What standards guide the work of internal audit professionals?
As part of The Institute of Internal Auditors' International Professional Practices Framework (IPPF), the International Standards for the Professional Practice of Internal Auditing (Standards) outline the tenets of the internal audit profession. Other applicable guidance, pronouncements, and regulations may also have an impact on how internal auditing is performed, and may provide clarification and delineation of acceptable and recommended processes.
What is the difference between an internal auditor and an external auditor?
As internal auditors, we are employed by Georgia Tech and uphold the same organizational mission, values, and goals. External auditors are independent of Georgia Tech and generally have a narrower scope on their audits, depending on what entity they represent. For example, external auditors from Certified Public Accounting firms may only review Georgia Tech's financial statements, or external auditors from federal agencies may only review compliance on sponsored projects with their specific regulations.
Who does Internal Auditing report to?
The Chief Audit Executive has a dual-reporting relationship with the President at Georgia Tech and the Vice Chancellor for Internal Audit at the University System of Georgia.
Who audits Internal Auditing?
The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing (Standards) requires an assessment of the internal audit function, at least once every five years, by a qualified, independent assessor or assessment team from outside the Institute. Our Chief Audit Executive will discuss with the Vice Chancellor for Internal Audit at the University System of Georgia the form and frequency of external assessment, and the qualifications and independence of the external assessor or assessment team, including any potential conflict of interest. The results of the assessment will be communicated to the President at Georgia Tech and the Vice Chancellor for Internal Audit at the University System of Georgia.
My department received a notification that we are being audited. Did we do something wrong?
No. The Department of Internal Auditing takes a risk-based approach to audit planning. Annually, an Institute-wide risk assessment is conducted with leadership across campus to identify the areas where our audit resources should be prioritized. This risk assessment is used to develop our audit plan for each fiscal year.
Our department just had an audit. Why is DIA performing another audit?
Depending on the nature and extent of the audit performed by external auditors, DIA may conduct another audit of the same processes and transactions. Generally, the scope of these external audits is very limited, and they are not as in-depth or substantial as those performed by DIA. We do, however, consider the results of these audits and/or coordinate with these other auditors to eliminate or reduce duplication of effort.
Will an auditor show up at my department unannounced?
No. During the planning stage of an audit, a notification letter is sent to the audit client and an entrance conference is held so that timing is discussed and confirmed.
How long does an audit take?
An audit can vary in length depending on the complexity of the audit and the amount of time it may take for a department to provide the information that is requested.
What about confidentiality?
Our auditors do not share detailed information of audits with each other. We have access to all records of the Institute, and we maintain confidentiality with all information in our possession.
Will I be kept informed during the audit process and will I have a chance for input before the audit report is issued?
Yes. During the audit, the assigned auditor(s) will keep you and your employees informed of progress. Auditors may discuss some audit issues with you or your staff during the fieldwork. However, all issues will be discussed with you during the exit meeting at the end of fieldwork.
During the fieldwork, please ask questions and talk to the auditors. Please make time for them while they are performing your audit. Our auditors understand you are busy and have jobs to do. They will try to stay out of your way as much as possible. If you would like more frequent updates or are simply curious, just ask.
Take advantage of the exit meeting. Ask questions and don't be afraid to disagree with an audit observation. The purpose of the exit meeting is to communicate issues and make sure they are accurately resolved. We will make reasonable efforts to work with you.
Is having an audit observation bad?
Having an observation in your report is not necessarily bad. Our audit observations are meant to provide you with information so that you can effectively manage risks in your area of responsibility that may prevent you from achieving your objectives. Observations generally assist you in performing your responsibilities more adequately and effectively.
My report had a lot of observations. Are my operations that bad?
Not necessarily. The observations we list for you prior to the exit meeting are opportunities we have identified to help you manage risks more adequately and effectively. We take the view that you are our client, and we strive to provide you with the best and most comprehensive information for you to make decisions to improve the procedures and controls in your area of responsibility.
What should we include in our management response?
When we send the draft report, there are three sections in the report that we will ask you to fill out:
- Whether you agree or disagree with the issues and recommendations
- Management action plans to correct and prevent the recurrence of the issue
- Name and Title of Employee(s) Responsible for Implementing Corrective Action
- Target Date for Implementing Corrective Action
Can my department ask for assistance if we are not being audited?
Yes, we are happy to assist – contact us. We will meet (virtually or in-person) to discuss your department's needs. Our staff will work to understand all aspects of your department in order to create a long-term working partnership.
How can our department help the Department of Internal Auditing?
You can help by doing the following:
- Document and maintain procedures in easily accessible manuals. Include current organizational charts, detailed position descriptions, and duty lists.
- Develop an understanding of internal control structures: why, when, and how to separate duties; how to cross-check to ensure the accuracy of records; how to keep control accounts and reconcile data; and how to control automated systems for processing data.
- Maintain "audit trails" – the documents or evidence accompanying and supporting references to transactions or actions authorized by management. Adequate audit trails include:
  - Requiring signature approvals
  - Developing efficient forms or computerized processes to document important, routine decisions
  - Maintaining memoranda documenting important and unusual decisions.
- Conduct and document your own quality control reviews, including action taken to address problems and adhere to requirements to retain documents.
Finally, if you receive a notification of audit, please review "Audit Preparation".
What should I do if I suspect someone is committing fraud, waste, or misconduct?
Bring it to the attention of your supervisor. Tell them what you are noticing and that you wanted to let them know. If you do not feel comfortable reporting it to your supervisor, you may report it anonymously at https://secure.ethicspoint.com/domain/media/en/gui/7508/index.html.