Department of Internal Audit and Compliance

Internal Audit Frequently Asked Questions

How can our office benefit from an internal audit?

Observations resulting from an internal audit will help you administer your processes and procedures more efficiently and effectively. They also help you assess the integrity of your information systems and compliance with external regulations and University policies.

Who gets copies of the audit report? What about confidentiality? Can anyone see the auditor’s report?

All final audit reports will be distributed to the relevant administrators of the area audited (typically a Vice President or Dean), their relevant direct reports, all direct and indirect supervisors of the addressee, General Counsel, and the Chief Financial Officer, and will be made available to the President and Board of Trustees. The external auditors and Auditor of State may request and receive copies of any and all audit reports. Draft reports will be distributed to those employees with responsibility for replying to the report, as agreed during the entrance conference.

While Internal Audit is empowered to have unrestricted and unfettered access to all records, we are careful in respecting their confidentiality. The UToledo Internal Audit Charter states that all information obtained by the Internal Audit and Compliance department staff while performing their assigned duties shall be treated with confidentiality. It is understood that certain University items, due to their sensitive nature, require additional accommodations when examining and reporting upon such items.

Since UToledo is a public university, the work papers that Internal Audit prepares may be accessible under Ohio law. As such, all public records requests, including those of Internal Audit documents, should be processed by the Legal Affairs Department. In order to obtain the fullest disclosure of information possible, one should refrain from requesting work paper documents and reports until the audit engagement has been closed and an audit report has been issued.

What can our office do to help Internal Audit achieve its mission?

  • Respond to our data requests fully and completely, in as timely and professional a manner as possible
  • Be transparent regarding internal control deficiencies you are aware of
  • Be as realistic as possible regarding the implementation of corrective actions from the audit
  • Communicate with us after the audit regarding the status of implementing corrective actions
  • Advise us of any major changes to your operation, including organizational changes, new system implementations, major capital projects, and changes to strategic direction
  • Advise us of any external audits, examinations, or consulting projects affecting your functional area prior to them taking place, so that we can adjust our audit planning accordingly (per the approved UToledo Internal Audit Charter)

Will our office get in trouble should issues be identified during an internal audit?

Findings arising from an internal audit should not be viewed negatively, especially if a department or business process is not audited frequently. Rarely does an audit result in no findings or opportunities for improvement. Internal Audit cannot insist that management implement the corrective action we recommend. However, with the mandate given to UToledo Internal Audit by the highest levels of the University, swiftly implementing corrective action to those issues identified during an audit makes good business sense.

Not implementing corrective actions to previously-raised internal control deficiencies is a more serious matter, as management has not taken the necessary steps to adequately protect University resources, which affects all employees, students, business partners, taxpayers, and other stakeholders.

Why did our office get selected to be audited? Does it mean we are in trouble?

The majority of UToledo’s internal audits are planned for well in advance. We use a risk assessment process that incorporates feedback from management and the Board on areas of concern from existing operations or new initiatives. We remain flexible in accommodating requests for new audit work within reason. Audits typically are not scheduled due to discomfort with a particular employee. The following are among the factors we in UToledo Internal Audit use to assess risk:

  • Dollar Materiality
  • Transaction Volume
  • Internal Accounting Controls
  • Loss Susceptibility/Experience

We also consider the last time an audit was conducted in your area and the dependency of the area on other UToledo departments. In addition, we consider the role of information technology within the area and other external factors, including the regulatory climate. While determining what gets audited is admittedly an inexact science, given the number of stakeholders we engage for feedback, we are confident that we audit the right areas every year. While your area may have been selected for an audit, it does not mean that you personally are in trouble or have done anything wrong.

How can our office prepare for an internal audit?

Before we come to perform an audit, an announcement is made to local and senior management of the functional area being audited, in plenty of time before our work is scheduled to begin, either by letter, electronic mail, or phone. We will ask for some background on the area being audited, to help facilitate our review. These are some of the items we typically ask for, but it is not a comprehensive list.

  • an organization chart
  • job descriptions for key personnel
  • list of employee names
  • department goals and objectives
  • list of recent relevant transactions, preferably in electronic format
  • department budget code(s)
  • department operating policies and procedures manual
  • inventory listings for both equipment and software
  • cell phone usage list with approved authorizations
  • small purchase charge card documentation

We will also ask local management to inform their team about the upcoming audit, and that they should cooperate fully with the audit team. We will also request any information that will enable us to minimize disruptions to the department’s schedule.

Who can request an internal audit at UToledo?

Any UToledo employee or Board member can request an internal audit. However, due to headcount limitations, we must determine whether the requested audit poses a greater risk to the university than existing projects on the audit plan. Risk and exposure to the university is a determining factor in the scheduling of an unplanned internal audit.

Do you ever follow up on findings raised during previous internal audits?

Yes, significant findings raised in an internal audit will be re-audited to confirm that planned corrective actions were implemented by management. We strive to conduct follow-up reviews shortly after the corrective actions are implemented, typically six to nine months after the original audit. Based on the significance of findings in the original audit and management’s success in implementing corrective action, Internal Audit will communicate the results of a follow-up audit via formal report or through less formal channels.

Our office understands that Internal Audit will help me manage the risks in the area. So what exactly is a “business risk”?

A business risk is anything that could jeopardize achieving your goals, operating effectively and efficiently, protecting the University’s assets from loss, providing reliable financial data, and complying with applicable laws, policies, and procedures.
When attempting to identify business risks, ask yourself:

  • What could go wrong?
  • How could someone steal from us?
  • What policies are we most affected by?
  • How can someone bypass the internal controls?

What could go wrong in your area? Could a fire break out in your research lab? Could a key local system/application go down? Can a key employee call in sick? Can the media become aware of procurement card fraud? Could a safety or security incident occur with a faculty/student/staff member overseas? Is cash missing from departmental funds? Can faculty hire family members inappropriately? Use your imagination!

It is not enough to identify the business risks – each risk needs to also be assessed. In other words, you should estimate the chance that a risk will actually occur and the potential effect/impact.

All types of risk could be foreseeable when considering compliance with federal regulations. In the IT arena, security, privacy, and access risks should be considered. Disaster recovery planning should consider risks such as a flu outbreak or incidents like the tragedy at Virginia Tech. Functional areas that deal with student, faculty, and employment safety issues should consider stress, counseling, and workplace violence risks. And facilities and construction management processes should consider risks in managing and monitoring building construction.

What are the “lines of business” within UToledo Internal Audit?

Following are the key service lines currently offered by UT Internal Audit and its Compliance and Privacy Office:

Internal Audit

  • Financial and Operational Audits
  • Information Technology Audits
  • General Testing Guidelines (advisory services to end users working to implement new systems) 
  • Commercial Contract Audits (reviews of vendor compliance with terms and provisions of construction and service contracts, often resulting in the identification of billing errors) 
  • NCAA (Other Regulatory) Audits
  • Data Privacy Audits
  • Attorney-Client Privilege Audits/Projects
  • Control Self-Assessments
  • Business Process Improvement (consulting projects using tools such as Six Sigma, forensic accounting, and cost accounting to perform deep operational assessments)
  • Special Investigations (control-focused)
  • Internal Control Consulting
  • New Policy Compliance Audits/Projects
  • Best Practices Consulting 
  • Benchmarking Studies 
  • “Best Companies” Services
  • Anonymous Reporting Line
  • Conflict Of Interest Reporting and Auditing
  • Ethics Training (new hires, ongoing computer-based training, etc.)

What is a Control Self-Assessment? How does it differ from an audit?

A Control Self-Assessment (CSA) is a “line of business” offered by the UToledo Internal Audit Department, and is defined as a process by which a department examines and improves existing internal controls and/or implements new internal controls to mitigate risks associated with a process or function. The CSA process entails documentation of the process or function, identification of all risks related to that process or function, and identification and evaluation of all internal controls that should be in place to mitigate the risks to an acceptable level. Each CSA will have its own goals and objectives; however, every CSA will also have the following three global objectives:

  • Communication and understanding of each department’s roles and responsibilities within the selected process or function, including the roles and responsibilities of each individual that is part of the process or function.
  • Determination of acceptable levels of risk.
  • Determination of the correct cost-benefit trade-off for establishing new internal controls.

A CSA differs from an internal audit in that the direction of a CSA is determined by operating department management; the direction of an internal audit is determined by Internal Audit department management. Also, a typical internal audit includes testing of transactions to determine whether internal controls are operating as expected – a CSA typically does not include transaction testing within its scope of work.

What performance measures does UToledo Internal Audit have in place to measure its success?

The following list shows key objectives for conducting University of Toledo internal audits. These performance measures pertain to the following key objectives: a value-adding internal audit function, highly educated and experienced internal audit staff with diverse business backgrounds and professional certifications, an internal audit function that meets stakeholder needs, a complete and timely University-wide risk assessment, and an efficient/cost-effective internal auditing function.

  • Annual investment in internal audit training
  • Average length of service with Internal Audit per internal auditor
  • Average years of experience per internal auditor
  • Cost savings due to internal audit recommendations, per process
  • Frequency of meetings between chief audit executive and senior management
  • Number and cost of anticipated risk occurrences
  • Number and cost of improper or incorrect financial ledger entries
  • Number of best practices identified, per Internal Audit-audited process
  • Number and cost of unanticipated risk occurrences
  • Number of hits to Internal Audit Intranet site
  • Number of internal controls weaknesses or failures identified
  • Number of revisions to the annual audit plan in response to changing risk assessments
  • Percentage of annual Internal Audit budget devoted to training
  • Percentage of audits initiated due to managers’ risk self-assessments
  • Percentage of audits prioritized according to risk
  • Percentage of employees educated about risk factors within their functional area
  • Percentage of Internal Audit training budget devoted to communication skills
  • Percentage of Information Technology projects in which Internal Audit advises in the planning stages
  • Percentage of internal auditors with relevant business experience
  • Percentage of managers aware of Internal Audit and the Internal Audit mission
  • Percentage of requested internal audits performed
  • Percentage reduction in external audit fees attributable to their reliance on internal audit work
  • Quality improvements due to Internal Audit recommendations, per process
  • Time between Internal Audit completion and issuance of Internal Audit report
  • Time reduction due to Internal Audit recommendations, per process
  • Total annual Internal Audit costs, per internal auditor
  • Total annual external audit fees
  • Total cost of internal audit co-sourcing

What is the process for communicating audit results and issuing a UToledo audit report?

Please refer to the attached Policy for Dissemination of an Internal Audit Report. In short, we ensure that the findings of an internal audit are fully communicated to, and understood by, local management of the area being audited. The draft of the report will then be presented to senior management of the affected area to determine any necessary action plans.

What does UToledo Internal Audit do to ensure that it is not perceived as “the police”?

Internal auditing has significantly changed over the years, both in nature and by definition, as compared to the traditional approach. Similarly, the role of the internal auditor has also been redefined from that of being a “policeman” or “fault-finder” to that of an “advisor”, “consultant” and “business partner”. Today, the internal auditor facilitates effective governance and achievement of UToledo’s business objectives.

Since UToledo Internal Audit has two main clients, the Audit Committee of The Board of Trustees and UToledo senior management, part of Internal Audit’s mission will always need to be compliance with existing laws, regulations, policies, and procedures. However, UToledo Internal Audit has implemented a number of new “lines of business”, such as Control Self-Assessments, Business Process Improvement projects, and Continuous Controls Monitoring initiatives intended to position Internal Audit as the “consultant of choice” to senior management for all internal control matters.

Does UToledo Internal Audit ever get audited? If so, by whom?

Yes, internal audit functions may be audited and evaluated like any other business function at UToledo. The Board of Trustees receives Internal Audit's regular reports to its Audit Committee and formally evaluates our performance. In addition, after each significant audit, we request that management complete a brief customer service survey informing us of how well we did our work. Our policy is to cooperate fully with all government entities, accounting firms, external auditors, and other third parties that rely on our work.

Further, The Institute of Internal Auditors (the professional association guiding our work) requires that all internal audit organizations have a quality assurance and improvement program that includes both internal and external assessments. Internal assessments include ongoing monitoring of the performance of the internal audit activity, and an annual self-assessment of internal audit practices. External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside UToledo. UToledo Internal Audit will also participate in peer reviews of our operations using the Association of College and University Auditors’ (ACUA's) Quality Assurance Program.

What qualifications are required to become an internal auditor?

Much like the diverse functional environments they audit, internal auditors may possess a broad range of educational backgrounds. However, most people that gravitate to internal auditing possess finance, accounting, and information systems degrees – persons that have deep operations-based education are also considered good auditors. Previous work experience as an internal auditor, independent accountant, or higher education or healthcare experience is helpful. Professional auditing certifications and operations and industry credentialing demonstrate a strong working knowledge of skill-sets to our client base.

What is the difference between internal auditors and external auditors? Don’t they look at the same stuff?

Internal auditors are individuals within an organization's internal auditing department who evaluate the adequacy of business objectives, risks, and controls at a process level. External auditors are individuals that perform independent audits of the integrity and reliability of the University’s financial statements (CliftonLarsonAllen are UToledo’s external auditors). While there may be differing objectives between the two sets of auditors, it is expected that these two functions closely collaborate and share information of common interest, to minimize disruptions throughout the organization.

What is the Anonymous Reporting Line?

The University of Toledo has selected Compliance Concepts, Inc. to provide you with a simple, risk-free way to anonymously and confidentially report activities that may involve unethical or otherwise inappropriate activity or behavior in violation of the University's established policies. The Anonymous Reporting Line phone number is 1-888-416-1308, or the online reporting tool can be accessed here.

The University of Toledo takes employee concerns very seriously and desires your cooperation in resolving such issues; however, this reporting line service does not replace or supersede existing reporting methods on campus. Employees are encouraged to bring concerns to their supervisor or other campus entities as appropriate. All other matters concerning policy breach or other behavioral and inappropriate activities may be reported using the Compliance Concepts Anonymous Reporting Line.

Protected disclosures and investigatory records will be kept confidential to the extent possible, consistent with the need to conduct an adequate investigation, and in accordance with the Ohio Public Records Act.

Last Updated: 1/3/23