Quick answers to the most common questions.
+ Why was my department selected to be audited?
A draft audit plan is developed annually based on a University-wide analysis of auditable entities, their inherent level of business risk, and input provided by senior management. Risk factors included in the analysis may include financial, compliance, public relations, physical security, health and safety, and other factors. These factors drive the frequency and intensity of audit activity in the proposed plan, which is presented to the Finance and Audit Committee of the Board of Visitors for comment at their annual June meeting. Any feedback from the committee is incorporated into the plan and it is resubmitted to the Committee for final approval at their annual August meeting.
+ What will the auditors need from me?
Routine documentation requests will include but not be limited to:
• Current organization chart
• Internally documented procedures
• Mission Statement
• Measurables/matrices/score cards
• Contact information of appropriate management and staff
• Most current annual report
• Number of laboratories
• Listing of service centers
• Funds handling, if any
• Listing of individuals having access to the systems under the auditee’s control
Additional background information that the client thinks will assist us in gaining knowledge of established controls, including any recent reviews or consultant reports, are also requested.
+ How long will the audit take?
Audit projects typically last for two to three months for areas of primary focus; however, ancillary participation may include involvement lasting for only one or two weeks. The auditor(s) assigned to your area will give you a reasonable estimate of the time they need to complete the audit, after the planning phase is finished.
+ Will the audit disrupt my department's every day activity?
Like any special project, an audit affects the department's routine to some extent. The University's Internal Audit department makes every effort to minimize this disruption and cooperate with you to ensure a smooth process.
What is the audit process? Click here to review.
+ What are audit ratings?
Internal Audit’s rating system has four tiers within which to assess the controls designed by management to reduce exposures to risk in the area being audited. In addition, the auditor can use professional judgment in constructing the exact wording of the assessment in order to capture varying degrees of deficiency or significance. Definitions and sample wordings for each assessment option follow:
The audit identified opportunities for improvement in the internal control structure but business risks are adequately controlled in most cases.
2. Improvements are Recommended (Adequate)
The audit identified occasional or isolated business risks that were not adequately or consistently controlled.
3. Significant or Immediate Improvements Are Needed
Significant or Immediate Improvements are Needed – The audit identified several control weaknesses that have caused, or are likely to cause, material errors, omissions, or irregularities to go undetected. The weaknesses are of such magnitude that senior management should undertake immediate corrective actions to mitigate the associated business risk and possible damages to the organization.
The audit identified numerous significant business risks for which management has not designed or consistently applied controls prior to the audit. Persistent and pervasive control weaknesses have caused or could cause significant errors, omissions, or irregularities to go undetected. The weaknesses are of such magnitude that senior management must undertake immediate corrective actions to bring the situation under control and avoid additional damages to the organization.
+ What authority is the University Internal Audit given by the Board of Visitors?
The internal audit function has unrestricted access to all university departments, records, reports, activities, property, and personnel that they deem necessary to discharge their audit responsibilities. The internal audit function will exercise discretion in the review of records to assure the necessary confidentiality of matters that come to its attention. Please refer to Policy 3350 for granted authority.
+ What are the types of audits?
The objective of these audits is to contribute to the improvement of risk management and the control systems within the university by identifying and evaluating exposures to business risks and the controls designed by management to reduce those risks.
University Internal Audit will perform risk-based audits of all university operations and activities to appraise:
In order to provide the Finance and Audit Committee of the Board of Visitors and Executive Management with a clear picture of university-wide business practices and compliance with key university fiscal and administrative policies, University Internal Audit began performing an ongoing series of compliance reviews in fiscal year 2003-04. University Internal Audit has concluded that the reviews are most effectively conducted and reported at the senior management (College, Vice President) level. It is at this level where the authority and resources reside to make compliance and good business practices a priority. There are approximately 25 senior management areas identified in the university’s financial system, and each will be reviewed at least once during every five-year cycle.
The ultimate objective of the reviews is to contribute to the improvement of risk management and the control systems within the various senior management areas by evaluating compliance with the following university policies and procedures:
Fiscal Responsibility (Policy 3100)
Expenditures (Policy 3200)
Fixed Asset Management (Policy 3950)
University Key Control (Policy 5620)
Emergency Preparedness (Policy 1005)
State Vehicle Maintenance (Policy 5500)
Family Educational Rights and Privacy Act (FERPA)
University policies can be located at www.policies.vt.edu, including links to the relative operational procedures. Approximately 5 of these reviews are conducted each year. For more information on the compliance review process, contact Bill Abplanalp.
University Internal Audit performs advisory service reviews at the request of management. Advisory service activities, the nature and scope of which are agreed with the client, are intended to add value and improve the university's governance, risk management, and control processes without the internal auditor assuming management responsibility.
For more information or to determine if an advisory service review is right for your organization, contact Carolyn E. Fulk.
Fraud, Waste, and Abuse Investigations
All allegations of fraud, waste, and abuse are treated seriously and reviewed to the extent allowed by the quality of the information provided and evidence available. Click HERE to learn more about fraud, waste, and abuse.
There are three means available for reporting observations of this nature:
The identity of the individual conveying the information remains confidential in any of the above cases. University Internal Audit encourages individuals with information pertaining to potential fraud, waste, or abuse to contact University Internal Audit directly at 540-231-5883. Direct reporting enhances the ability of the reporting individual to assist University Internal Audit in gathering the evidence necessary to substantiate the claim and to initiate corrective action. For more information, please consult the University's policy 1040: Reporting Suspected Fraudulent Activities.
Download a PDF-formatted flyer for posting in departments.
University Internal Audit | Virginia Tech
firstname.lastname@example.org | (540) 231-5883 | North End Center, Suite 3200, Virginia Tech | MC 0328 | Blacksburg, Virginia