Why does WFU have an Office of Internal Audit (OIA) function ?
OIA exists by charter from the Board of Trustees  to assist University management and the Audit/Compliance Committees of the Board (Trustees and Directors) to fulfill their responsibilities. We are charged with reviewing the reliability and integrity of information; compliance with policies, plans, laws, and regulations, safeguarding of assets, and the economical and efficient use of resources.  OIA is a part of the Compliance Office.

Who are internal auditors?
As defined by the Institute of Internal Auditors (IIA), "internal auditors are "business generalists" who specialize in efficiency and effectiveness for the good of the organization”.

Their roles include monitoring, assessing, and analyzing organizational risk and control; reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are held at bay and that the organization’s corporate governance is strong and effective.

When there are opportunities for improvement anywhere within the organization, internal auditors make recommendations for enhancing internal controls and procedures.

What are Internal Controls and Who is Responsible for Them?
Internal controls are processes designed to provide reasonable assurance regarding the achievement of objectives. Internal controls can be categorized as either accounting controls or administrative controls. Accounting controls are designed to safeguard University assets and ensure the accuracy of financial records. Administrative controls are designed to promote operational efficiency, effectiveness, and adherence to University policies and procedures.

Management, not OIA,  is responsible for designing and maintaining an adequate system of internal control.

What’s the difference between external and internal auditors?
External auditors are independent public accounting firms (e.g. KPMG) with which WFU enters into a contract.  They review the University’s annual financial statements to ensure the information presented accurately portrays WFU’s financial condition.   

Internal auditors generally perform all other types of reviews, often in much more detail. Traditionally OIA has assisted the external auditors on various testwork and procedures.

Where are WFU internal auditors located?
We have two offices currently that our 7 auditors use.  Piedmont Plaza II Suite 305 houses our main office with a satellite office in Reynolda Hall.  Our It auditor also has office space in the Reynolda campus IS building.  Typically auditors spend  much time out “in the field” on site. 

What expertise or professional certifications do OIA staff have?
CPA (Certified Public Accountant)
CFE (Certified Fraud Examiner)
CISA (Certified Information Systems Auditor)
CIA (Certified Internal Auditor)
CISSP (Certified Information System Security Professional)
CHC (Certified in Health Care Compliance)
CBM (Certified Business Manager)
CICA (Certified Internal Controls Auditor)
CFF (Certified Financial Forensics)
CRP (Certified Risk Professional

Average related-work experience of current staff is 21 years.

How are internal auditors selected/recruited?
When we have a job opening we post through the normal WFUHS (HR) process.  A four year degree is required but not everyone must be an accounting/finance major or computer security expert.  Experience in related work, especially at WFU or WFUHS, is considered very valuable.

What is the diversity of OIA work?
We review various risk areas and associated controls that mitigate these risks.  Our work is interesting because we provide wide coverage in many areas such as  revenue collections, computer security, research grant compliance, clinic billing and receipt, athletic ticket sales, travel reimbursements, credit card compliance, asset tracking, conflicts of interest, fraud, construction projects, physical security, EH&S, tax law compliance, payroll, HR, bookstore inventory, dialysis centers, etc. 

What organizations does OIA serve?
Our scope includes the Reynolda campus, Medical school and WFUP, subsidiaries such as downtown research, Reynolda House, Graylyn Conference Center, etc.  NCBH has their own internal auditors

How are audit areas selected?
We perform an annual risk assessment, create a draft of potential projects based on risk, and present these to the President and Boards for approval.  We consider $$ flow, changes affecting that area, lessons learned from peer entities, time since last audit, new laws, management surveys, OIA judgment, etc.

How can I report a concern to OIA?
Call us at 716-9419 or call the confidential/anonymous Hotline at 1-877-880-7888.

If chosen for an audit, what can I do to cooperate?
Provide information timely, make your staff and documents and systems available as needed.  Also when writing a response to a recommendation, please describe an action plan to address identified risks, including a target date for completion.

What are internal auditors looking for?
Internal auditors are primarily concerned with compliance with policies and adequate and a reasonable level of internal controls.  Protection of assets is also important.  All of these help protect the University from unnecessary risks and help to ensure sound business practices are consistent throughout the University.

Can a department/unit request an audit?
Yes.  We take requests for audit work, although our ability to perform the audit may be affected by our staffing levels, annual audit plan, or year-end deadlines..

Also, to be pro-active you may print out and complete the Internal Controls Questionnaire (ICQ) found on this website and send it to us for evaluation.  We can give you informal feedback without issuing a report.

What does a typical internal audit include?
Common elements of an internal audit engagement include the following:

• Sending an introductory letter to the responsible individual(s) of the unit/department/area.
• Scheduling an entrance meeting to discuss audit objectives, timing, and intended report distribution.
• Evaluating internal control systems
• Testing to ensure proper operation of internal control systems
• Developing conclusions based on test results and other assessments
• Reviewing audit issues and draft audit reports with management and staff
• Preparing and distributing an audit report which generally include management's responses to the issues identified
  

We try to be as non-intrusive and non-disruptive as possible.  We ARE on the same side and try to work together with you to make you successful.  A follow up review on the status of improvements will be performed within six months.

Are auditors encouraged to write up lots of control weaknesses?
No.  We do not get paid based on the number of audit findings.  Some reports have no findings !  Often verbal suggestions are made for less significant observations.

Who will receive copies of the audit report?
After we meet with you to discuss our observations and  go through a draft of the memo,  we insert your responses to each observation (if any) and then send copies of audit reports to the individual responsible for the area under review and his or her direct supervisor,  and typically the Executive VP for that area, depending on the type of audit.

If I disagree with an audit finding, what recourse do I have?
Hopefully we can agree on the facts of a situation and then come up with a mutual solution.  However differences of opinion sometimes exist.  You may explain your position in your written response and we will include it in the final memo, word for word.

You should explain any plans to implement compensating controls and affirm acceptance of any residual risks.  If we think the residual risk is significant, we are required to report this concern.

Does the Board get audit reports?
Typically no.  We prepare a report for the two Audit Committees annually, summarizing the most significant findings from our audits.