System-Wide Audit Manual
Office of Internal Audit
Updated 2023
Contents
Introduction .............................................................................................................................. 4
Purpose Statement ................................................................................................................... 4
Manual Changes and Updates ................................................................................................ 4
SECTION 1000 PURPOSE, AUTHORITY, RESPONSIBILITY, AND ORGANIZATION .............. 5
1100 Internal Audit Charter and Vision ............................................................................. 5
Mission, Vision, Values ............................................................................................................ 5
Vision Statement ...................................................................................................................... 5
Values ........................................................................................................................................ 6
Strategic Priorities ................................................................................................................... 6
Audit Charter ........................................................................................................................... 6
1200 Reporting, Authority, Proficiency and Due Professional Care ............................... 7
Authority ................................................................................................................................... 7
Organization and Applicability .............................................................................................. 8
Independence and Personnel .................................................................................................. 9
Personnel and Training ......................................................................................................... 10
1300 Quality Assurance, Improvement, and Assessment................................................ 12
Quality Assurance and Improvement Program .................................................................. 12
Communicating Quality and Assessment Results ............................................................... 13
1400 Professional Standards, Ethics, and Disclosures ..................................................... 15
Employee Conduct and Ethics .............................................................................................. 15
Mandatory Disclosures .......................................................................................................... 16
1500 Request for Information ............................................................................................ 17
SECTION 2000 INTERNAL AUDIT FUNCTION, THE ENGAGEMENT, AND COMMUNICATING RESULTS .......... 18
2100 Internal Audit Function ............................................................................................ 18
Audit Services ......................................................................................................................... 18
2200 Engagement Planning ................................................................................................ 22
Planning the Audit ................................................................................................................. 22
Engagement Objectives ......................................................................................................... 22
Engagement Scope ................................................................................................................. 22
Work Program ....................................................................................................................... 23
2300 Performing the Engagement ..................................................................................... 24
Examining & Evaluating Information ................................................................................. 24
Fieldwork ................................................................................................................................ 24
Working Papers ..................................................................................................................... 24
Engagement Supervision ....................................................................................................... 25
2400 Communicating Results ............................................................................................. 27
Report Overview .................................................................................................................... 27
Working Draft Report ........................................................................................................... 27
Discussion Draft Report ........................................................................................................ 27
Final Report ............................................................................................................................ 28
Audit Report Distribution ..................................................................................................... 28
Audit Issues ............................................................................................................................ 29
Audit Observations Rating .................................................................................................... 29
Overall Opinions .................................................................................................................... 30
Criteria for Communicating ................................................................................................. 30
Elements of Audit Report ...................................................................................................... 30
Use of Conformance with IIA Standards............................................................................. 32
Disclosure of Nonconformance with IIA Standards ........................................................... 32
2500 Follow-Up Reporting ........................................................................................................ 33
Reporting on Management Acceptance of Risk .................................................................. 33
APPENDIX AND SUPPLEMENTAL INFORMATION........................................................... 34
Appendix A: Sample System-wide Audit Charter .................................................................. 34
Introduction
Internal auditing is conducted in diverse legal and cultural environments, within organizations that vary in purpose, size, complexity, and structure, and by persons within or outside the organization. Internal Audit (IA) is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. IA consists of both system-office employees and institutional audit staff who collectively make up the University System of Georgia (USG) IA. IA staff across the system accomplish their objectives by bringing a systematic, disciplined approach to evaluating, and recommending improvements to, the effectiveness of risk management, control, and governance processes. IA is authorized by the Board of Regents (BOR) and the Chancellor to support them in the effective fulfillment of their responsibilities and in meeting the objectives of the University's or institutional strategic plans.
Purpose Statement
This manual is intended to be a basic reference document for all IA organizations across the USG. For interpretation of this manual, the words shall and must mean that the area or topic included in the manual is applicable to all audit departments across the system. Conversely, the word should is used to convey that, although strongly suggested, the particular topic or area may not be applicable or implemented across all audit departments. To ensure the manual's usefulness, it should be kept up to date to reflect changes in audit standards, organizational needs, and the overall audit environment. The purpose of this manual is to further supplement existing USG policies and rules. Information in this manual does not replace or supersede existing laws, rules, or other USG policies.
Manual Changes and Updates
Suggestions for revisions to the manual, or discrepancies found in it, are welcomed and should be brought to the attention of the USG Chief Audit Officer (USG CAO) or appropriate designee. All updates will be disseminated for comment or review prior to publication.
SECTION 1000 PURPOSE, AUTHORITY, RESPONSIBILITY, AND ORGANIZATION
1100 Internal Audit Charter and Vision
Mission, Vision, Values
Mission Statement
The mission of the IA function within the USG is to support management in meeting its governance, risk management, compliance, and internal control responsibilities while helping to improve organizational and operational effectiveness and efficiency. The IA function is a core activity that provides management with timely information, advice, and guidance that is objective, accurate, balanced, and useful. The IA function promotes an organizational culture that encourages ethical conduct.
Individuals in IA across the USG accomplish the mission by:
- Reviewing the accuracy and propriety of financial and operating information and the means used to identify, measure, classify, and report such information.
- Examining established systems to ensure compliance with policies, plans, procedures, laws, and regulations which could have a significant impact on operations.
- Validating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Assessing operational practices and organizational efficiencies.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Reviewing the status of information technology policies and procedures, verifying that required hardware, software, and process controls have been implemented and that the controls are functioning properly.
- Consulting and providing guidance on financial and operational processes, controls, related risks, and exposure; providing guidance and advice on control and risk aspects of new policies, systems, processes, and procedures.
- Conducting special audits and/or reviewing specific operations at the request of the institutional presidents, the BOR, or other individuals.
Vision Statement
The vision of the USG audit function is to create an integrated team of assurance, consulting, and compliance professionals that significantly contributes to the improvement of governance, risk management, compliance, and internal control within the USG.
Values
IA departments within the USG adhere to the core values of integrity, excellence, accountability, and respect. Additionally, audit staff promote competence and maintain confidentiality while adhering to all professional standards.
Strategic Priorities
Audit teams within the USG have three strategic priorities:
1. Anticipate and help to prevent and to mitigate high-risk and significant issues.
2. Foster enduring cultural change that results in consistent and quality management of USG operations.
3. Build and develop a comprehensive system-wide team of highly qualified audit professionals.
Audit Charter
The IA charter is a formal document that defines the IA activity's purpose, authority, and responsibility. The IA charter establishes the IA activity's position within the organization, including the nature of the chief audit executive's functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of IA activities. Final approval of the IA charter resides with the board. Annually, the USG Chief Audit Officer (CAO) will obtain approval for the OIA audit charter. Institutional Chief Auditors (ICAs) will obtain the USG CAO's approval for and signature on institutional audit charters.
The nature of assurance services provided to the organization must be defined in the IA charter. If assurances are to be provided to parties outside the organization, the nature of these assurances must also be defined in the IA charter. The nature of consulting services or other services provided by the IA department must be defined in the IA charter. Audit departments across the USG must develop an internal charter. The USG CAO is responsible for establishing the USO audit charter, and institutional audit directors must establish the audit charter for their respective institutions. A sample audit charter can be found in the Appendix.
1200 Reporting, Authority, Proficiency and Due Professional Care
Authority
Governing Authority
There are four primary documents that govern the practice of IA within the USG.
1. Board Policy 7.9 Auditing
https://www.usg.edu/policymanual/section7/C474
2. Committee on IA, Risk, and Compliance Charter
https://www.usg.edu/assets/audit/documents/IARC_-_Compliance_and_Ethics_Charter_-_Signed.pdf
3. USG OIA Charter
https://www.usg.edu/assets/audit/documents/IARC_-_Internal_Audit_Charter_-_Signed.pdf
4. Business Procedures Manual Section 16
http://www.usg.edu/business_procedures_manual/section16/
Collectively, these documents outline the purpose and authority of the IA function, key roles and responsibilities, core processes, and senior management expectations, and guide the USG IA team in conducting the independent appraisal function.
Other relevant governing documents pertaining to enterprise risk management and compliance include:
- Board Policy 7.11 Risk Management
https://www.usg.edu/policymanual/section7/C480
- Board Policy 7.12 Compliance Policy
https://www.usg.edu/policymanual/section7/C490
- Board Policy 8.2.18.1 University System of Georgia Ethics Policy
https://www.usg.edu/policymanual/section8/C224/#p8.2.18_personnel_conduct
All IA staff should be familiar with these documents and ensure compliance with the enumerated requirements.
Scope of Authority
IA functions under the policies established by the BOR of the USG and by institutional management under delegated authority. In accordance with the authority granted by approval of the BOR and applicable federal and state statutes, IA is authorized to have full, free, and unrestricted access to information, including records, computer files, property, and personnel. Except where limited by law, the work of IA is unrestricted. The authority of IA may be restricted by federal classified document rules, which may restrict access in certain cases until required security checks have been performed; by various federal or state work rules, which may restrict physical access for individual personal safety and protection (e.g., clean labs or labs with radioactive isotopes); and by other state authorities (such as the State Attorney General or the Georgia Bureau of Investigation). Any identified restrictions should be noted in the working papers or in the audit report.
In performing the audit function, IA has no direct responsibility for, nor final authority over, any of the activities reviewed. The IA review does not in any way relieve other persons in the organization of the responsibilities assigned to them. The USG CAO and ICAs have the authority to require a written response to audit observations and recommendations contained in audits.
Organization and Applicability
Scope and Applicability
IA reports to a level within the enterprise that allows the IA activity to fulfill its responsibilities. Auditors will maintain independence and objectivity and avoid conflicts of interest when performing audit work. All auditors within the USG are required to implement and follow policies, procedures, and other requirements consistent with the policies and guidelines outlined in this manual.
Organization
One of the goals of the USG and institutional IA teams is to establish an effective IA program and maintain an internal independent appraisal function. Individuals in the IA function assist management by assessing the effectiveness of organizational practices, evaluating organizational policies and procedures, and making recommendations that add value to the organization. IA examines and evaluates business and administrative activities in order to assist all levels of management and members of the BOR in the effective discharge of their responsibilities. IA teams may furnish management with analyses or recommendations and might provide counsel or other appropriate information concerning activities, processes, and records reviewed.
The Governor appoints members of the BOR to a seven-year term, and Regents may be reappointed to subsequent terms. The BOR elects a Chancellor who serves as its chief executive officer and the chief administrative officer of the USG. IA is led by the USG CAO, who reports to the BOR Committee on IA, Risk, and Compliance and to the Chancellor. University System Office audit staff report to the USG CAO. To maintain independence, ICAs have a dual reporting relationship and report to the USG CAO and institutional presidents. Listed below is a high-level organizational chart that depicts the reporting structure of the IA department.
Independence and Personnel
Independence and Reporting Structure
To be effective in performing audit engagements, the audit staff must be independent and objective, both in actuality and in perception. Auditors will also take great care to prevent even a perception of partiality by maintaining a professional distance from the staff of a USG entity/department while performing an engagement. Any conflicts of interest or relationships with auditees or potential auditees should be fully disclosed to the appropriate parties, including engagement clients and IA leadership. In addition, as a general expectation, auditors will not accept any gifts from an employee of the institution which would impair, or be perceived to impair, their professional independence or objectivity. Employees must adhere to the State of Georgia Gratuity Clause and abide by the requirements outlined in the Human Resources Practices Manual and Board Policy 8.2.18.4 concerning gifts.
IA may provide assurance services where they had previously performed consulting services, provided the nature of the consulting did not impair objectivity, and provided individual objectivity is managed when assigning resources to the engagement. Where the chief audit executive has roles and/or responsibilities outside of internal auditing, safeguards must be in place to limit impairments to independence or objectivity.
Dual Reporting
To permit the rendering of the impartial and unbiased judgment essential to the proper conduct of audits, IA will be independent of the activities they audit. This independence is based primarily upon organizational status and objectivity and is required by industry standards. Independence and accountability are essential for the IA function to have credibility and will be paramount in resolving conflicts or issues arising in the implementation of the dual reporting relationships. The IA function is free from interference in determining the scope of engagements, performing work, and communicating results. The USG CAO must disclose any interference with duties to the audit committee chair and/or the entire committee. ICAs must disclose any interference to the USG CAO.
Appointment Changes
Action to appoint, demote, or dismiss the USG CAO requires the approval of the BOR. Action to appoint, demote, or dismiss an ICA requires the concurrence of the USG CAO.
Personnel and Training
Professional Certifications and Continuing Professional Education
To increase the professionalism and credibility of the IA function, employees in the IA department are encouraged to achieve professional certifications, particularly the following designations: Certified Internal Auditor (CIA), Certified Public Accountant (CPA), Certified Information Systems Auditor (CISA), Certified Management Accountant (CMA), Certified Fraud Examiner (CFE), or other appropriate certifications or skills. Employees are encouraged to become members of and participate in the activities offered by professional organizations, particularly the Institute of Internal Auditors (IIA) and the Association of College and University Auditors (ACUA). Employees are also encouraged to pursue advanced degrees that increase and strengthen their skills.
Employee Involvement, Satisfaction and Commitment
IA strives to ensure employees are involved in decisions, are committed to the organization and
team, and are adequately supported in their job responsibilities. IA seeks to ensure employees are
respected and feel their contributions are valued.
Performance Evaluation and Review
IA fosters an environment where all employees should recognize the importance of their individual contributions and understand the impact that their contributions have on the achievement of goals and objectives. The performance evaluation process is an opportunity to highlight the importance of each employee's individual contributions and provide valuable feedback that can enhance the opportunity for ongoing professional growth.
Personnel & Human Resources Information
Auditors within the USG should be aware of any policies and procedures applicable to managing
various aspects of personnel and human resources.
Performance Management
Each employee's immediate supervisor will assess performance, and the assessment might include input from other supervisors within the department. In addition to an annual assessment, each employee may also have a mid-year review. Minimally, IA employees will meet with appropriate management to review and discuss planned goals and objectives and should meet at least annually to review performance results. The USG CAO will provide feedback into the performance evaluations of ICAs and discuss performance goals and expectations. Additional information regarding the performance assessment process can be found at https://www.usg.edu/hr/manual/.
Training and Professional Development
Internal auditors are expected to enhance their knowledge, skills, and other competencies through continuing professional development. The minimum continuing professional education requirements for auditors should be consistent with the requirements of other professional certifications, such as those of the IIA, ISACA, or similar organizations. Staff of the IA department shall complete 40 hours of professional education each year (internal audit functions may adopt a calendar year, fiscal year, or other consistent measure; however, the year used for a particular staff member will default to their certifying authority's CPE year when applicable). This continuing education should be in a field directly related to the job duties of the staff member, and can include topics other than auditing, such as computer technology, ethics training, fraud identification, leadership, process improvement, or other topics deemed timely and pertinent to their job duties at the time the class is taken. Additionally, in order to enhance employee development, employees are encouraged to participate in professional and community organizations that promote the profession of accounting and auditing or help support the mission of the University in some way. Audit functions shall track CPE completion by all audit staff.
1300 Quality Assurance, Improvement, and Assessment
Quality Assurance and Improvement Program
Requirements of the Quality Assessment and Improvement Program
The Chief Audit Officer must develop and maintain a quality assurance and improvement program (QAIP) that covers all aspects of the IA activity. A quality assurance and improvement program is designed to evaluate the IA activity's conformance with the Definition of Internal Auditing, the Standards, and the Code of Ethics. The program also assesses the efficiency and effectiveness of the IA activity and identifies opportunities for improvement.
The scope, maturity, and complexity of the QAIP may vary across the USG. However, each IA function is expected to have a QAIP that includes periodic self-assessments, or assessments by other persons within the organization with sufficient knowledge of IA practices, and ongoing monitoring of the performance of the IA activity.
Sufficient knowledge of IA practices requires at least an understanding of all elements of the International Professional Practices Framework (IPPF). Ongoing monitoring of the performance of the IA activity is conducted by USG internal auditors via several activities, which may include internal risk assessments combined with the Annual Audit Plan and the delivery of value-added reports to the audit client. Periodic self-assessments shall be documented and completed at least annually. ICAs may partner with other ICAs within the USG to complete this activity. Results from the self-assessments, along with any corrective plans, will be communicated to the USG CAO at the annual performance evaluation.
The QAIP assessment will be updated periodically and communicated to appropriate institutional leadership and the USG CAO. The QAIP assessment may answer the following questions:
- How have the ICAs assessed the efficiency and effectiveness of the IA activity?
- What opportunities for improvement has the audit department identified, and what is the plan for capitalizing on those opportunities?
External Assessments of the Internal Audit Function
External assessments must be conducted by each IA function at least once every five years by a qualified, independent assessor or assessment team from outside the organization. The USG CAO must discuss with the Board:
- The form and frequency of external assessment; and
- The qualifications and independence of the external assessor or assessment team, including any potential conflict of interest.
External assessments can be in the form of a full external assessment, or a self-assessment with independent external validation. A qualified assessor or assessment team demonstrates competence in two areas: the professional practice of IA and the external assessment process.
Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of an assessment team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The USG CAO uses professional judgment when assessing whether an assessor or assessment team demonstrates sufficient competence to be qualified. An independent assessor or assessment team may not have a real or an apparent conflict of interest and may not be part of, or under the control of, the organization to which the IA activity belongs.
Assessors may not be currently serving in a USG IA role. The ICA will coordinate with the USG CAO on the selection of the QAR team.
All QAR working papers, reports, and commentary may be stored in USG Onspring.
Communicating Quality and Assessment Results
Reporting on the Quality Assurance and Improvement Program
The Chief Audit Executive must communicate the results of the quality assurance and improvement program to senior management and the Board. The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the Board and considers the responsibilities of the IA activity and Chief Audit Executive as contained in the IA charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments, and the results of ongoing monitoring are communicated at least annually. The results include the assessor's or assessment team's evaluation with respect to the degree of conformance. Upon final release of the QAR report, all results will be communicated to the USG CAO and appropriate management.
Conformance with the International Internal Audit Standards
IA departments may note that the organization "conforms to the International Standards for the Professional Practice of Internal Auditing". The USG CAE may state that the IA activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement. The IA activity conforms to the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards. The results of the quality assurance and improvement program include the results of both internal and external assessments.
Audit Quality and Disclosure of Nonconformance
When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the IA activity, the Chief Audit Executive must disclose the nonconformance and its impact to senior management and the Board. Prior to any disclosures of nonconformance, the ICA should consult with the USG CAO to discuss all issues related to the nonconformance. As a result of the external assessments, ICAs may also disclose any nonconformance with the IIA Standards to management and the Board.
1400 Professional Standards, Ethics, and Disclosures
Employee Conduct and Ethics
Standards and Employee Conduct
IA activity must be formally defined in an IA charter, consistent with the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the Standards. IA shall adhere to the International Professional Practices Framework as issued by the Institute of Internal Auditors (IIA) (https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards.aspx) as well as system or institutional policies and standards related to professional or ethical conduct.
Professional Code of Ethics
Auditors must adhere to the IIA Code of Ethics and, where applicable, should adhere to any institutional or system-wide Code of Ethics requirements. The most current version of the Code of Ethics is located at https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Code-of-Ethics.aspx. In addition, auditors shall consider the Federal Sentencing Guidelines for an effective compliance and ethics program when conducting their work:
http://www.ussc.gov/guidelines/2015-guidelines-manual/archive
Confidentiality
Employees may typically have access to information of a sensitive or confidential nature.
Employees must be prudent in their use of information acquired in the course of their duties, as
well as other information which is available to them. They must not discuss any confidential
information with any parties except for official purposes. Employees shall not use confidential
information for any personal gain or in a manner which would be detrimental to the institution or
any employee or student of an institution.
Employees should not improperly disclose sensitive or otherwise confidential information.
Employees must take adequate measures to prevent the unauthorized release of confidential
materials or information in any medium, including paper copies or computer files. Sensitive,
personal, or confidential information should be adequately secured from theft, reproduction, or
casual observation as prescribed by the USG BPM manual and USG IT Handbook.
Employee Conduct
In the course of their work, employees are likely to be in contact with personnel at all levels of authority and will have responsibilities to both the individuals being audited and management. Auditors are expected to exhibit professional skill, maturity of behavior, and tact in their relations with all of these parties. Employees should guard against any conduct or mannerisms which may impair their objectivity or independence. Auditors should not engage in any acts that might discredit the profession of IA, USG, or an individual institution.
Mandatory Disclosures
Introduction and Purpose
USG CAO and ICAs must disclose to senior management and the Board nonconformance with the Code of Ethics or the Standards that impacts the overall scope or operation of IA activity. Auditors must disclose anything that prohibits or restricts non-conformance to audit standards.
Effective implementation of this procedure will help to ensure ongoing compliance with IA professional standards. Adherence to this standard normally will occur through the ICA’s disclosure to the USG CAO and, as needed, the USG CAO’s disclosure to the audit committee chair and/or the entire audit committee.
Definition
“Mandatory Disclosures” refer to those limitations, constraints, impairments, conflicts of interests, or other situations that materially impact an individual’s ability to achieve the mission, objectives, or scope of the audit. All items that may materially impact the audit team member must be disclosed under the IA professional standards issued by the IIA.
Errors, Irregularities, or Wrongdoing
Management is responsible for establishing and maintaining controls to discourage the perpetration of fraud. Auditors may examine and evaluate the adequacy and effectiveness of controls. However, audit procedures alone are not designed to guarantee the detection of fraud. An error is an unintentional mistake in financial statements, which includes mathematical or clerical mistakes in the underlying records and accounting data from which the financial statements or other reports are prepared, mistakes in the application of accounting principles, and oversight or misinterpretation of facts that existed at the time the reports were prepared. If IA believes that a material error or an irregularity exists in an area under review, the implications of the error or irregularity and its disposition should be reviewed with the responsible management. If it has been determined that an irregularity does exist, IA will notify appropriate management that an irregularity has been identified and of the audit steps needed to determine the extent of the problem.
If the auditor suspects that an act of malfeasance has occurred, he or she must follow the appropriate malfeasance reporting procedures outlined in BPM 16.4 Reporting Wrongdoing.
Responsibility
IAs are responsible for the final determination as to whether a particular situation rises to the level of a mandated disclosure. The USG CAO is also responsible for making the disclosure to the Chancellor and/or the Committee on IA, Risk, and Compliance. The USG CAO shall determine the methods by which the disclosure is made. Employees are required to bring matters that may potentially generate a mandated disclosure to the attention of the USG CAO, ICA, or other appropriate individuals.
1500 Request for Information
Public Records Request
According to O.C.G.A. §50-18-71. (a) All public records shall be open for personal inspection and copying, except those which by order of a court of this state or by law are specifically exempted from disclosure. Records shall be maintained by agencies to the extent and in the manner required by Article 5 of this chapter. (b)(1)(A) Agencies shall produce for inspection all records responsive to a request within a reasonable amount of time not to exceed three business days of receipt of a request; provided, however, that nothing in this chapter shall require agencies to produce records in response to a request if such records did not exist at the time of the request. In those instances, where some, but not all, records are available within three business days, an agency shall make available within that period those records that can be located and produced. In any instance where records are unavailable within three business days of receipt of the request, and responsive records exist, the agency shall, within such time period, provide the requester with a description of such records and a timeline for when the records will be available for inspection or copying and provide the responsive records or access thereto as soon as practicable.
In accordance with the Georgia statute, any copies would be provided at the cost provided for in O.C.G.A. §50-18-71(b). The USG CAO and institutional audit personnel will respond to Open Records Act requests in the spirit expected of public servants and with the openness the Open Records Act anticipates; the Act is intended to be helpful to those who are endeavoring to gain information from the government. IA must respond to, and maintain records documenting the response to, all public records requests in accordance with state law and institutional procedures. The USG CAO and, if applicable, the ICA shall be made aware of all public records requests pertaining to audit work and/or records. Requests for sensitive or high-profile information shall be coordinated through the appropriate counsel.
Contact with Outside Auditors, Legal Counsel, or Media
Generally, all initial/formal contact with outside auditors, legal counsel, or media is to be referred to the USG CAO or appropriate designee. The USG CAO or appropriate designee may work with or have general contact with outside agents. The USG CAO or designee will coordinate the retrieval and release of information with appropriate counsel, designated institutional representatives, or other institutional personnel.
SECTION 2000 INTERNAL AUDIT FUNCTION, THE
ENGAGEMENT, AND COMMUNICATING RESULTS
2100 Internal Audit Function
Audit Services
The scope of the audit work across the organization is to determine whether USG’s internal systems of risk management, control, and governance processes, as designed and represented by management at all levels, and operating policies, procedures, and practices are adequate and functioning in a manner to ensure:
• Risk management processes are effective and significant risks are appropriately identified and managed.
• Ethics and values are promoted within the organization.
• Financial and operational information is accurate, reliable, and timely.
• Individual actions are in compliance with policies, standards, procedures, and applicable laws and regulations.
• Resources are acquired economically, used efficiently, and adequately protected.
• Programs, plans, and objectives are achieved.
• Quality and continuous improvement are fostered in the organization’s risk management and control processes.
• Significant legislative or regulatory compliance issues impacting the organization are recognized and addressed properly.
• Effective organizational performance management and accountability is fostered.
• Coordination of activities and communication of information among the various governance groups occurs as needed.
• The potential occurrence of fraud is evaluated and fraud risk is managed.
• Information technology governance supports USG’s strategies, objectives, and the organization’s privacy framework.
• Information technology security practices adequately protect information assets and are in compliance with applicable policies, rules, and regulations.
• Opportunities for improving management control, quality and effectiveness of services, and the organization’s image identified during audits are communicated by IA to the appropriate levels of management.
Generally, audit activities consist of three types of projects:
• Audits – are assurance services defined as examinations of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples include financial, performance, compliance, systems security and due diligence engagements.
• Special Request, Consulting and Advisory Services – the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the auditor assuming management responsibility. Examples include reviews, recommendations (advice), facilitation, and training.
• Investigations – are independent evaluations of allegations generally focused on improper activities including misuse of university resources, fraud, financial irregularities, significant control weaknesses and unethical behavior or actions. These investigations are not conducted in accordance with IIA Standards.
Risk Assessment, Planning, Selection and Schedule of Engagements
The ICA at each institution submits an audit plan to the USG Office of Internal Audits (OIA) in the prescribed format provided by the USG CAO. Based upon this input and a risk-based audit model, the OIA develops a system-wide audit plan. The implementation of the system-wide audit plan is coordinated with the institutional IA plans to ensure major risks are addressed while minimizing duplication of effort and disruption of auditee operations. Engagements may be pursued at the system level or at an institutional level. The USG CAO has the authority to direct the ICAs to audit specific functions at their institutions.
IA professional standards mandate an audit risk assessment and audit plans. IA will meet these professional standards through maintaining a risk assessment. The OIA risk assessment will focus on issues that present a high degree of risk to the USG and/or USG institutions. The OIA risk assessment will be ongoing and will include input from the BOR, USG and institutional leadership, the Audit, Risk, and Compliance Committee and other sources as appropriate.
During the risk assessment process, auditors may consider:
• Prior Audit Result Risk
• Regulatory & Compliance Risk
• Financial Impact Risk
• Quality and Stability of Control Environment Risk
• Reputation Risk
• Information Confidentiality, Integrity and Availability Risk
• Fraud Risk
• General Management Concern Risk
IAs continually maintain a risk assessment in the mandatory audit software and provide an audit plan for the annual presentation to the Audit Committee in May. All audit plans are reviewed for appropriateness and effectiveness by the USG CAO prior to submission to the Committee for approval. As part of this process, ICAs and/or OIA may recommend new engagements or revised timing for planned engagements. The USG CAO will consider these recommendations and may authorize revisions to the audit plan and engagement schedule as needed.
It is understood that not every key risk will be included in the audit plan for a given year due to resource constraints and the expectation to audit certain functions or areas that are not captured in the risk assessment process.
The USG IA function conducts operational, financial and information technology assurance engagements of USG institutions and the USO, performs system-wide reviews of specific programs and processes, provides consulting services to the USO and to USG institutions, and conducts special reviews and investigations. Audit and assurance provided by IA can take the form of various engagement types:
• Operational Audit - Operational audits are comprehensive examinations of an operating unit or a complete organization to evaluate its performance, as measured by management’s objectives. An operational audit focuses on the efficiency, effectiveness, and economy of operations.
• Financial Audit - Financial audits determine the accuracy and propriety of financial transactions and reporting.
• Compliance Audit - Compliance audits determine whether, and to what degree, there is conformance to certain specific requirements of policy, procedures, standards, or laws and governmental regulations. The auditor must know what policies, procedures, standards, etc., are required. Compliance audits require little preliminary survey work or review of internal controls, except to outline precisely what requirements are being audited. The audit focuses almost exclusively upon detailed testing of conditions.
• Presidential Transition Audit - Presidential Transition audits are used to inform an incoming President at an institution of any major control, financial, and/or operational issues and risks that may need to be addressed at the outset of the new institutional administration.
• Information Technology Audit - Information Technology audits evaluate the accuracy, effectiveness, efficiency and security of electronic and information processing systems that are in production or under development.
• Consulting - Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal audit assuming management responsibility. Examples include counsel, advice, facilitation, and training.
• Special Investigations - Investigations that are designed to identify responsibility for and measure the impact of an act of wrongdoing that has allegedly occurred. This act often will be a violation of state laws/regulations, BOR policies/procedures; or waste/inefficient use of resources.
Directing the IA Activity
The USG CAO and the ICAs will establish policies and procedures for guiding and directing the IA activities of the USG. The identification of the purpose, authority and responsibility of IA should come primarily from the Audit Charter, the IIA Standards of Professional Practice, the definition of Internal Auditing and the IIA’s Code of Ethics.
Reporting to Senior Management and the Board
The USG CAO will meet periodically with the BOR and the Audit Committee to provide updates. Furthermore, the CAO and ICAs must keep management informed of significant risk exposures and control issues, including fraud risks.
External Service Providers
The USG CAO and ICAs are responsible for providing assurance to the BOR and audit committee that any form of IA activity, even when provided externally in part or in whole, meets the quality standards of the professional practice of IA.
2200 Engagement Planning
Internal auditors must develop and document a plan for each engagement, including the
engagement’s objectives, scope, timing, and resource allocations.
Planning the Audit
Prior to conducting fieldwork, IA develops and documents an engagement plan that includes the
project objectives, scope, timing, and resource allocations.
In addition, IA considers relevant systems, records, personnel, and the resources needed for the audit, as well as the following:
• The objectives of the activity being reviewed and how the activity manages performance;
• Significant risks to activity objectives, resources and operations and how risk is maintained at an acceptable level;
• The adequacy and effectiveness of the activity’s governance, risk management and control processes, compared to a relevant control framework or model; and
• The opportunities for making significant improvements to the activity’s governance, risk management and control processes.
Engagement Objectives
During engagement planning, IA conducts a risk assessment of the activity under review and sets
the objectives of the engagement based on this assessment. When setting objectives, IA considers
the following:
• The probability of significant errors, fraud, noncompliance, and other exposures; and
• The extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished.
In the event IA determines adequate criteria have not been established to determine whether goals and
objectives have been accomplished, IA will identify adequate criteria through discussions with
management and/or the board.
Engagement Scope
Once the engagement objectives have been established, IA will set the engagement scope and ensure it is sufficient to achieve the objectives of the engagement. Considerations for setting scope include relevant systems, personnel, and physical properties, including those in the control of third parties. In addition, considerations when setting scope may include, but are not limited to:
• Policies, plans, procedures, laws, regulations and contracts having significant impact on operations
• Organizational information, such as number and names of employees, job descriptions, process flowcharts, or recent changes in the environment
• Budget information, operating results and financial data
• Prior audit work papers and audit reports (including reports of external auditors and other external parties), correspondence files and relevant authoritative and technical literature
Work Program
IA creates work programs based on the scope, objectives and engagement risks to ensure the
achievement of the engagement objective. Work programs contain the following information:
• Scope, sampling methodology and degree of testing required to achieve the audit objectives in each phase of the audit
• Procedures for identifying, analyzing, evaluating and documenting information during the audit
• Technical aspects, risks, processes and transactions which should be examined
Work programs are reviewed and approved prior to beginning engagement fieldwork. For single
person audit departments at the individual institution level, work programs should be reviewed by the
USO OIA prior to the commencement of fieldwork.
Consulting Engagements
IA may perform engagements that are consulting in nature. These engagements generally follow the planning steps outlined above; in addition, IA performs the following steps:
• Documents an understanding with the client(s) related to objectives, scope, responsibilities, and other expectations
• Ensures the scope is sufficient to address the agreed upon objectives
• Addresses controls consistent with the objectives and considers significant control issues
• Discusses scope related reservations with the client(s) to determine whether to continue with the engagement
2300 Performing the Engagement
Examining & Evaluating Information
When performing engagements, IA will analyze sufficient, reliable, relevant, and useful
information to achieve the engagement’s objectives. Conclusions and engagement results will be
based on appropriate analyses and evaluations and documented in the working papers. The
procedures performed during most engagements may include reviewing applicable laws,
regulations, policies and procedures; interviewing selected employees and others; examining
selected documents and records; comparing relationships among financial and nonfinancial
information; and performing observations.
Fieldwork
Fieldwork is the process of gathering evidence and analyzing and evaluating that evidence as
directed by the approved audit program. Evidential matter obtained during the course of the audit
provides the documented basis for the auditor's opinions, observations, and recommendations as
expressed in the audit report. As internal auditors, we are obligated by our professional standards
to act objectively, exercise due professional care, and collect sufficient, competent, relevant, and
useful information to provide a sound basis for audit observations and recommendations.
Throughout fieldwork, professional judgment should be used to (a) determine whether evidence
gathered is sufficient, relevant, competent, and useful to conclude on the established objectives; and
(b) based on the information available, reassess the audit objectives, scope, and procedures to ensure
efficient use of audit resources (e.g., should the remaining audit steps be eliminated, should the
objective or scope be modified, have more efficient procedures been identified, or should additional
hours be allocated to achieve an expanded audit objective). Fieldwork includes:
• Gaining an understanding of the activity, system, or process under review and the prescribed
policies and procedures, supplementing and continuing to build upon the information already
obtained in the preliminary survey.
• Observing conditions or operations.
• Interviewing appropriate personnel.
• Examining assets and accounting, business, and other operational records.
• Analyzing data and information.
• Reviewing systems of internal control and identifying internal control points.
• Evaluating and concluding on the adequacy (effectiveness and efficiency) of internal controls.
• Conducting compliance testing.
• Conducting substantive testing.
• Determining if appropriate action has been taken in regard
Working Papers
Working papers (audit evidence) are the connecting link between the objectives and the auditor’s
report. All pertinent information obtained by internal audit must be documented. Engagement
working papers serve the following purposes:
• Provide a systematic record of work performed;
• Provide a record of the sufficient, reliable, relevant, and useful information and evidence
obtained and developed to support findings, conclusions, and recommendations;
• Provide information to the Project Lead to enable him/her to supervise and manage assignments
and to evaluate auditor performance; and
• Provide a record of information for future use in planning and carrying out subsequent
assignments.
The working papers document various aspects of the engagement process to include planning, risk
assessment, evaluation of the system of internal control, engagement procedures performed,
information obtained, conclusions reached, supervisory review, communication of results, and
follow-up.
Working papers must be neat, competent, relevant, useful, and accurate. Anyone using the working
papers should be able to readily determine their source, purpose, procedures performed, findings,
conclusions and the auditor's recommendations.
The following will be documented on each working paper or referenced to the working paper where
documented:
• The source of the documents utilized to conduct the procedures outlined in the working paper.
Document the individuals contacted and their title.
• The purpose of the working paper will be recorded.
• Procedures performed will be sufficient to fulfill the audit scope and objectives. Procedures
should be prepared in a logical and sequential manner, directly related to the purpose of the
working paper.
• Relevant findings from testing. This should be a short summary of the finding. The finding will
include the condition, criteria, cause, and recommendation.
• Conclusions and recommendations should relate to the purpose. Working papers should be
complete and include support for the conclusions reached. Recommendations should relate to
the nature of the findings and work performed.
Relative to the body of the working paper, the following should be considered:
• Keep the working paper neat and legible.
• Keep in mind that the working paper is being prepared for someone other than you. Assume
they know nothing about the subject matter and write accordingly.
• Whenever you refer to data appearing elsewhere in the working papers, cross-reference both
working papers.
Engagement Supervision
As detailed in other sections of this manual, the Project Lead/CAO/EAD and IT ED provide daily supervision of staff and perform detailed reviews of all working papers prepared by staff. Evidence of supervision in the form of review checklists and/or initials/dates on working papers is prepared and retained in the working papers.
Engagement Record Access - The USG CAO must control access to engagement records. Onspring (USG IA Enterprise System) has been selected as the mandatory platform for storing engagement records and observations.
Record Retention - Records will be kept and managed in accordance with USG Records Retention Policy.
Quality Assurance and Improvement - Quality Assurance Policies and Procedures can be found in Section 3000 of this manual.
2400 Communicating Results
IA must communicate the results of engagements. (IPPF 2400)
Report Overview
USG Policy Manual 7.9.2 assigns the Committee on Internal Audit, Risk and Compliance of the
BOR the responsibility for reviewing audit results, reports and recommendations.
The audit report is a tool to communicate the results of the engagement. Based on the nature of
work, audit subject and needs of the client, the engagement team decides the best report format
to present the engagement results. The audit report generally has the following three phases:
Working Draft Report
Discussion Draft Report
Final Report
Working Draft Report
The working draft report is the initial or first version of the audit report. The engagement team,
specifically, the Project Lead completes the working draft report and submits to the Audit Director
and/or Chief Audit Officer for further review and edits. Since the working draft is only a working
version of the audit report, it is an internal document that must not be distributed or shared outside
of IA.
ICAs are encouraged to share their draft reports with OIA personnel prior to release, to enhance the report quality. Single person audit departments are required to share their draft for feedback with the USG CAO as a means to enhance the report quality.
Discussion Draft Report
The discussion draft report is the next or second version of the audit report. The Project Lead edits
the working draft report into the discussion draft report. The final reviewer in the IA shop
completes a final review and approves the discussion draft for sharing with the audit client.
The engagement team solicits feedback on the discussion draft report from the audit client.
Feedback from the audit client can be obtained through face to face discussion, email discussion,
edits on the face of the draft report, virtual meeting, teleconference or other suitable means.
USG BPM 16.4.4 - Engagement Close-Out and Report Preparation - states “at the conclusion of
the end of engagement, the engagement team will prepare a draft report that details the engagement
executive summary, background, issue ratings (for assurance engagements), engagement
observations, and recommendations. This draft report will be shared with the client’s management
prior to conducting a formal exit conference. At the exit conference, the engagement team will
review the draft report with management, focusing on ratings, observations and recommendations
with specific emphasis on areas where improvement is needed.”
The discussion draft is formally released to the audit client as the draft report. The audit client in turn submits a formal management response to the audit shop. The ICA evaluates whether the management response satisfactorily addresses the audit recommendations. If the management response is not acceptable and further discussion proves unproductive, escalation to senior leadership may be necessary.
Final Report
The ICA incorporates the management response into the draft report and releases it as the final audit report.
USG BPM 16.4.4 - Closing the Engagement – states “After the exit conference, the engagement
team will prepare a final report, taking into account any revisions resulting from the exit
conference and other discussions.”
The USG IA Charter states “OIA and institutional auditors across the system work closely with
senior leadership, departmental directors, institutional leadership committee members, institutional
department heads, and other appropriate personnel as required to conduct audit procedures and
determine final audit results. The President of the institution receiving an IA report from audit
directors will respond within 30 days. This response will indicate agreement or disagreement,
proposed actions, and the dates for completion for each specific finding and recommendation. If a
recommendation is not accepted, the reason should be given. A final written report will be prepared
and issued by the USG CAO or appropriate designee.”
Audit Report Distribution
The USG CAO’s approval is required for release of all OIA reports. Institutional engagement
reports must be submitted to the OIA. All significant and material issues are summarized for
reporting to the BOR Committee on Internal Audit, Risk, and Compliance.
The USG CAO and ICAs must communicate results to the appropriate parties. The CAO and ICAs are responsible for reviewing and approving the final engagement communication before issuance and for deciding to whom and how it will be disseminated. When the USG CAO and ICAs delegate these duties, they retain overall responsibility. The USG CAO and ICAs are responsible for communicating the final results to parties who can ensure that the results are given due consideration. If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization the USG CAO and ICAs:
• Assess the potential risk to the institution;
• Consult with senior management and/or legal counsel as appropriate; and
• Control dissemination by restricting the use of the results.
The USG CAO and ICAs are responsible for communicating the final results of consulting
engagements to clients. During consulting engagements, governance, risk management, and control
issues may be identified. Whenever these issues are significant to the institution, they must be
communicated to senior management and the board.
Audit Issues
The issues in the audit report generally have the following sections:
• Condition – What is? (Opportunity for improvement supported by facts and test results)
• Criteria – What should be? (Standards)
• Effect – So what? (Impact/Risk)
• Cause – Why did it happen?
• Recommendation – What should be done? (Auditor suggestion)
• Management Response – What you will do and when? (Your plan)
Audit Observations Rating
USG BPM 16.4.6 - Exception Ratings - States “individual ratings are assigned to each assurance
engagement observation contained in reports issued.” ICAs must use the USG Internal Audit rating
system. All issues would be included in the audit report but “Comments” would not be presented
in a full audit finding format. The scales for the USG Internal Audit rating systems are listed below.
Report Item Rating Scale
Advisory (Consulting Engagements only)
o Categorized by area reviewed
o Used to identify recommendations contained in a consulting engagement report
Assurance Engagements Rating Scale
No Issue
o Engagement Team did not identify any reportable issue
Comments
o Nominal or minor violations of procedures, rules, or regulations.
o Issue(s) identified are not likely but could have a medium impact on the organization.
o Minor opportunities for improvement.
o Not included in report but are communicated to management during the exit
conference or at the end of the engagement.
Moderate
o Violation of policies/procedures/laws and/or lack of internal controls that either does or could pose a notable level of exposure to the organization.
o Issue(s) identified are (a) either not likely but could have a high impact or are (b) likely and could have a low impact on the organization.
o Notable opportunities to improve effectiveness and efficiency exist.
o Corrective action is needed by management in order to address the noted concern and reduce risks to a more desirable level.
Significant
o Violation of policies/procedures/laws, and/or lack of internal controls that either does or could pose a substantial level of exposure to the organization.
o Issue or issues identified are likely and could have a medium impact on the organization.
o Substantial opportunities to improve effectiveness and efficiency exist.
o Prompt corrective action by management is essential in order to address the noted concern(s) and reduce the risk to the organization.
Material
o Violation of policies/procedures/laws and/or unacceptable level of internal controls that either does or could pose an unacceptable level of exposure to the organization.
o Issue or issues identified are likely and could have high impact on the organization.
o Major opportunities to improve effectiveness and efficiency exist.
o Immediate corrective action by management is required.
Rating matrix (Likelihood versus Impact/Magnitude):
Likelihood      Impact/Magnitude
                Low         Medium        High
Not Likely      No Issue    Comment       Moderate
Likely          Moderate    Significant   Material
Overall Opinions
When an overall opinion is issued, it must take into account the strategies, objectives, and risks of
the institution; and the expectations of senior management, the board, and other stakeholders. The
overall opinion must be supported by sufficient, reliable, relevant, and useful information
including:
Scope, the time period to which the opinion pertains and scope limitations.
Consideration of all related projects, including the reliance on other assurance providers.
A summary of the information that supports the opinion.
The risk or control framework or other criteria used as a basis for the overall opinion; and
The overall opinion, judgment, or conclusion reached.
The reasons for an unfavorable overall opinion must be stated.
Criteria for Communicating
Audit engagement communications must include the engagement’s objectives and scope as well as
applicable conclusions, recommendations, and action plans.
Elements of Audit Report
The audit report may include some or all of the following elements:
Purpose/Objective, Scope and Methodology
Background
Executive Summary
Table of Contents
Findings and Recommendation
Conclusion
Management Response
Exceptions Rating Criteria
Appendix
The USG CAO and ICAs identify the audience for the audit report. To identify the audience, the
USG CAO and ICAs consider who will be the most important readers of the report and how such
readers will use the report. The audience for USG IA reports generally are:
State of Georgia Stakeholders, including the Public
USG Board of Regents (BOR)
BOR Committee on Audit and Compliance
Chancellor
USG Senior Executives
Institution President and Senior Management
Audit Client and Staff
Federal Government cognizant Agency
In addition, the USG CAO and ICAs should consider how much the audience knows about the audit
subject, how the audit issues impact the audience, and why the audience should care about the audit
and its recommendations. In writing the audit report, the USG CAO and ICAs keep the audience as
the central focus, viewing the audit subject from the audience’s perspective.
Considerations for Audit Reporting
In finalizing the audit report, the USG CAO and ICAs perform overall evaluation of the
engagement’s objectives, scope and results as well as the conclusions, recommendations, and action
plans. Other considerations include the following.
The final communication of engagement results must, where appropriate, contain the
auditors’ opinion and/or conclusions. When issued, an opinion or conclusion must take
account of the expectations of senior management, the board, and other stakeholders and
must be supported by sufficient, reliable, relevant, and useful information.
Opinions at the engagement level may be ratings, conclusions, or other descriptions of the
results. Such an engagement may be in relation to controls around a specific process, risk,
or business unit. The formulation of such opinions requires consideration of the engagement
results and their significance.
When releasing engagement results to parties outside the organization, the communication
must include limitations on distribution and use of the results.
Communication of the progress and results of consulting engagements will vary in form and content
depending upon the nature of the engagement and the needs of the client.
Attributes of Audit Report
The USG CAO and ICAs issue audit reports that are accurate, objective, clear, concise, constructive,
complete, and timely.
Accurate communications are free from errors and distortions and are faithful to the
underlying facts.
Objective communications are fair, impartial, and unbiased and are the result of a fair-minded
and balanced assessment of all relevant facts and circumstances.
Clear communications are easily understood and logical, avoiding unnecessary
technical language and providing all significant and relevant information.
Concise communications are to the point and avoid unnecessary elaboration, superfluous
detail, redundancy, and wordiness.
Constructive communications are helpful to the engagement client and the
organization and lead to improvements where needed.
Complete communications lack nothing that is essential to the target audience and include
all significant and relevant information and observations to support recommendations and
conclusions.
Timely communications are opportune and expedient, depending on the significance of the
issue, allowing management to take appropriate corrective action.
Correcting Audit Report Previously Released
If a final report that has been released is subsequently detected to contain a significant error or
omission, the USG CAO and ICAs communicate corrected information to all parties who received
the report.
Use of Conformance with IIA Standards
Stating an audit engagement is “conducted in conformance with the International Standards for
the Professional Practice of Internal Auditing” is appropriate only if the results of the quality
assurance and improvement program support the statement.
Disclosure of Nonconformance with IIA Standards
When nonconformance with the Definition of Internal Auditing, the Code of Ethics or the
Standards impacts a specific engagement, communication of the results must disclose the:
Principle(s) or rule(s) of conduct of the Code of Ethics or the standard(s) with which full
conformance was not achieved.
Reason(s) for nonconformance.
Impact of nonconformance on the engagement and the communicated engagement results.
2500 Follow-Up Reporting
The USG CAO and ICAs utilize Onspring (USG IA Enterprise System) to monitor the disposition
of results communicated to management. The USG CAO and ICAs develop a follow-up process to
monitor and ensure that management actions have been effectively implemented or that senior
management has accepted the risk of not taking action.
USG BPM 16.4.5 - Follow-Up Review - states “follow-up is required of all issues classified as
material. Each material issue shall be reviewed by appropriate internal audit personnel until issue
is closed or resolved. Significant issues may be reviewed after being reported as closed but this
review is not required. The actions taken to resolve the issues are to be reviewed and may be tested
to ensure that the desired results were achieved. In some cases, managers may choose not to
implement an issue recommendation and to accept the risks associated with the issue reported. The
follow-up review will note this as an unresolved exception. The CAO shall periodically report the
status of material issues to the IAR Committee to include the status of issues not closed in a timely
manner. Open or partially resolved engagement issues/findings will be maintained and periodically
updated in Onspring, the USG Internal Audit function enterprise system.”
USG IA Charter states “the USG CAO monitors the implementation of audit recommendations
system-wide. Chief Business Officers and/or ICAs will prepare a report of the implementation
status of all audit recommendations, have it approved by the institutional President and submit it to
the USG CAO on a periodic basis using the procedures established by the USG CAO.
Implementation status of significant and material audit recommendations will be reported
periodically to the Committee.”
Reporting on Management Acceptance of Risk
When the USG CAO and ICAs conclude that management has accepted a level of risk that may be
unacceptable for the institution, the USG CAO and ICAs discuss the matter with senior
management. If they determine that the matter has not been resolved, the USG CAO and ICAs
communicate the matter to the Board. The identification of risk accepted by management may be
observed through an assurance or consulting engagement, monitoring progress on actions taken by
management as a result of prior engagements, or other means.
APPENDIX AND SUPPLEMENTAL INFORMATION
Appendix A: Sample System-wide Audit Charter
UNIVERSITY SYSTEM OF GEORGIA (USG)
SYSTEM-WIDE INTERNAL AUDIT CHARTER
Introduction
Internal Audit (IA) within the USG system provides independent and objective assurance and
consulting services to the BOR, the Chancellor, and institution leadership in order to add value and
improve operations. The IA activity helps USG institutions accomplish their objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk
management, compliance, and internal control processes.
Role of the Internal Audit Function
In order to add value and improve operations, the system-wide audit function provides independent
and objective assurance and consulting services across the system. IA professionals accomplish
their objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of governance, risk management, compliance, and internal control processes. Audit
staff provide recommendations to improve systems, processes, and internal controls designed to
safeguard resources, promote system and institutional mission toward academic excellence, and
ensure compliance with state and federal regulations. Audit teams evaluate and assess established
policies, procedures, and sound business practices.
OIA and the institutional IA staffs will provide IA services for the USG. All ICAs at institutions
having an IA function shall have a direct reporting relationship to the President of that institution and
to the USG CAO. The USG CAO shall have the authority to direct the institutional IA functions to
audit specific areas at their institutions as needed to fulfill the system-wide audit plan. The USG
CAO will report all significant audit issues directly to the Chair of the Committee on Internal Audit,
Risk, and Compliance (Committee) and to the Chancellor.
Organizational Responsibilities
The USG CAO has the responsibility to develop a system-wide audit plan for approval by the
Committee based on a documented risk assessment that encompasses all components of the System.
The system-wide IA plan includes input from ICA. The Committee will approve this plan while the
USG CAO may approve minor changes to the Audit Plan as needed. The USG CAO will coordinate
audit plan implementation with ICAs and with the State Department of Audits and Accounts.
The USG CAO is responsible for providing functional coordination and guidance for System-wide
audit activities to include:
Meet with appropriate component officials to review the status of institution audit work and
available resources.
Approve institutional IA charters.
Review audit results from all institutional internal audits and the State Department of Audits
and Accounts.
Monitor the implementation of audit recommendations system-wide. Chief Business Officers
and/or ICAs will prepare a report of the implementation status of all audit recommendations,
have it approved by the institutional President and submit it to the USG CAO on a periodic
basis using the procedures established by the USG CAO. Implementation status of significant
and material audit recommendations will be reported periodically to the Committee.
Periodically prepare a summary of IAs and highlight matters of interest for audits conducted
at each institution and present such data to the Committee and to the Chancellor.
Attend meetings of the Committee and Board as required.
Ensure that all audits conducted by the University System Office have been thoroughly
reviewed and discussed with appropriate institutional officials prior to being released to the
Chancellor or to the Committee Chair.
Provide formal input to the performance evaluations of institutional chief auditors in
consultation with the respective institutional president.
Institutional IA function may also include the following:
Conduct audits for management in order to contribute to the improvement of governance, risk
management, internal controls, and compliance;
Perform audit planning and quality assurance activities in order to ensure their contributions
to the improvement of governance, risk management, internal controls, and compliance;
Manage and oversee professional and administrative audit staff;
Coordinate audits involving external auditors and other regulatory personnel to help ensure
appropriate cooperation with external agencies;
Recommend policy, business procedures, and other process improvements impacting the
institutional operations;
Prepare and submit audit findings and reports to appropriate management;
Perform special investigations, management reviews, special projects, or other assignments
as assigned by institution management or the USG CAO;
Assist senior management and administrators in the interpretation and application of policies,
rules, and regulations;
Analyze operational issues impacting enterprise-wide processes and organizational areas;
Advise on issues pertaining to financial management and fraud prevention;
Manage and investigate hotline and ethics complaints consistent with procedures outlined in
the BPM.
All IA professionals and system-wide IA functions shall comply with the International Standards for
the Professional Practice of Internal Auditing as published by the Institute of Internal Auditors (IIA).
All USG internal auditors, including institutional and System Office auditors, shall comply with the
IIA Code of Ethics.
Definition of Audit Engagement Scope
The scope of internal auditing encompasses the examination and evaluation of the adequacy and
effectiveness of the organization’s system of governance, risk management, compliance, internal
control and the quality of performance in carrying out assigned responsibilities. The scope will vary
by institution or area and may include:
Review the effectiveness of governance processes to include the:
o Promotion of ethical behavior within the organization;
o Efficiency of organizational performance management and accountability;
o Communication of risk and control information to appropriate areas of the
organization; and,
o Coordination of activities and information among the Board, external and internal
auditors, and management.
Review the effectiveness of risk management processes to include the:
o Alignment of organizational objectives in support of the system-wide and
institutional missions;
o Identification and assessment of significant risks;
o Alignment of risk responses with the acceptable level of risk appetite; and,
o Capturing and communication of relevant system-wide or institutional risk to enable
staff, management, and the Board to carry out their responsibilities.
Review the reliability and integrity of financial and operating information and the means
used to identify, measure, classify, and report such information.
Review established systems and processes to ensure compliance with those policies, plans,
procedures, laws, and regulations which could have a significant impact on operations and
reports and whether the System is in compliance.
Review the means of safeguarding assets and, as appropriate, verify the existence of such
assets.
Review and appraise the economy and efficiency with which resources are employed.
Review operations or programs to ascertain whether results are consistent with established
objectives and goals and whether the operations or programs are being carried out as planned.
Review the status of Information Technology policies and procedures, verifying that required
hardware, software and process controls have been implemented and that the controls are
functioning properly.
Conduct special audits at the request of the Committee Chair, the Chancellor or institution
presidents.
Investigate reported occurrences of fraud, waste, and abuse and recommend controls to both
prevent and detect such occurrences.
Analyze and review institutional or system-wide public private ventures and cooperative
organizations.
Provide consulting services at the request of institution management consistent with the IIA
standards governing consulting engagements that contribute to the improvement of
governance, risk management, compliance, and/or internal controls within the USG or within
a USG institution.
Reporting Procedures
ICAs across the system work closely with senior leadership, departmental directors, institutional
leadership committee members, institutional department heads, and other appropriate personnel as
required to conduct audit procedures and determine final audit results. The President of the institution
receiving an IA report from audit directors will respond within 30 days. This response will indicate
agreement or disagreement, proposed actions, and the dates for completion for each specific finding and
recommendation. If a recommendation is not accepted, the reason should be given. A final written report
will be prepared and issued by the USG CAO or appropriate designee.
Authorization
To the extent permitted by law, the OIA/institutional IA has full access to all activities, records,
properties, and personnel within the USG. The OIA/institutional IA is authorized to review and
appraise all operations, policies, plans, and procedures. Documents and other materials provided to the
OIA will be handled in the same prudent manner as handled by those employees normally accountable
for them.
Appointment Changes
Action to appoint, demote or dismiss the USG CAO requires the approval of the BOR. Action to appoint,
demote, or dismiss ICAs requires the concurrence of the USG CAO.
Approved by the Board of Regents of the University System of Georgia on insert approval date here:
Sachin Shailendra. Date
Chair of the Board of Regents
Philip A. Wilheit Sr. Date
Chair of the Committee on Internal
Audit, Risk, and Compliance
Henry “Hank” M. Huckaby Date