FAQs - Quick answers to the most common questions
+ Why was my department selected to be audited?
A draft audit plan is developed annually from a University-wide analysis of auditable entities, their inherent level of business risk, and input provided by senior management. Risk factors considered in the analysis include financial, compliance, public relations, physical security, and health and safety factors, among others. These factors drive the frequency and intensity of audit activity in the proposed plan, which is presented to the Compliance, Audit, and Risk Committee of the Board of Visitors for comment at its annual June meeting. Feedback from the Committee is incorporated into the plan, which is then resubmitted to the Committee for final approval at its annual August meeting.
+ What will the auditors need from me?
Routine documentation requests will include but not be limited to:
• Current organization chart
• Internally documented procedures
• Mission Statement
• Measurables/metrics/scorecards
• Contact information of appropriate management and staff
• Most current annual report
• Number of laboratories
• Listing of service centers
• Funds handling, if any
• Listing of individuals having access to the systems under the auditee’s control
Additional background information that the client believes will help us understand the established controls, including any recent reviews or consultant reports, is also requested.
+ How long will the audit take?
Audit projects typically last two to three months for areas of primary focus; ancillary participation may involve only one or two weeks. Once the planning phase is finished, the auditor(s) assigned to your area will give you a reasonable estimate of the time needed to complete the audit.
+ Will the audit disrupt my department's everyday activity?
Like any special project, an audit affects the department's routine to some extent. The Office of Audit, Risk, and Compliance makes every effort to minimize this disruption and cooperate with you to ensure a smooth process.
+ What is the audit process?
The audit process is described on a separate page.
+ What are audit ratings?
The Office of Audit, Risk, and Compliance’s rating system has four tiers for assessing the controls designed by management to reduce exposure to risk in the area being audited. Within each tier, the auditor may use professional judgment in wording the assessment to capture varying degrees of deficiency or significance. Definitions and sample wordings for each assessment option follow:
The audit identified opportunities for improvement in the internal control structure but business risks are adequately controlled in most cases.
2. Improvements are Recommended (Adequate)
The audit identified occasional or isolated business risks that were not adequately or consistently controlled.
3. Significant or Immediate Improvements Are Needed
The audit identified several control weaknesses that have caused, or are likely to cause, material errors, omissions, or irregularities to go undetected. The weaknesses are of such magnitude that senior management should undertake immediate corrective actions to mitigate the associated business risk and possible damages to the organization.
The audit identified numerous significant business risks for which management has not designed or consistently applied controls prior to the audit. Persistent and pervasive control weaknesses have caused or could cause significant errors, omissions, or irregularities to go undetected. The weaknesses are of such magnitude that senior management must undertake immediate corrective actions to bring the situation under control and avoid additional damages to the organization.
+ What authority is the Office of Audit, Risk, and Compliance given by the Board of Visitors?
The Office of Audit, Risk, and Compliance (OARC) has unrestricted access to all university departments, records, reports, activities, property, and personnel that it deems necessary to discharge its audit responsibilities. OARC exercises discretion in the review of records to preserve the necessary confidentiality of matters that come to its attention. Please refer to Policy 3350 for the granted authority.
+ What are the types of audits?
Risk-Based Assurance Audits
The objective of these audits is to contribute to the improvement of risk management and the control systems within the university by identifying and evaluating exposures to business risk and the controls designed by management to reduce those risks.
The Office of Audit, Risk, and Compliance will perform risk-based audits of all university operations and activities to appraise:
Approximately 20 audits of this type are planned each year. For more information on the risk-based assurance process, contact Sharon Kurek at firstname.lastname@example.org or 540-231-7496.
Policy Compliance Reviews
To give the Compliance, Audit, and Risk Committee of the Board of Visitors and Executive Management a clear picture of university-wide business practices and compliance with key university fiscal and administrative policies, the Office of Audit, Risk, and Compliance began an ongoing series of policy compliance reviews in fiscal year 2003-04. The Office has concluded that the reviews are most effectively conducted and reported at the senior management (College, Vice President) level, where the authority and resources reside to make compliance and good business practices a priority. There are approximately 25 senior management areas identified in the university’s financial system, and each is reviewed at least once during every five-year cycle. The ultimate objective of the reviews is to improve risk management and the control systems within the various senior management areas by evaluating compliance with the following university policies and procedures:
Fiscal Responsibility (Policy 3100)
Expenditures (Policy 3200)
Fixed Asset Management (Policy 3950)
Funds Handling (Policy 3600 and University Bursar procedures)
University Key Control (Policy 5620)
State Vehicle Maintenance (Policy 5500)
Family Educational Rights and Privacy Act (FERPA)
University policies can be found at www.policies.vt.edu, including links to the related operational procedures. Approximately five of these reviews are conducted each year. For more information on the policy compliance review process, contact Sharon Kurek at email@example.com or 540-231-7496.
Advisory Services
The Office of Audit, Risk, and Compliance performs advisory service reviews at the request of management. Advisory service activities, whose nature and scope are agreed with the client, are intended to add value and improve the university's governance, risk management, and control processes without the internal auditor assuming management responsibility.
Examples of advisory services include:
For more information, or to determine whether an advisory service review is right for your organization, contact Ryan Hamilton at firstname.lastname@example.org or 540-231-2530, or Sharon Kurek at email@example.com or 540-231-7496.
Fraud, Waste, and Abuse Investigations
All allegations of fraud, waste, and abuse are treated seriously and reviewed to the extent allowed by the quality of the information provided and evidence available.
There are three means available for reporting observations of this nature:
The identity of the individual conveying the information remains confidential in all of the above cases. The Office of Audit, Risk, and Compliance encourages individuals with information about potential fraud, waste, or abuse to contact the Office directly at 540-231-5883. Direct reporting makes it easier for the reporting individual to help the Office gather the evidence needed to substantiate the claim and to initiate corrective action. For more information, please consult University Policy 1040: Reporting Suspected Fraudulent Activities.
+ What is the Enterprise Risk Management Program?
The purpose of the ERM program is to strengthen the university’s ability to achieve its mission and strategic objectives by effectively managing the key risks, and seizing the opportunities, associated with those objectives. The ERM program is a collaborative effort of the ERM Committee, the Risk Advisory Committee, and the Office of Audit, Risk, and Compliance. For questions regarding the ERM program, please contact Sharon Kurek, Executive Director, Office of Audit, Risk, and Compliance, at (540) 231-5883.
+ What is the Institutional Compliance Program?
The charge of the compliance function within the Office of Audit, Risk, and Compliance is to serve as a resource and a catalyst for achieving university best practices in compliance-related subject matter areas. While the Office of Audit, Risk, and Compliance does not own any discrete compliance subject matter area, it helps promote a culture of compliance and ethical behavior by:
For questions regarding the Institutional Compliance program, please contact Sharon Kurek, Executive Director, Office of Audit, Risk, and Compliance, at (540) 231-5883.
+ What should I do if my department has found inappropriate material on a work computer?
See the Unacceptable Computer Use Guidance for further information.
Office of Audit, Risk, and Compliance | Virginia Tech
firstname.lastname@example.org | (540) 231-5883 | North End Center, Suite 3200, Virginia Tech | MC 0328 | Blacksburg, Virginia