Internal Auditor


Welcome to PSU's Internal Audit Department website. This website was developed to provide you with information about our department and the services we provide to the University. These pages will tell you who we are, what we do, and how we can help you. We hope to demystify the role of Internal Audit and increase the lines of communication. If you have any suggestions, concerns, or questions about the department or need help in finding some specific information on our website, please feel free to call us at (620) 235-6167. We value your feedback.

A robust internal auditing department is beneficial to an organization on many levels. Our professionals help identify strengths and opportunities for improvement in the daily operations of a department or office, identify and communicate risk and risk exposure, offer solutions to improve efficiency, present catalysts for positive change and provide cost effective management advisory services.

Internal Audit

LaDonna Flynn, Director

201 Russ Hall

Pittsburg State University

1701 S. Broadway

Pittsburg, KS. 66762

Phone: 620-235-6167

Email: lflynn@pittstate.edu

Report Concerns: internalaudit@pittstate.edu

Department Information


  • Mission, Vision & Values
  • Types of Audits
  • Audit Process
  • External Audit
  • Internal Controls

Mission Statement:

Internal Audit at Pittsburg State University is an independent, objective assurance and consulting activity designed to add value and improve the organization's operations.   Internal Audit aims to assist Pittsburg State University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.  Internal Audit assists university management and the Board of Regents Fiscal Affairs and Audit Standing Committee in identifying, avoiding, and mitigating risks.

Vision Statement:

The Internal Auditor strives to continually add value and mitigate risk through evaluations of the university’s operations.  The Internal Auditor will partner with management to identify areas of risk and work collaboratively with management to improve processes, efficiencies, and the control environment.  The Internal Auditor is concerned with any University activity where it can be of service to management, faculty, and staff.

Core Values:

  • Customer Service – Provide uncompromised services and build relationships
  • Value Added – Initiate activities which result in added value
  • Integrity – Communicate and act with honesty, fairness, openness, respect, and empathy
  • Trustworthiness – Keep promises and follow through on commitments

We perform a wide range of audit services at the University, including: financial audits, compliance audits, operational audits, information technology audits, consulting/advisory services, and special investigations. Most audits are integrated, encompassing financial, operational, compliance and information technology audits. Should you have any questions or concerns regarding types of audits, we encourage you to contact us.

  • Financial Audits address questions regarding internal controls, accounting and the propriety of financial transactions.
  • Compliance Audits determine the degree of adherence to laws, regulations, policies, and procedures of the University, the State of Kansas Board of Regents, the Federal government, and other regulatory agencies such as the NCAA.
  • Operational Audits review the use of resources and procedures/practices in the department being audited to determine if goals and objectives are being met in the most effective and efficient manner. A key component of operational audits is to assess the internal control environment of the unit to manage and mitigate inherent risks.
  • Information Technology Audits evaluate system processing controls, data security, physical security, systems development procedures, contingency planning, and systems requirements.
  • Consulting and Advisory Services are requested by management and encompass a wide range of activities. We will facilitate risk assessments, business process analysis, data analysis or information technology assessments. We are also available to consult on new system implementations, process and system redesign initiatives, and policy changes.
  • Special Investigations are performed in response to allegations received by our office through internal and external sources. Allegations are prioritized and investigated based on an assessment of potential risk to the University.

Audit Goals:

  1. Risk-based auditing
  2. Address stakeholders' (supervisor, department chair, dean, executive management) concerns
  3. No surprises to the client

Introduction:

You hear that the auditors are coming to conduct an entrance conference or fieldwork at your department.  You may ask,

  • What will I have to do? 
  • How was my department selected for an audit?
  • How much of a disruption will this be to my normal operations?
  • Should I show the auditor everything I do?

The most successful audit projects are those in which you, the audit client, and Internal Audit have a constructive working relationship.  Our objective is to have your continued involvement at every phase so you understand what we are doing and why, while trying to minimize disruptions of your daily activities.

Although every audit project is unique, the audit process is similar for most audits and consists of the same phases.  There are five phases of our audit process, each one requiring involvement from you, our audit client.  In the annual audit plan phase, your supervisors, department chairs, deans, and executive management complete a risk assessment questionnaire.  During planning, we work with you to understand and learn about your area so that we can develop steps to evaluate the processes and controls currently in place.  Fieldwork consists of specific testing steps we perform to identify whether the controls are mitigating the risks.  Reporting of our results takes place through a transparent reporting process involving you, the audit client.  Finally, follow-up is where we come back to you after a period of time to reassess the progress made against your agreed-upon management responses.  Each of the following sections describes the above phases in more detail.

Annual Audit Plan:

Every other year we conduct a University-wide risk assessment in the spring.  We interview the supervisors, department chairs, and deans of each department utilizing a standardized questionnaire. This questionnaire identifies specific risk criteria within six general areas of risk:

  1. Financial Risk
  2. Management Control & Operations Risk
  3. Strategic Risk
  4. Compliance & Public Interest Risk
  5. Information Technology Risk
  6. Audit History & Judgment Risk

We have developed the questions to attempt to objectively determine the amount of risk in the department relative to each risk criterion.  Each individual criterion is given a score from one (low risk) to five (high risk) and the sum of all those scores determines the department’s risk ranking.  We evaluate those departments with high-risk rankings and develop the annual audit plan.  We present the proposed annual audit plan to the President and the Fiscal Affairs and Audit Committee of the Kansas Board of Regents for review and approval.

Planning:

The planning phase is extremely important to the success of the overall audit.  During the planning phase we:

  • Gather relevant background information about your department via: your strategic plan, your policies and procedures, your job descriptions, ACUA resources, Google searches, and e-mail discussion lists
  • Review the background information we gathered to understand your department’s goals and objectives  
  • Conduct an opening meeting with you to provide education about the audit process, obtain your list of high risks affecting your department, and obtain your general concerns about your department
  • Develop a department level risk assessment to determine which risks are high and what processes should be reviewed during fieldwork
  • Develop the audit scope and objectives for your audit and provide you with the audit scope and objectives
  • Develop the audit program – an outline of the fieldwork steps necessary to achieve the audit objective

Fieldwork:

It is during this phase that we gather relevant information about your department in order to obtain a general overview of your operations and internal controls and perform transaction testing.  During fieldwork, we determine whether the controls identified are operating efficiently and are adequately controlling the risks identified during the planning phase.  During the fieldwork we:

  • Conduct inquiry interviews with you and/or your staff to obtain an understanding and documentation of your departmental policies, processes, and related internal controls
  • Observe you and/or your staff performing their daily operations and obtain copies of your documentation
  • Review supporting documentation for your historic transactions based on a sample selection
  • Keep you informed of the process and any findings we may have, if possible

Reporting:

During the reporting phase, we schedule several meetings: preliminary close meetings and a final close meeting.

  • 1st preliminary close meeting – includes us and you and your staff; your staff is included in this meeting at your discretion
  • 2nd preliminary close meeting – includes us and your direct supervisor; you are included in this meeting at your supervisor’s discretion
  • Final close meeting – includes us, the President, and the associated Vice President; you may be asked by your Vice President to attend this meeting
  • By having the first meeting with you and not your supervisors, there should be no surprise to you once we discuss the audit with your supervisors.

1st preliminary close meeting:

When the fieldwork is complete, we schedule the first preliminary closing meeting with you and your staff to discuss the audit results.  During this meeting, we discuss our findings and recommendations.  Typically, this information is in the format of a finding spreadsheet.  This is an opportunity to help us better understand any results that require more context or to explain those we may have misinterpreted.  Our recommendations are just that, recommendations based on our knowledge of the subject or a best practice we identified during our research of the audit area. 

At the conclusion of this meeting, we request that you provide us with your management responses to our audit findings and suggested recommendations.  Your management responses are usually required back to us within 2 weeks.  Your management response is either:

  • Acceptance of our recommendation and how you will implement the recommendation
  • Partial acceptance of our recommendation and how you will implement the recommendation
  • A new recommendation you developed to resolve the finding and how you will implement the recommendation
  • Or a statement that you, the management, accept the risk and will not be making any changes to your process and why

As you can see, this meeting is very important because we seek your agreement or disagreement to each audit finding and recommendation, and your opinion as to the reasonableness of each recommendation.  We do not want a recommendation whose cost outweighs the risk.  We want the recommendations to mitigate the risk identified but also for them to work with you, not against you.

Between the first and second preliminary meeting, we draft the audit report based on the information in the audit finding spreadsheet.  At this point, we adjust the wording if necessary to make the report sound more like an audit report and less like a spreadsheet.  We also give an overall opinion regarding the audit results.  Once we receive your management responses, we include them in the draft audit report.   We send you the draft report for your review.

2nd preliminary close meeting:

Once we have received your management responses and you have reviewed the draft report, we meet with your direct supervisor to discuss the draft audit report.  We discuss the audit findings, recommendations, and your management responses.  We make any revisions recommended during the second preliminary close meeting to the draft audit report. 

Final close meeting:

The final close meeting is very similar to the second preliminary meeting except the President and Vice President of your area are in the meeting to discuss the draft audit report.  We discuss the audit findings, recommendations, and your management responses.  At the conclusion of the meeting, we request the approval of the draft audit report.  We receive the approval of the draft audit report via email.  We change the draft report into a final report and send it electronically to you, your supervisor, your Vice President, and the President.

As part of our self-evaluation program, we ask you and/or your staff to comment on our performance.  We send you an email with a link to our post-audit survey after the final close meeting.  This survey helps our department evaluate our strengths and weaknesses and foster future improvements in our audit process.

Follow up:

Once a year in April or May, we perform audit follow up.  During audit follow up, we send you an email requesting that you provide us with the status of your management responses.  We want to know if you have implemented the recommendations.  Sometimes we request more information from you to test whether you have completely implemented the recommendations.  We create a report of the number of outstanding recommendations.  The report is issued to the President.

As we have pointed out, during each phase in the audit process you have the opportunity to participate.  There is no doubt that the process works best when we have a solid working relationship based on clear and continuing communication.  Many departments extend this working relationship beyond the initial audit.  Once we have worked with you on a project, we have an understanding of the unique characteristics of your department’s operations.  As a result, we can help evaluate future changes or modifications in your operations.

External auditors are auditors who are not employed by the University and are performing an audit or review of any of the following:

  • The University's financial statements
  • Specific programs within the University (e.g., NCAA, Financial Aid, etc.)
  • Grants

When a department is notified by an external auditor about an upcoming audit or review, the department should:

  • Ask and obtain answers to the following:
      1. What audit organization do you represent?
      2. What type of audit is this?
  • Then perform the following:
      1. Notify Internal Audit department of the audit
      2. Invite Internal Audit to the opening meeting

How should I handle an external auditor?

Do's:

  • Be courteous, cooperative, and professional. An angry auditor is not a friendly auditor.
  • Obtain a written notification of the audit or review. The notification letter should outline:
      1. The audit scope
      2. The name of the auditor in charge
      3. Timing of the audit
      4. Requirements and expectations of the university
  • Forward a copy of the notification letter to the Internal Audit department.
  • Obtain an Information Request List outlining all of the documentation needed by the auditors, complete with due dates.
  • Attend the audit entrance meeting scheduled with Internal Audit and the external auditors.
  • Ask questions about anything requiring clarification at the entrance meeting.
  • Provide all of the documentation requested on the Information Request List on time (i.e., on or before the due date).
  • Be proactive. Notify the auditor of any request that cannot be met and the reason(s) why. Some examples may include:
      1. Other significant deadlines (e.g., year-end closure, other reporting deadlines, student registration, etc.)
      2. Staff shortages
      3. Document no longer used or available (but provide a viable substitute)
      4. System contingencies or restrictions for data (but discuss other viable alternatives)
    If the auditor knows about any possible issues up front, they can deal with them more effectively as they proceed with the audit rather than reacting to them as they arise.
  • Assist the auditors with their specific requests. The longer it takes the auditors to complete their work, the longer they will be on campus.
  • Answer only the questions asked by the auditors.
  • Forward copies of all written communications received from the auditor to the Internal Audit department.
  • Contact the Internal Audit department if any issues arise concerning the audit, the auditors, or possible findings as soon as they arise.
  • Be positive.
  • Send the Internal Audit department a copy of the final report.
  • Attend the audit closing meeting scheduled with Internal Audit and the external auditors.

Don'ts:

  • Don't be rude. An angry auditor is not a friendly auditor.
  • Don't spring any surprises on the auditor. Auditors don't like surprises, particularly if they have a potentially significant impact on the audit scope, potential findings, or the audit report.
  • Don't provide any extraneous, unrequested information. If you are unsure about the information and how it may relate to the audit, but the auditor has not specifically requested it, consult with Internal Audit first and a decision will be made on how to respond.

Internal controls are broadly defined as processes, affected by an organization's people, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Reliability and integrity of financial and operational information.
  • Effectiveness and efficiency of operations and programs.
  • Safeguarding of assets.
  • Compliance with laws, regulations, policies, procedures, and contracts.

Control Categories:

  • Effectiveness and efficiency of operations
      1. Processes run smoothly and help us meet our objectives
  • Reliability of financial reporting
      1. Numbers are accurate and are an aid to decision-making
  • Compliance with laws and regulations
      1. Stay out of trouble
  • Safeguarding of assets

We believe everyone uses internal controls in their typical daily activities such as the following:

  • Did you lock your doors at home before leaving for work?
    Probably so because you wanted to protect the assets in your home from theft.
  • Do you write your PIN number on your debit card?
    Probably not because you know if you lose your card, you would also most likely lose your money.
  • Do you balance your bank statement each month?
    Hopefully, because it ensures you know the correct balance in your account, ensures no one has inappropriately accessed your funds, and ensures that the bank hasn't made mistakes in their records.

Most internal controls can be classified as preventive or detective. Preventive controls are designed to discourage errors or irregularities.

  • A computer application which checks validity prevents the entry of an invalid account number.
  • Reading and understanding University Human Resource policies, such as Work Hours [for PA Staff], helps prevent violations of the Federal Fair Labor Standards Act. [Human Resources Professional Staff Policy 2.14]
  • A manager's review of purchases for propriety and validity prior to approval prevents inappropriate expenditures.

Detective controls are designed to identify an error or irregularity after it has occurred.

  • An exception report detects and lists incorrect or invalid entries or transactions.
  • A comparison of validated Cash Receipt Vouchers to monthly financial statements will detect deposits posted to erroneous accounts.
  • The manager's review of long distance telephone charges will detect improper or personal calls that should not have been charged to the account.

Internal Audit assists the University in maintaining effective controls by evaluating their effectiveness and efficiency, making recommendations for improved controls, and by promoting continuous improvement as part of our internal auditing and consulting activity. Every employee plays a role in either strengthening or weakening our University's internal control system.

Below is a list of typical best business practices in maintaining an effective control environment:

  • Set a strong example for the expectation of ethical behavior, compliance with laws/policies, and communicate your expectations routinely to your unit's personnel.
  • Never sign something you do not understand.
  • Limit signature authority and do not let anyone sign your name (an employee should sign their own name). Never use a signature stamp.
  • If something does not make sense ask questions about it until it does. Pay attention to what your employees are doing.
  • Be familiar with University policies and procedures. Be willing to call and ask questions.
  • Consider unique risks your unit may have (e.g., cash collections, contracts and grants, etc.) and ensure additional oversight is provided.
  • Ensure level reports are reconciled monthly and review this reconciliation for any unusual transactions.
  • Do not let one employee have complete control of any process.
  • Keep offices and labs locked to protect property, data, and other resources. (Remember to shred paper documents with identifying information.)
  • Ensure University assets are used for University business.

  • Internal Audit Charter
  • Keys to a Successful Audit
  • Post Audit Survey
  • Policies & Resources
  • Compliance and Ethics

Purpose:

Internal Audit has been established at Pittsburg State University as an independent, objective assurance and consulting activity designed to add value and improve the organization's operations.  The objective of an internal audit activity is to help an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.  To this end, internal auditing furnishes analysis, appraisals, recommendations, counsel, and information concerning the activities reviewed.  The Internal Auditor is concerned with any phase of University activity where it can be of service to management.

Scope:

The scope of activities of the Internal Auditor encompasses examining and evaluating the adequacy and effectiveness of the University’s systems of internal control and the operating efficiency of those controls against established higher education standards.

The scope of the examination and evaluation performed in divisions of the University includes:

  • Reviewing the reliability and the integrity of financial and operating information and the means used to identify, measure, classify and report such information.
  • Reviewing the systems established to ensure compliance with relevant policies, plans, procedures, laws, and regulations which could have a significant impact on a particular division’s operations or reports, and determining the extent to which Pittsburg State University is in compliance.
  • Reviewing the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
  • Appraising the economy and the efficiency with which resources are employed.
  • Reviewing operations or programs to ascertain that the procedures of those operations or programs are being implemented as intended, and that results of that implementation are consistent with established objectives and goals.

Authority and Responsibility:

The responsibility of the Internal Auditor is to serve Pittsburg State University in a manner that is consistent with the International Standards for the Professional Practice of Internal Auditing and with professional standards of conduct such as the Code of Ethics of the Institute of Internal Auditors, Inc.  This includes coordinating activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts in order to best achieve the audit objectives of the organization.

Internal Audit is an integral part of the University and reports directly to the President and indirectly to the Kansas Board of Regents.  The Internal Auditor shall remain independent and objective with the ability to report directly to the Kansas Board of Regents Audit Committee any situation wherein the auditor perceives a conflict of interest with, or on the part of, the President’s involvement with the subject of an audit. 

In performing audits, the Internal Auditor shall assert no direct responsibility or authority over the activities being reviewed.  Therefore, the review and appraisal of an activity does not in any manner relieve other persons within the institution of responsibilities assigned to them. 

The Internal Auditor is to be advised of all external auditors from firms and Federal or State agencies who are performing audits on University or related corporation records, systems, or procedures.

All University offices and employees are expected to cooperate fully with Internal Audit in the performance of its duties.  The Internal Auditor shall have full, free, and unrestricted access to any and all University functions, records, personnel, and properties deemed relevant to the activity under review.  Audits of related corporations will be authorized by invitation only, as the University and any affiliated corporations are separate legal entities.

 

Updated and Approved 2/1/2007

The most important items needed from you for a successful audit are cooperation and good communication with us. Here are some specific examples of what you can do to facilitate the audit process:

  • Schedule personnel for audit activities such as interviews, observation, or walkthroughs;
  • Make the pertinent data, records, and technology resources available to us;
  • Review preliminary findings and provide written responses regarding corrective actions and specified time frames;
  • Establish and maintain required controls;
  • Share your concerns with us;
  • Review the audit objectives and scope presented for your area, and ask questions if you don't understand why certain activities have been included or excluded;
  • Be proactive, monitor and report progress of your corrective actions to us.

The purpose of this survey is to solicit your feedback regarding the services we provided during your recent audit. This feedback will be used to evaluate our strengths and weaknesses and foster future improvements in our audit processes.

We request that you, or the staff member most familiar with your recent audit, complete and submit the survey. Please be candid. We sincerely appreciate your feedback.

At Pittsburg State University, we believe that our core values of honesty, integrity, respect and cooperation, are not simply words written in a strategic plan or on a website page. They are something that we all live by each and every day while striving to provide transformational experiences for our students and the community.
