- What if I suspect fraud?
Any person who suspects or has knowledge of fraud or unethical activities at the University should contact the Director in the Internal Audit Office, Campus Safety, or Legal Affairs, to make a confidential report. If you are a University employee, you have a responsibility to report any known or suspected fraud.
You will not be required to identify yourself, but you will be asked to provide as much detailed information as you can about the alleged wrongdoing, so that an adequate and appropriate investigation can be performed.
Additional information on Fraud is available on-line.
Back to the top
- How do you decide what to audit?
Internal Audit schedules audit and consulting projects according to its annual plan, which is reviewed with the Board of Trustees.
We begin the planning process by identifying possible audits. Certain programs may be subject to audit by policy or regulatory requirements. External auditors may raise questions or report findings that suggest the need for detailed internal reviews. University administrators often request audits of specific programs or operations. Our own Internal Audit group also suggests audits based on its broad knowledge of the University, its projects and risks, prior audit findings and related audit work in another area.
Because of time and staff constraints, we cannot audit all possible areas identified. So, the next step in creating our annual audit plan is to evaluate the risks and possible benefits of each possible project. We give priority to higher-risk and higher-benefit projects, required audits, new initiatives, and Board requests, subject to our skills and resources. We also allocate a percentage of available time to unanticipated audits so that we can effectively respond to such needs.
Back to the top
- What are good internal controls? Why should I be concerned?
Good internal controls safeguard or make more efficient and effective use of University assets. They are good business practices that assist you in achieving your objectives. Good internal controls are cost effective, timely, and flexible. Good controls are placed where they are most effective and identify both the problem and its cause.
Senior administrators are responsible for developing a good system of internal controls, but all employees should be concerned about maintaining good internal controls because they are concerned about achieving their objectives.
Our Internal Controls Reference Guide is available on-line.
Back to the top
- What are business risks?
Business risks are simply those circumstances (events or activities) that can adversely affect the achievement of the University's objectives. Some examples include: misappropriation or unauthorized use of funds or assets, false entries to payroll or expense accounts, receipt of substandard supplies, purchases made from suppliers related to buyers or other employees, or negative publicity from Halloween or daylight savings time change disturbances.
More information about Risk Assessment is available on-line.
Back to the top
- Who audits the auditors?
Everyone audits the auditors - there is no single person or group with that responsibility. For example, the Board of Trustees evaluates Internal Audit's performance and receives our report on the progress and results of our plan. The University's external auditors assess the effectiveness and adequacy of our operations during their annual examination of the financial statements. Our clients evaluate us and provide feedback on our performance by completing customer service surveys at the conclusion of our projects.
Ohio University's Internal Auditors are members of several professional organizations, including the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), and the Association of College and University Auditors (ACUA). The Office has adopted the IIA's Standards for the Professional Practice of Internal Auditing and its Code of Ethics as part of its charter. Finally, the Office will request a peer review of its compliance with professional standards as outlined in ACUA's Quality Assurance Program.
Back to the top
- Who gets copies of the audit report?
All final audit reports will be distributed to the relevant administrators of the area audited, and made available to the President, Provost, and Board of Trustees. The external auditors and Auditor of State may request and receive copies of any and all audit reports. Draft reports will be distributed to those employees with responsibility for replying to the report, as agreed during the entrance conference.
Back to the top
- What about confidentiality?
Internal Auditors have access to all records and assets of the University, and we know we have an obligation to maintain the confidentiality of that information. Our charter states that:
"Documents and information given to Internal Auditors during a periodic review will be handled in the same prudent manner as by those employees normally accountable for them. "It is understood that certain University items are confidential in nature and the Internal Auditors will make special arrangements when examining and reporting upon such items."
Each student auditor receives specific instruction on confidentiality requirements and all Internal Auditors sign confidentiality agreements. Back to the top
- How long do I need to keep receipts?
Copies of original documents may be retained for any amount of time; supervisors must use their discretion in determining how long the document will be needed for internal purposes. When the document is no longer needed, it may be discarded.
Original documents, however, must generally be kept for a length of time set forth by various authoritative organizations (IRS, Grants). The Inter-University Council created an official record retention schedule, based on legal and tax requirements, and to which Ohio University subscribes.
In applying the retention requirements, remember that only original source documents must be retained. Therefore, there are no retention requirements for departmental copies of documents that are kept by another department, in original format (e.g., Payroll maintains all time sheets so no other department must).
Additional information about Records Retention is available on-line.
Back to the top
- I have been told that employees must maintain logbooks for every vehicle provided by the University or the Foundation. What information do I need to maintain in my vehicle use logbook?
Logbooks should be updated every time the vehicle is used. They should include the date of the trip, the odometer readings at the beginning and end of the trip, the name of the employee driving the vehicle, the purpose of the trip and any supporting documents that further prove the purpose, i.e. receipts. Keeping all of this information will enable the Finance division to decide whether or not the vehicle was used for personal use, which is considered a taxable benefit.
Back to the top
- How do I ensure that duties performed in my department are properly segregated if there are only two employees in the department?
It can often be difficult for small departments to properly segregate specific functions that it performs. For example, if a department only has three employees and it bills, collects, records, and deposits revenue, it can be a challenge to ensure proper controls over these procedures. In situations such as these, management oversight becomes very important. Management should review all invoices prepared and thoroughly review monthly financial reports and reconciliations. Management should also sign off on any documents they review.
Back to the top
- What qualifications are required to become an auditor?
Auditors have a variety of experience and educational backgrounds, depending upon the nature of the work they perform. It is, perhaps, most common for auditors to pursue accounting, MIS and business degrees in college, because they frequently work with financial data and IT systems. Auditors often acquire professional certifications, including CPA, CIA, CISA, CFE, and CGAP, to evidence their knowledge, understanding and ability to apply professional auditing principles and standards.
Back to the top
- Can anyone see the auditors' report?
Because Ohio University is a public institution, auditors' working papers and reports are subject to public record requests made according to Ohio's sunshine laws. Current policy requires such requests be made via the Office of Legal Affairs. To provide the most accurate and complete information possible, one should refrain from requesting workpaper documents and reports until the audit engagement is complete.
Back to the top
