This document provides an overview of an internal audit presentation. It introduces the internal audit team members and discusses who internal audit is and what they do. It explains the five components of internal control - control environment, risk assessment, control activities, information and communication, and monitoring activities. It also addresses common questions about internal controls and what departments can do to prepare for an internal audit, such as reviewing operations and control self-assessments. The presentation aims to help attendees understand internal auditing and controls.
The Science and Art of Cyber Incident Response (with Case Studies) - Kroll
In this joint presentation for the ISSA-LA Summit X in Los Angeles, Jennifer Rathburn, a cybersecurity and data privacy law expert at Foley & Lardner LLP, and William Dixon, Associate Managing Director in Kroll's Cyber Risk practice, highlight three incident response scenarios and tips on breach preparation and response.
To learn more, contact Jennifer or William at:
Jennifer Rathburn, Foley & Lardner LLP
jrathburn@foley.com; 414-297-5864
William Dixon, Kroll, a Division of Duff & Phelps
william.dixon@kroll.com; 213-247-3973
This is a webinar presented April 14, 2015 by Embry-Riddle Aeronautical University and featuring noted safety expert Dr. Mark Friend. Dr. Friend looks at the topic, "How to make safety work in your company."
Do you have an incident response plan to cover disasters, cyber-attacks, and other threats to your organization? How confident are you that it will work in a real-world situation? While simply having a plan will help you check the box on the audit, it doesn't guarantee effectiveness in a real situation. Assessing your incident response plans through fire drills, desktop exercises, functional scenarios, and full-scale exercises will help your organization truly validate the effectiveness of the plan.
IR assessments are meant to:
- Evaluate plans, policies, and procedures
- Find weaknesses in the plan and gaps in resources
- Improve coordination and communication internally and externally
- Define and validate roles and responsibilities
- Train personnel in their roles and responsibilities
This webinar will provide practical steps for assessing your organization's plans and demonstrate ways to improve them through a methodical and proven approach. After all, incidents occur in almost any organization, whether they're big or small, internal or external. Complete plans that have been tested, backed by trained resources and thorough communication, are the proven recipe to minimize the impact of incidents when they occur.
Our featured speakers for this webinar will be:
- Ted Julian, Chief Marketing Officer, Co3 Systems
- Richard White, Security Intelligence and Operations Principal, HP Enterprise Security Products
Hanrick Curran Audit Training - Internal Controls - March 2013 - Matthew Green
Training delivered to assisting audit staff as part of their continuing professional development/education (CPE/CPD). Provided in a 60 minute session with substantial discussion and interaction.
Empowering the Data Analytics Ecosystem: A Laser Focus on Value
The data analytics ecosystem thrives when every component functions at its peak, unlocking the true potential of data. Here's a laser focus on key areas for an empowered ecosystem:
1. Democratize Access, Not Data:
Granular Access Controls: Provide users with self-service tools tailored to their specific needs, preventing data overload and misuse.
Data Catalogs: Implement robust data catalogs for easy discovery and understanding of available data sources.
2. Foster Collaboration with Clear Roles:
Data Mesh Architecture: Break down data silos by creating a distributed data ownership model with clear ownership and responsibilities.
Collaborative Workspaces: Utilize interactive platforms where data scientists, analysts, and domain experts can work seamlessly together.
3. Leverage Advanced Analytics Strategically:
AI-powered Automation: Automate repetitive tasks like data cleaning and feature engineering, freeing up data talent for higher-level analysis.
Right-Tool Selection: Strategically choose the most effective advanced analytics techniques (e.g., AI, ML) based on specific business problems.
4. Prioritize Data Quality with Automation:
Automated Data Validation: Implement automated data quality checks to identify and rectify errors at the source, minimizing downstream issues.
Data Lineage Tracking: Track the flow of data throughout the ecosystem, ensuring transparency and facilitating root cause analysis for errors.
5. Cultivate a Data-Driven Mindset:
Metrics-Driven Performance Management: Align KPIs and performance metrics with data-driven insights to ensure actionable decision making.
Data Storytelling Workshops: Equip stakeholders with the skills to translate complex data findings into compelling narratives that drive action.
Benefits of a Precise Ecosystem:
Sharpened Focus: Precise access and clear roles ensure everyone works with the most relevant data, maximizing efficiency.
Actionable Insights: Strategic analytics and automated quality checks lead to more reliable and actionable data insights.
Continuous Improvement: Data-driven performance management fosters a culture of learning and continuous improvement.
Sustainable Growth: Empowered by data, organizations can make informed decisions to drive sustainable growth and innovation.
By focusing on these precise actions, organizations can create an empowered data analytics ecosystem that delivers real value by driving data-driven decisions and maximizing the return on their data investment.
Explore our comprehensive data analysis project presentation on predicting product ad campaign performance. Learn how data-driven insights can optimize your marketing strategies and enhance campaign effectiveness. Perfect for professionals and students looking to understand the power of data analysis in advertising. For more details, visit: https://bostoninstituteofanalytics.org/data-science-and-artificial-intelligence/
2. Please silence your cell phones
Take notes – share ideas!
Feel free to ask questions throughout
the presentation.
“The only stupid question is the one
that’s never asked.”
-Ramon Bautista
4. Who is Internal Audit?
What are internal controls?
What can I do to reduce anxiety when I get a
visit from an Internal Auditor?
5. Your Internal Audit Team
Cato Hall, 3rd Floor
Raheel Qureshi, 7-5698
Diana Hill, 7-5695
Tara Pritchett, 7-5694
Tom York, 7-5693
Julie Earls, 7-0049
6. The Internal Audit Department is an
independent and objective assurance and
consulting activity guided by a philosophy of
adding value to improve the operations of the
University. It assists the University in
accomplishing its objectives by bringing a
systematic and disciplined approach to
evaluate and improve the effectiveness of the
University’s governance, risk management,
and internal controls.
7. To enhance and protect organizational
value by providing risk-based and
objective assurance, advice, and
insight.
8. Demonstrates integrity.
Demonstrates competence and due professional care.
Is objective and free from undue influence
(independent).
Aligns with the strategies, objectives, and risks of the
organization.
Is appropriately positioned and adequately resourced.
Demonstrates quality and continuous improvement.
Communicates effectively.
Provides risk-based assurance.
Is insightful, proactive, and future-focused.
Promotes organizational improvement.
9. 1. NCAA Compliance - Transition to FBS Football
2. Capital Campaign Gift Accounting Practices
3. Facilities Management - Design Services
4. Technology Transfer Office
5. Office of Study Abroad
6. Human Resources Department
7. NCAA Compliance - Football Attendance Verification
8. Student Union, Activities and Recreation
9. Belk College of Business Operations Administrative Review
10. Student Accounts Operations
11. Undergraduate Admissions
12. Financial Aid Operations
13. Internal Controls Self Assessment
14. IT Security - Change Management
Status legend: Complete, In Progress, Not Started
10. [Organization chart]
Staff Auditor: Diana Hill
Staff Auditor: Julie Earls
Staff Auditor: Tara Pritchett
Staff Auditor: Raheel Qureshi
Director: Tom York
Chancellor
Vice Chancellor for Business Affairs
Chair, Audit, Compliance and ERM Committee
11. Board/Audit Committee
Senior Management
1st Line of Defense: Department Admins, Business Managers
2nd Line of Defense: Risk Management & Compliance
3rd Line of Defense: Internal Audit
State Auditors
12. That’s you!
College business offices
Business support specialists
Department officers and administrative assistants
Supervisors, managers, directors
13. Risk Management
Compliance Functions (Research, Athletics, etc.)
RMSS – Police and Public Safety, Environmental
Health and Safety
IT Security
Controller’s Office
Director of Compliance – Sue Burgess
17. Internal Controls are steps within a process designed
to provide reasonable assurance regarding the
achievement of objectives:
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable Laws, Regulations,
Policies & Procedures
18. How can the job be completed to the intended
result in an easier, faster way?
How can the job be done with accurate results?
How can the unit reach maximum productivity
using minimal resources?
19. University Policy 601.8 – Appropriate Use of
University Funds:
Appropriated funds
Foundation Funds
Discretionary Funds
Grant funds – University Policy 601.12
20. Federal laws – FERPA, Title IX
State laws – Department of Labor, Department of
Licensing
County/City laws – Waste disposal, code
enforcement
UNC System policies – Personnel, tuition
UNC Charlotte policies – legal.uncc.edu
Compliance calendar
IT Standards and guidelines – itservices.uncc.edu
23. Detective:
Reconciling invoices to ledger
(payments)
Comparing packing list/order contents
with purchase order
What other detective internal controls
can you think of?
24. • Computer username/password
• Preset time out on screen saver
• 49er Mart approval path
• Card swipe door locks
• 2 signatures on DPRs
• Gate arms in controlled parking lots
• Tickets to basketball games
25. What types of controls are:
University Policies?
IT configuration standards?
Error messages or reports?
Prepare data backups from current
systems?
Reconciliation of petty cash?
27. A situation involving exposure to danger.
(Merriam-Webster)
The hazard or chance of loss. (dictionary.com)
A probability or threat of damage, injury,
liability, loss, or any other negative occurrence
that is caused by external or internal
vulnerabilities, and that may be avoided
through preemptive action.
(businessdictionary.com)
28. What “bad thing” could happen in your department?
What is the consequence if it happens?
What is the chance of it happening? (Likelihood)
How big of a deal is it? (Severity)
29. “A process step is a task, activity… that moves an input closer to the final objective.”
The department admin collects timesheets and files them
The office submits the reimbursements to the Travel Office within 30 days
Faculty members send an email requesting supplies and they are stored in a locked cabinet
30. “An internal control… is a critical step within the process that leads to the success of the entire process.”
Supervisors review timesheet submissions monthly to ensure they were completed on time
Supervisors review and approve all travel reimbursements for accuracy before submission to the Travel Office
Department admin staff matches the purchase order, invoice and receiving slip before marking the supply as received in 49er Mart
31. The department admin collects timesheets and files them
The office submits the reimbursements to the Travel Office within 30 days
Faculty members send an email requesting supplies and they are stored in a locked cabinet
Supervisors review timesheet submissions monthly to ensure they were completed on time
Supervisors review and approve all travel reimbursements for accuracy before submission to the Travel Office
Department admin staff matches the purchase order, invoice and receiving slip before marking the supply as received in 49er Mart
32. Test your knowledge!
? Takes inventory of office supplies before submitting an order.
? Create a spreadsheet of all laptops, desktop computers and printers in the department.
? Verify the serial numbers on all laptops, desktops and printers in the department every 6 months. A director signs off on the spreadsheet.
33. Check out the Internal Audit website at
internalaudit.uncc.edu to read more about
Internal Controls vs. Process Steps!
35. Situation:
All supply requisitions come through Lisa (the admin assistant) and are
approved by the center director, Dr. Smith. College faculty working with the
center have had no complaints about Lisa and Dr. Smith thinks things are going
well, so he is surprised when the dean asks him why he has spent so much of
his annual budget so early in the year. He is not sure how to answer the dean
but does manage to say he will look into it. Dr. Smith calls Lisa and asks her
about the center’s spending and she tells him she doesn’t know what the dean
is talking about. She has been ordering what the faculty have asked for and it
has been approved by the college, so she believed everything was fine. He asks
for a spending report and it does show 75% spent and it is only November. He
wants to know more about what is being purchased but does not know what
to ask for or how to get it.
36. Cast:
Kelly: Lab manager and responsible for fixed assets inventory
Mary: The new office manager
Situation
When Kelly first started, keeping track of all the computers was difficult, especially the laptops.
Now that laptops are not part of the inventory, she has a much easier job. Over the years, she
has kept two laptops in the bottom drawer of a file cabinet in the department office. If a faculty
member needs one for a trip or a conference, he or she takes it out and brings it back when the
event is over. Kelly has recently been told that she would be able to attend the association of
lab managers' annual conference. She wanted to take a laptop to check her email and keep up
with 49er Mart, so she went to the file cabinet to get one. When she opened the drawer, it was
empty. She asked Mary where the laptops were. She said, “What laptops? I didn’t know we
had any.” Kelly and Mary went to see the department chair to ask what to do.
38. Control Environment – policies &
procedures, overall tone from management.
Risk Assessment – identify the things that
keep you from accomplishing your
objective.
Control Activities – approvals,
reconciliations, segregation of duties, etc.
Information & Communication – use
relevant information and communicate
appropriately.
Monitoring – How are you doing? Is the
process working?
39. How they apply to you
Control Environment – department head announcing policy changes, how financial reporting is handled and communicated, and how university standards are discussed and enforced
40. How they apply to you
Risk Assessment - considerations for security of cash collected, evaluation of student worker access to department files, and the information security vulnerabilities posed by maintaining a set of laptop computers for check-out by traveling faculty
41. How they apply to you
Control Activities – authorizations, approvals, verifications, reconciliations, business performance reviews, and segregation of duties
42. How they apply to you
Information and Communication - sharing and validating requests for information when received, then sharing and validating responses before their release
43. How they apply to you
Monitoring Activities - regular financial status reports as well as progress reports for major department initiatives
45. Who is Internal Audit?
What are internal controls?
What can I do to reduce anxiety when I get a
visit from an Internal Auditor?
46. What you can do to be proactive before a
visit from Internal Audit
How you can improve controls in your unit
47. Learn University standards
Review admin operations
Determine areas to be addressed in
more detail
Take the Control Self-Assessment
workshop (tomorrow or October 25)
Check out internalaudit.uncc.edu
for more information!
48. We schedule an entrance meeting with the
Director of the department being audited
We provide a list of items that we need for
review, based on the nature of the audit
A timeline is established – typically 6 – 10 weeks
During the course of the audit, we will contact
you regularly with questions and updates – we
encourage you to ask questions, too!
49. Used by Internal Audit to prepare the
work program
“Brain storming” of potential risks
56. A. Compliance with applicable
laws, regulations, policies &
procedures
B. Prevention of fraud
C. Incorporating ethical
business practice standards
D. Periodic reviews by Internal
Audit
57. A. The one you used last.
B. All assigned funds.
C. Only the petty cash fund.
D. The monthly phone bill.
59. A. A means to an end.
B. Authorized procedures.
C. The particular category in which a control
is placed.
D. Steps within a process designed to
provide reasonable assurance regarding
the achievement of your objectives.
60. A. Segregation of Duties
B. Reconciliations
C. Security of Assets
D. All of the Above
62. A. Review Internal Audit’s website for
articles and presentations
B. Attend a Controls Self Assessment
workshop
C. Ask lots of questions
D. All of the above!
63. Cast:
Brittany: Primary admin assistant in the department
for over 10 years. “Go to” person for the faculty
members with reputation as someone who gets the job
done.
Christina: The new staff member
64. Situation:
Due to an unexpected illness of her mother, Brittany was out on sick
leave for two weeks during the time fee payments for lab supplies were
being collected. The chair asked Christina to follow up with those
students who still owed the fee and to give him a status report. As
Christina reviewed the spreadsheet that she found on the shared drive,
some things did not add up. The amount of money on the spreadsheet
did not match what was showing in Banner as deposited. When she
contacted several students listed as still owing the fee, each one said
they had already paid and had a receipt from Brittany. After hearing
and seeing all of this, Christina took her concerns to the chair, who
called Internal Audit.
65. What’s happened here?
What are the first steps to take? How bad is this
situation?
What could the department have done to
prevent or detect this?
What do you do now?
67. Segregation of Duties - Does any one person have too
much control?
Goals and Objectives – Every unit has them. Do you
know yours?
New Employee Onboarding - How do you welcome
someone new?
Policies and procedures – Do you know which ones
apply to you and your department?
Faith, hope and trust are not internal controls - What
are the words most often said after a fraud is
uncovered?
68. Find us on the web at: http://internalaudit.uncc.edu/
University homepage Faculty & Staff Tools & Resources
Editor's Notes
First published in July 2015, these principles articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively.
The first line of defense in risk management implements and manages internal controls. The second line of defense monitors internal controls, as well as provides direction and guidance. The 3rd line of defense is when audit gets involved! The Board, Audit Committee and senior management provide oversight, with senior management overseeing the 1st line and 2nd line, and the Board of Trustees and Audit Committee providing oversight to the 2nd and 3rd lines of defense.
The business units/operational management are responsible for finding out what the risks are in the department, and putting controls in place to make sure those risks don’t happen.
The risk management line of defense assists the business units in implementing controls and monitors the controls that are in place. UNCC also has a compliance director – Sue Burgess – who is in place to monitor separate compliance risks.
Internal audit is the 3rd line of defense. We look at the processes and controls that are in place and make sure that they 1) mitigate the risks identified in the department, and 2) improve efficiency and operations. We don’t write the controls, we don’t implement the controls, we review and make recommendations to improve the controls that are in place.
Controls are in place to provide REASONABLE ASSURANCE. Why do we say that? Because nothing is 100% guaranteed! No process is ever fail-safe – internal controls are in place to increase effectiveness and efficiency of operations, as well as reliability of financial reports and to ensure we are compliant with laws and policies from the federal level, all the way to the University level and all policies and laws in between.
Preventive controls literally prevent errors from happening in the first place. Other examples – passwords, matching invoices to purchase orders, contract review
Detective internal controls find errors after they happen. Other examples: reviewing card swipes on doors for abnormal entry times, reviewing Banner access lists to make sure people who are no longer employed with the university do not have access.
So, in plain English…
Control or Process?
COSO – Committee of Sponsoring Organizations of the Treadway Commission