Frequently Asked Questions
Who determines what Internal Audit audits?
Planning for most audits begins many months before an audit is assigned. During the spring or summer of every year, Internal Audit goes through an extensive process to determine which topics are high risk and may warrant review in the coming fiscal year. Audits are focused on the areas that we believe pose the greatest risk of financial or other loss to the organization. We ask constituents from across campus and all related entities to identify and rank major risks to the organization. That data, along with other financial, human resource, industry, and risk data, is used to determine how to utilize audit resources most effectively. The result is an annual Audit Plan. Some operations of the organization are considered high risk and thus, so important that they get reviewed routinely. Audits may also come about from requests or tips by the Board of Trustees, the President, management, and employees.
Who gets the audit reports?
We usually present audit reports to responsible operating management first and subsequently to the Board of Trustees and executive management. Follow-up reviews are performed to verify the implementation of management’s action plans resulting from the audit. The Board of Trustees and executive management also receive follow-up reports.
What kind of audits do you perform?
Most of our audits are compliance or operational - we examine internal controls, test for compliance with state and federal laws and other regulations and guidance, and look for ways to improve operational efficiencies.
Other audits include investigations (to determine the validity of allegations received) and consulting (review or gather information or provide advice on some specific problem management has asked for our assistance in solving).
Who do you work for?
We provide internal audit services for the University, the Authority, UMA, and the affiliated Foundations.
Why is it important for MUSC to have an Internal Audit Department?
Internal Audit assists the Board of Trustees (Audit Committee) and management in assessing the effectiveness and efficiency of operations, the ethical climate, and compliance with policies, procedures, regulations, and overall best business practices. An independent internal auditing activity provides a systemic approach to assessing high risk operational areas throughout the organization. Internal audit provides an objective assessment of internal controls, and risk management processes. Internal auditors also have expertise in understanding organizational risks and internal controls available to mitigate those risks. Organizations that do not have an internal audit function may not be in the best position to provide skilled, independent, and objective opinions on internal controls. Our goal is to benefit the organization. Therefore, we pledge the following to our audit clients:
- Internal Audit staff will be professional, independent, and objective.
- We will communicate with our clients throughout the audit process.
Why is segregation of duties important?
Good internal controls prevent an employee from performing more than one phase of any business transaction. The four phases of a transaction include approval, execution, custody, and recording. Often, especially in small entities, it is not possible to adequately segregate duties. In these cases, it is important to employ mitigating controls to ensure that the effect of segregation occurs. When duties are properly segregated the potential for loss or inappropriate use of assets is minimized. A lack of segregation of duties is often a contributing factor in occurrences of fraud. Supervisory review of work is essential, but it does not replace the need for the proper segregation of duties.
Can I request a review or audit?
Yes. Internal Audit’s key responsibility is to assist the organization in improving its internal controls and operations. As such, we will attempt to comply with all audit requests, but keep in mind that Internal Audit resources are limited and requests must be prioritized.
Why is Information Technology (IT) Auditing important?
Consider how many of our business processes are dependent on or use information technology resources. An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of evidence obtained from an IT audit helps determine if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. With so much reliance on information technology in business today, the need for IT audit is ever increasing.
What are IT controls?
IT controls provide for assurance related to the reliability of information and information services. IT controls help mitigate the risks associated with an organization’s use of technology.
Who audits the auditor?
Internal Audit follows Government Auditing Standards which require a peer review every three years. Additionally, we conduct an annual quality self-assessment.