internal audit management reviews the work of the auditor to ensure that it meets the quality standards.
  - The audit report is written in the field throughout the audit process.
- Review the Audit Deliverables with the Client
  - The audit report is finalized by means of a formal closing (exit) meeting. The purpose of the closing meeting is to ensure commitment from responsible senior management and correct prioritization of all actions. The aim is to issue the final report within a few days after the closing meeting.
- Finalize Audit and Issue Report
  - A standardized internal audit report was developed, consisting of two parts:
    - An 'Executive Summary', designed to give top management and the audit committee an overall assessment of the business risk exposures and the risk management environment
    - The management action plan, a high-level working document for local management that shows the agreed actions that will be taken to rectify any risk management weaknesses identified during the review and the due dates and persons responsible for the implementation.
  - Typical Audit Response: We agree with the audit finding. The Director agrees to implement an improved and fully documented reconciliation process by the fourth quarter of this fiscal year.
  - The standardized audit report is intended to effectively summarize the results of the particular project and inform senior University leadership of overall risks and efforts that will be taken to mitigate those issues.
  - Our standard distribution list helps ensure that the results of audits are brought to the attention of the appropriate University leadership: Chancellor, audit committee, University management, campus management, business unit management and other relevant functions.
Follow-up of the implementation of agreed actions is conducted about one year after the exit meeting. Additional monitoring may be supported by follow-up visits in cases considered necessary by internal audit management, particularly for audits where significant weaknesses were identified.
Self-Assessment with Audit Substantiation (SAAS)
Internal Controls
KU Internal Audit assesses internal control in the context of the COSO model pictured below.
COSO defines internal control as processes enacted by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
The KU model includes the additional categories of the safeguarding of assets and the security of confidential data.
In performing our reviews, we consider the five components of internal control:
- Control Environment
- Risk Assessment
- Information and Communication
- Control Activities
- Monitoring
Our process focuses on the control activities of the units and how they contribute to, or hinder, University resource and financial management. Control activities include approvals, authorizations, verifications, reconciliations, reviews of performance, security of assets, segregation of duties, and controls over information systems including general and application controls.
