Your Guide to Internal Audit

Audit Services

Operational Audits
Operational auditing is a current analysis of an organization's mission, goals, and objectives. An operational audit also evaluates the effectiveness and efficiency of operations. Operational audits result in an assessment of compliance, efficiency, economy, and effectiveness of management practices and controls associated with these operational functions.

Compliance Audits
Compliance auditing is a comprehensive review of operations to determine whether they comply with internal policies and procedures, established laws, regulations and standards. Compliance audits may also examine standards of conduct and ethics.

Information System / Technology Audits
Information systems auditing examines risk management, control, and governance. The framework of application controls, general computer controls, and systems controls are also addressed.

Financial Audits
Financial auditing is a retrospective analysis intended to determine whether an organization's financial information was properly recorded and adequately supported. A financial audit also provides an assessment as to the accuracy, fairness, and reliability of information provided in the preparation of the financial statement.

Follow-Up Audits
Follow-up auditing is a means of monitoring the disposition of audit results that have been previously communicated to management. The follow-up audit assesses implementation of management response to audit recommendations, and evaluates the adequacy and timeliness of corrective action.

Advisory Services, Special Requests, and Investigations
Advisory services are typically client-requested activities, with scope and objectives are agreed upon in advance with the client, intended to add value and improve an organization's effectiveness. Other special requests may include limited scope reviews of operational and financial activities or investigations of suspected improprieties.

What is Internal Control?

Internal control is a process designed to provide reasonable assurance regarding achievement of objectives in the following categories:

• Operations relating to effective and efficient use of UT Permian Basin resources
• Financial reporting relating to preparation of reliable published financial statements
• Compliance relating to UT Permian Basin's compliance with applicable laws and regulations

Internal control consists of the following five interrelated components:

1. Control environment Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by management.
2. Risk assessment Risk assessment is the identification and analysis of risks that have the ability to impede the achievement of stated goals and objectives. It is a precursor for determining how risks should be managed. Preconditions to a risk assessment is the establishment of goals and objectives.
3. Control activities Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. They include a range of activities such as approvals, authorizations, verifications, reconciliation, reviews of operating performance, security of assets, and segregation of duties.
4. Information and communication Pertinent information must be identified, captured, and communicated in a form and time frame that enables employees to carry out their responsibilities. Information systems produce reports, containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal not only with internally-generated data, but also with information about external events, activities, and conditions necessary for informed business decision-making and external reporting.
5. Monitoring Internal control systems need to be monitored. This is accomplished through ongoing monitoring activities or separate evaluations. It includes regular management and supervisory activities, and other actions personnel take when performing their duties.

When looking at any one category (Operations, Financial Reporting, Compliance), all five of the components, listed above, must be present and functioning effectively to conclude that internal control over operations is effective.

What are the key concepts for internal controls?

• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is affected by people. It is not merely policy manuals and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to management.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

When is internal control effective?

Internal control can be judged effective in each of the three categories, respectively, if management has reasonable assurance that they understand the extent to which:

• the entity's operational objectives are being achieved,
• published financial statements are being prepared reliably, and
• applicable laws and regulations are being complied with.

What are factors limiting internal controls?

• Judgment – Managers in a well-controlled organization can make bad decisions.
• Breakdowns – People with control responsibilities may not carry them out effectively.
• Management Override – Managers may intentionally go outside established practices for illegitimate purposes.
• Cost vs. Benefit – When resources are limited, managers properly accept a degree of risk when the cost of controlling the risk exceeds the benefit

The Audit Process

Each year Internal Audit and Advisory Services prepares an Annual Internal Audit Work Plan. Audits and advisory engagements are selected through a risk assessment process that focuses on areas of greatest risk and opportunity for improvement in areas such as internal control, cost savings, revenue enhancement, and increased efficiency. Additional audit and advisory areas are selected based on management requests, external requirements, and legislative focus. At the beginning of each audit engagement, meetings are held with management to discuss the scope, objectives, and timing of the work to be performed.

Audits are performed in four phases:

1. Planning involves research performed to assess risks and determine existing controls in place. The team may survey the department, conduct interviews, flowchart processes, and review other documentation in order to obtain a complete understanding of the audit area and finalize the scope and objectives of the engagement.
2. Fieldwork generally involves evaluating and testing the activities being audited. The audit team will determine whether controls are adequate and whether operations are conducted in an efficient and effective manner. Sufficient evidence will be developed to support audit observations and recommendations may be made for improving processes.
3. Reporting begins with preliminary observations that are discussed with management near the conclusion of the audit. During this meeting, the audit team reviews and discusses all observations and potential actions management may take to enhance operations or correct any deficiencies. A draft report is then prepared and provided to management for review. The final report includes details of the audit observations and actions planned by management to address each.
4. Follow-up is a periodic review in which the progress and implementation status of the management action plans resulting from audits are assessed and verified.