Internal Audit Manual

This document outlines the audit manual for the Office of Internal Audits at Appalachian State University. It contains 8 sections that cover topics such as the internal audit activity, internal auditor responsibilities, audit processes, personnel, and identification of fraud. The manual establishes the internal audit function's independence, authority, responsibilities and standards of professional practice in accordance with The Institute of Internal Auditors' mandatory guidance. It provides policies and procedures to guide the internal audit work at Appalachian State University.

Uploaded by

A D'souza
Copyright
© All Rights Reserved

OFFICE OF INTERNAL AUDITS

APPALACHIAN STATE UNIVERSITY

AUDIT
MANUAL
December, 2013

AUDIT MANUAL

TABLE OF CONTENTS

SECTION 100  THE INTERNAL AUDIT ACTIVITY
100.1: Audit Activity Charter
100.2: Mission and Scope of Work
100.3: Definition of Internal Auditing
100.4: Role and Accountability
100.5: Professionalism
100.6: Authority
100.7: Organization
100.8: Independence and Objectivity
100.9: Responsibility
100.10: Reporting and Monitoring
100.11: Periodic Assessment
100.12: Audit Types and Services

SECTION 200  THE INTERNAL AUDITOR
200.1: Preserving Objectivity
200.2: Proficiency and Due Professional Care
200.3: Continuing Professional Development
200.4: Personal Conduct, Objectivity, and Confidentiality

SECTION 300  QUALITY ASSURANCE AND IMPROVEMENT PROGRAM
300.1: Quality Assurance and Improvement Program
300.2: Internal Assessments
300.3: External Assessments
300.4: Reporting on QAIP
300.5: OIA Performance Metrics

SECTION 400  ANNUAL AUDIT PLAN
400.1: Development Process
400.2: Approval Process and Annual Certifications

SECTION 500  AUDIT PROCESS
500.1: Planning
500.2: Entrance Conference
500.3: Risk Assessment in Engagement Planning
500.4: Establishing Objectives
500.5: Engagement Supervision
500.6: Audit Program
500.7: Fieldwork
500.8: Use of Personal Information in Conducting Engagements
500.9: Work Papers
500.10: Audit Report
500.11: Exit Conference
500.12: Audit Report Follow-Up
500.13: Granting Access to Engagement Records
500.14: Retention of Records

SECTION 600  PERSONNEL
600.1: Resource Management
600.2: Minimum Training and Experience
600.3: Chief Audit Officer
600.4: Assistant Director
600.5: Auditor
600.6: IT Auditor
600.7: Audit Assistant

SECTION 700  IDENTIFICATION OF FRAUD
700.1: Identification of Fraud
700.2: Internal Audit Activities and Fraud

SECTION 800  AUDIT COMMITTEE CHARTER

GLOSSARY

APPALACHIAN STATE UNIVERSITY OFFICE OF INTERNAL AUDITS

(SECTION 100)

THE INTERNAL AUDIT ACTIVITY


(100.1) AUDIT ACTIVITY CHARTER
Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013


IIA IPPF Standard 1000

The Office of Internal Audits (hereafter referred to as OIA) Audit Activity Charter is a
formal document that defines the internal audit activity's purpose, authority, and
responsibility. The internal audit charter establishes the internal audit activity's position
within the organization; authorizes access to records, personnel, and physical properties
relevant to the performance of engagements; and defines the scope of internal audit
activities. Final approval of the internal activity resides with the Board. The Chief Audit
Officer (hereafter referred to as CAO) must periodically review the internal audit charter
and present it to senior management and the ASU Board of Trustees for approval.
The most recent activity of the OIA was formally documented and updated by the CAO
and approved by the Chancellor, the Chair of the ASU Board of Trustees (hereafter
referred to as the ASU Board), and the Chair of the ASU Board Audit Committee
(hereafter referred to as the Audit Committee) on March 22, 2013. (See Section 100.2-100.11 for discussion of the components of the OIA Audit Activity Charter.)

(100.2) MISSION AND SCOPE OF WORK


Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013


NC GS 143.79143-745 through 749

The mission and scope of the OIA is consistent with The Institute of Internal Auditors'
International Professional Practices Framework (IPPF) definition of Internal Auditing.
Internal Auditing is an independent and objective assurance and consulting activity that
is designed to add value to improve the operations of Appalachian State University (the
University). The OIA assists the University in accomplishing its objectives through a
systematic and disciplined approach to evaluate and improve the effectiveness of the
organization's risk management, control, and governance processes.
Also, as a State Agency, the University is required by NC General Statute to establish a
program of internal auditing meeting the requirements of the statute and in
compliance with the current IIA International Standards for the Professional Practice of
Internal Auditing (the Standards). The University has established a program of internal
auditing that:
1. Promotes an effective system of internal controls that safeguards public funds
and assets and minimizes incidences of fraud, waste, and abuse.

2. Determines if programs and business operations are administered in compliance
with federal and state laws, regulations, and other requirements.
3. Reviews the effectiveness and efficiency of the University and program operations
and service delivery.
4. Periodically audits the University's major systems and controls, including:
a. Accounting systems and controls.
b. Administrative systems and controls.
c. Information technology systems and controls.

(100.3) DEFINITION OF INTERNAL AUDITING


Reference:

IIA IPPF

Internal auditing is an independent, objective assurance and consulting activity designed
to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.

(100.4) ROLE AND ACCOUNTABILITY


Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013

The internal audit activity is established by the Audit Committee. The OIA's
responsibilities are defined by the Audit Committee as part of its oversight role.

(100.5) PROFESSIONALISM
Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013


IIA IPPF

The OIA activity will be governed by The Institute of Internal Auditors' mandatory
guidance including the Definition of Internal Auditing, the Code of Ethics, and the
International Standards for the Professional Practice of Internal Auditing (Standards).
This mandatory guidance constitutes principles of the fundamental requirements for the
professional practice of internal auditing and for evaluating the effectiveness of the
internal audit activity's performance. A Quality Assurance and Improvement Program
(QAIP) is required to ascertain compliance with these Standards. The CAO is responsible
for implementing this program by conducting a thorough self-assessment to be followed
by an external independent validation.
The IIA Practice Advisories, Practice Guides, and Position Papers will also be adhered to
as applicable to guide operations. In addition, the OIA will adhere to Appalachian State
University's relevant policies and procedures and the standard operating procedures
manual (Audit Manual).


THE INSTITUTE OF INTERNAL AUDITORS


The Institute of Internal Auditors (IIA) is an international association established
in 1941, dedicated to the continuing professional development of the individual
internal auditor and the internal auditing profession, with members in the US and
around the world. The IIA is the internal audit profession's global voice,
standard-setter, and resource for professional development and certification.
The IPPF is the conceptual framework that organizes authoritative guidance
promulgated by The IIA. The IPPF consists of Mandatory Guidance and strongly
recommended guidance. The first category, Mandatory Guidance, consists of the
Definition of Internal Auditing, the Code of Ethics, and the Standards. The
second category, Practice Advisories (PA), consists of Attribute and Performance
Standards.
For further information on the IPPF, please visit The IIA website
(www.theiia.org).

THE IIA CODE OF ETHICS


Principles
Internal auditors are expected to apply and uphold the following principles
from The IIA.
1. Integrity: The integrity of internal auditors establishes trust and thus
provides the basis for reliance on their judgment.
2. Objectivity: Internal auditors exhibit the highest level of professional
objectivity in gathering, evaluating, and communicating information
about the activity or process being examined. Internal auditors make
a balanced assessment of all the relevant circumstances and are not
unduly influenced by their own interests or by others in forming
judgments.
3. Confidentiality: Internal auditors respect the value and ownership of
information they receive and do not disclose information without
appropriate authority unless there is a legal or professional obligation
to do so.
4. Competency: Internal auditors apply the knowledge, skills, and
experience needed in the performance of internal auditing services.

Rules of Conduct
1. Integrity: Internal auditors
1.1. Shall perform their work with honesty, diligence, and
responsibility.

1.2. Shall observe the law and make disclosures expected by the law
and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in
acts that are discreditable to the profession of internal auditing or
to the organization.
1.4. Shall respect and contribute to the legitimate and ethical
objectives of the organization.

2. Objectivity: Internal auditors


2.1. Shall not participate in any activity or relationship that may
impair or be presumed to impair their unbiased assessment. This
participation includes those activities or relationships that may be
in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to
impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not
disclosed, may distort the reporting of activities under review.

3. Confidentiality: Internal auditors


3.1. Shall be prudent in the use and protection of information
acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner
that would be contrary to the law or detrimental to the legitimate
and ethical objectives of the organization.

4. Competency: Internal auditors


4.1. Shall engage only in those services for which they have the
necessary knowledge, skills, and experience.
4.2. Shall perform internal auditing services in accordance with the
Standards for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness
and quality of their services.
The CAO will annually ask for written verification by the Auditor's Annual Code of Ethics
Statement from the OIA staff as to their understanding that they are expected to apply
and uphold the Code of Ethics as outlined above.
Upon commencement of employment with the University, all employees will complete an
online Statement of Confidentiality, indicating that he/she agrees to keep confidential
all student education records, employee personnel records, and other personally
identifiable information which is deemed to be confidential in accordance with applicable
state and federal law and standards, as well as ASU policies and regulations, and will
require that its officers, employees, subcontractors, and agents comply with the same.
ASU Password Manager (https://password.appstate.edu/pswdchgform/UniversityPolicies)
requires the ASU employee to review and agree to the Statement of
Confidentiality when establishing a campus network secure password for the first time,
and annually thereafter. Students, faculty, and staff at ASU must also read and agree to
the Computer User Policy to receive access to campus electronic services.

STANDARDS
The OIA adheres to the Standards of The IIA. The Standards are mandatory
requirements consisting of:

• Statements of basic requirements for the professional practice of internal auditing
  and for evaluating the effectiveness of performance, which are internationally
  applicable at organizational and individual levels.
• Interpretations, which clarify terms or concepts within the Statements.

For further information on the Standards, please visit The IIA website (www.theiia.org).
Best Practice recommendations of the Information Systems Audit and Control
Association (www.isaca.org), the Association of College and University Auditors
(www.acua.org) and the National Association of College and University Business
Officers (www.nacubo.org) are also considered in internal audits and reviews.

(100.6) AUTHORITY
Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013

The OIA, with strict accountability for confidentiality and safeguarding records and
information, is authorized full, free, and unrestricted access to any and all records,
physical properties, and personnel pertinent to carrying out any engagement in
accordance with NC General Statute 147-64.7 and Session Law 2010-194, Section 21.
All university employees are directed to assist the OIA in fulfilling its roles and
responsibilities upon request. The OIA will also have free and unrestricted access to the
Audit Committee.
The OIA is not authorized to perform operational duties for the University, initiate or
approve accounting or other transactions external to the internal audit office, nor direct
the activities of any university employee not employed by the OIA.

(100.7) ORGANIZATION
Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013

The CAO will report functionally to the Chair of the Audit Committee and administratively
(i.e., day to day operations) to the Chancellor. The CAO will communicate and interact
directly with the Audit Committee, including in executive sessions and between Audit
Committee meetings, as appropriate.
The Audit Committee shall be composed and organized in accordance with the Audit
Committee Charter (see section 800) as approved by the ASU Board from time to time.

(100.8) INDEPENDENCE AND OBJECTIVITY


Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013

The OIA should be free from interference in determining the scope of internal auditing,
performing work, and communicating results. To provide for the independence of the
OIA, its personnel should report to the CAO, who reports administratively to the
Chancellor and functionally to the Audit Committee. The CAO shall have full and
independent access to the Chancellor and the Audit Committee. The CAO will confirm to
the Audit Committee and the ASU Board, at least annually, the organizational
independence of the OIA.
Internal Auditors must exhibit the highest level of professional objectivity in gathering,
evaluating, and communicating information about the activity or process being
examined. Internal auditors must make a balanced assessment of all the relevant
circumstances and not be unduly influenced by their own interests or by others in
forming judgment.
Objectivity and independence are crucial to the duties of the OIA. Either may be
compromised if auditors participate directly in preparing records or accounting
transactions, designing systems and operations, or directing activities of any
organization personnel not employed by the OIA. Therefore, the OIA staff will serve
only in an advisory capacity in these matters.
The CAO will annually ask for written verification by the Auditor's Annual Independence
Statement from the OIA staff that they have reviewed their personal situations for any
possible personal impairment to their independence with respect to ASU. OIA staff
should understand their responsibility to make timely written notification to the CAO in
the event that any circumstance arises during the course of the year that might impair
or appear to impair their independence with respect to any audit.

(100.9) RESPONSIBILITY
Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013

The OIA is responsible for:

• Evaluating the means of safeguarding assets and, as appropriate, verifying the
  existence of such assets.
• Evaluating operations or programs to ascertain whether results are consistent
  with established objectives and goals and whether the operations or programs
  are being carried out as planned.
• Monitoring and evaluating the effectiveness of the organization's risk
  management processes.
• Evaluating the systems established to ensure compliance with those policies,
  plans, procedures, laws, and regulations which could have a significant impact on
  the organization.
• Assessing information security and information technology controls in all
  appropriate projects.
• Performing consulting and advisory services related to governance, risk
  management and control as appropriate for the organization.
• Maintaining a professional audit staff with sufficient knowledge, skills, experience,
  and professional certifications to meet the requirements of the Audit Activity
  Charter.
• Establishing a quality assurance and improvement program by which the CAO
  assures the operation of internal auditing activities.
• Issuing periodic reports summarizing results of audit activities to management,
  the Chancellor, and the Audit Committee.
• Keeping the Chancellor and Audit Committee informed of emerging trends and
  successful practices in internal auditing.
• Assisting and/or conducting the investigation of suspected fraudulent activities
  within the organization and notifying the Chancellor and the Audit Committee of
  the results.
• Serving as a liaison between University management and external auditors.
• As appropriate, providing consulting services to management that add value and
  promote the best interests of the organization.
• Developing a flexible annual audit plan using an appropriate risk-based
  methodology, including any risks or control concerns identified by management,
  and submitting that plan to the Chancellor and Audit Committee for review and
  approval as well as periodic updates.
• Implementing the annual audit plan, as approved, including any special tasks or
  projects requested by management and the Audit Committee.


(100.10) REPORTING AND MONITORING


Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013

A written report will be prepared and issued by the CAO or audit designee following the
conclusion of each internal audit engagement and will be distributed as appropriate.
Internal audit results will also be communicated to the Audit Committee and the ASU
Board. The OIA is responsible for appropriate follow-up on engagement findings and
recommendations.
The internal audit report may include management's response and corrective action to
be taken in regard to the specific findings and recommendations. Management's
response, whether included within the audit report or provided thereafter (e.g., within
thirty days) by management of the audited area, should include a timetable for
anticipated completion of action to be taken and an explanation for any corrective action
recommendations that will not be implemented.
The OIA will be responsible for appropriate follow-up on audit findings and
recommendations. All significant findings will remain in an open issues file until they are
cleared.

(100.11) PERIODIC ASSESSMENT


Reference:

Audit Activity Charter - Updated/Approved - 3/22/2013

The CAO will periodically report to the Chancellor and the Audit Committee on the OIA's
purpose, authority, and responsibility, as well as performance relative to its plan.
Reporting will also include significant risk exposures and control issues, including fraud
risks, governance issues, and other matters needed or requested by senior management
and the Audit Committee.
In addition, the CAO will communicate to the Chancellor and the Audit Committee on the
OIA quality assurance and improvement program, including results of ongoing internal
assessments and external assessments conducted at least every five years.
The most recent Quality Assurance Review (QAR) independent validation was completed
in July 2013 where the OIA received the most favorable rating of Generally Conforms.
Internal quality assessment will occur annually, and the next external quality
assessment is scheduled for July 2018.

(100.12) AUDIT TYPES AND SERVICES


In order to meet the responsibilities and objectives as set forth in the OIA Audit Activity
Charter, it is necessary for the OIA to perform reviews and audits of varying types and
scopes depending on the circumstances and requests from management.
Each fiscal year an annual audit plan is developed and submitted to the Audit Committee
for review and approval. The audit plan is based on a risk assessment methodology, as
well as requests from management (see Section 400). Audit services can be requested
by members of the University community through memos or email. The following types
of audit services are provided by the OIA.

AUDIT LIAISON OFFICER


The CAO serves as Audit Liaison Officer. In accordance with UNC General Administration
(UNCGA) requirements [Memorandum 8/14/2013], the CAO will notify the GA Deputy
Program Management Officer in the UNC FIT Program whenever any external audits or
other regulatory reviews are to be performed. This applies to audits from the Office of
State Auditor, external audits of Foundations and other associated entities of the
University, program reviews from the State Educational Assistance Authority, federal
compliance audits, and reviews by other regulatory entities. The CAO will be informed
by the Chancellor, deans, department heads, and officers of all Foundation and
associated entities of all external audits and reviews being conducted. Any reports and
related work papers resulting from these reviews will be accessible to the CAO for
follow-up.
Copies of all University audit findings and recommendations issued to management by
external auditors and investigators along with University responses shall be forwarded to
the OIA in a timely manner. During the period of resolution, the OIA monitors the
progress of the corrective action being implemented. Upon implementation of the
recommendation or other alternative action by management, the CAO performs
verification procedures to ensure that the stated plan of action has in fact been
implemented and issues a status report.

FINANCIAL AUDITS/REVIEWS


A financial audit is a review intended to serve as a basis for expressing an opinion
regarding the fairness, consistency, and conformity of financial information with
generally accepted accounting principles. Financial audits can be full or limited in scope,
depending on the objectives.
Financial audits that are limited in scope are normally performed by the OIA. These
audits can include a transaction cycle review of administrative systems such as
purchasing, payroll, and payables or a special examination of the financial activities of a
decentralized University department.
The North Carolina Office of the State Auditor normally performs the University's
financial audit. The State Auditors perform a full scope financial audit which consists of
a review of the financial statements of an entity of sufficient extent to express an
opinion on those statements. Such an audit is conducted in accordance with auditing
standards generally accepted in the United States of America and the standards
applicable to financial audits contained in Government Auditing Standards, issued by the
Comptroller General of the United States. Also, other external accounting firms perform
Foundation audits and other associated entity audits.

PERFORMANCE/OPERATIONAL AUDITS AND/OR REVIEWS


Performance/operational audits or reviews have a direct relationship to the University
departmental operations and activities. These audits/reviews assess risks and evaluate
internal controls of operational systems for departments, units, and functions of the
University. Operational audit objectives include determining whether operations are
functioning efficiently, effectively, and in accordance with management's intent. The
operational audit evaluates the use of resources available to the department, unit or
function to determine if management's objectives and goals are being met in the most
effective and efficient manner. Some areas of operational audits include: organizational
structure, asset management and security, staffing, and productivity.

COMPLIANCE AUDITS
A compliance audit measures the compliance of the client with Federal and State laws
and regulations, and/or University policies, such as Travel guidelines or Procurement
Card (P-Card) purchasing policies.

INFORMATION SYSTEM CONTROLS AUDITS

Information System Controls audits or reviews include reviews of information systems,
including general controls, application controls, and disaster recovery. They are
conducted to evaluate the quality of the controls and safeguards over the information
technology resources of the University. These audits normally consist of reviewing the
effective use of information technology resources, adherence to management's policies,
and encouraging the design and implementation of adequate controls over computer
applications and the computing environments in which they are used.

AUDITS/REVIEWS OF INTERNAL CONTROLS


Audits and reviews of internal control systems and processes include assessments and
testing of 1) UNC FIT required reporting (e.g., Departmental Budget Reconciliations), 2)
Campus-wide Fixed Assets, 3) Travel Disbursements, 4) Procurement Card Data
Analysis and Departmental Activity, and 5) Foundation Expenditure review.

AUDIT FINDINGS FOLLOW-UP


This includes reviews and procedures related to addressing and correcting audit findings
as a result of external audits as well as those from internal audit activity.

SPECIAL INVESTIGATIONS
These audits include investigations of internal and external hotline reports as well as any
similar types of investigations, regardless of the source. They are often requested by
management and focus on alleged, irregular conduct. Reasons for investigative audits
include: internal theft, misuse of State property, and/or conflicts of interest.

CONSULTATION/ADVISORY SERVICES


The OIA also provides routine consultation and advisory services to University
management.
This may include, but is not limited to, interpreting policies and
procedures, participation on standing committees, limited-life projects, ad-hoc meetings,
and routine information exchange. Advisory and consulting engagements include review
of existing business processes and strategies, as well as implementations. It also
includes evaluation and advice on policies, procedures, process enhancements, and any
management requests for reviews of areas considered mutually critical.

YEAR-END WORK STATE AUDITORS

The OIA provides assistance to the NC State Auditors and other external auditors
conducting audits of the University, Foundation, and other associated entities of the
University. The OIA conducts and/or compiles the following:

• Petty Cash Counts and Bank Certifications
• Listing of Audit Engagements
• Receipt Book Inventory Testing and Verifications
• Fixed Assets Inventory Verifications
• Foundation Expenditure Reviews

OTHER
Other special projects may be performed by the OIA as delegated by the UNCGA, the
ASU Board, the University Chancellor, or other University management.


(SECTION 200)

THE INTERNAL AUDITOR


(200.1) PRESERVING OBJECTIVITY
Reference:

PA-1120-1, PA-1130-1, PA-1130.A1.1, PA-1130.A2.1

IIA IPPF Standard 1100 states, "The internal audit activity must be independent, and
internal auditors must be objective in performing their work." Standard 1120 states that
the individual auditor achieves objectivity when they have an impartial, unbiased
attitude and avoid any conflict of interest. The following steps should be taken to help
preserve objectivity:
1. Internal auditors should not be placed in situations where they feel unable to
make objective professional judgments.
2. The CAO should query the internal audit staff on a yearly basis concerning
potential conflicts of interest and bias and make staff assignments accordingly to
avoid potential problems.
3. Staff assignments should be rotated periodically.
4. Audit results should be reviewed to provide reasonable assurance that the work
was performed objectively before communications resulting from the engagement
are released.
5. Internal auditors should not accept fees or gifts from employees, clients,
vendors, or business associates. To do so is considered unethical and may create
the appearance of impaired objectivity. Internal auditors should report the
receipt of all material fees or gifts immediately to the CAO.
6. The internal audit staff should notify the CAO if at any time they determine or
perceive their objectivity has been impaired. If the CAO determines a staff
member's objectivity has been impaired, the CAO will notify the appropriate
parties and will reassign the auditor.
7. Internal auditors are required to wait at least one year before providing
assurance in areas for which they were previously responsible. This includes
persons who are transferred to or temporarily engaged by internal audit.
8. Internal auditors should not assume operating responsibilities of the University.
9. Internal auditors should inform the CAO about any relatives or close friends that
might impair their independence when starting an audit of a particular area.

(Section 200) Operating Policy

(200.2) PROFICIENCY AND DUE PROFESSIONAL CARE


Reference:

PA-1210-1, PA-1220-1

IIA IPPF Standard 1200 requires that engagements must be performed with proficiency
and due professional care. Proficiency refers to the internal auditor's possession of the
knowledge, skills, and other competencies needed to fulfill their individual
responsibilities. Due professional care is described in terms of applying the care and
skill expected of a reasonably prudent and competent internal auditor and does not
imply infallibility.
1. Professional proficiency is the responsibility of the CAO and each internal auditor.
The CAO should ensure that persons assigned to each engagement collectively
possess the necessary knowledge, skills, and other competencies to conduct the
engagement properly.
2. Internal auditors should possess certain knowledge, skills, and other
competencies to include:
a. Proficiency in applying internal auditing standards, procedures, and
techniques without extensive recourse to technical research and assistance.
b. Proficiency in accounting principles and techniques when working with
financial records and reports.
c. Knowledge to identify the indicators of fraud.
d. Knowledge of key IT risks and controls and available technology-based audit
techniques.
e. An understanding of management principles to recognize and evaluate the
materiality and significance of deviations from good business practices.
f. An appreciation of the fundamentals of subjects such as accounting,
economics, commercial law, taxation, finance, quantitative methods, and
information technology.
g. Skill in dealing with people and in communicating effectively. Internal
auditors should understand human relations and maintain satisfactory
relationships with engagement clients.
h. Skill in oral and written communications in order to clearly and effectively
convey such matters as engagement objectives, evaluations, conclusions, and
recommendations.
3. Due professional care calls for the application of the care and skill expected of a
reasonably prudent and competent internal auditor in the same or similar
circumstances.
Professional care should, therefore, be appropriate to the
complexities of the engagement being performed. In exercising due professional
care, internal auditors should be alert to the possibility of intentional wrongdoing,
errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of
interest. They should also be alert to those conditions and activities where
irregularities are most likely to occur.
In addition, they should identify
inadequate controls and recommend improvements to promote compliance with
acceptable procedures and practices.
4. Due care implies reasonable care and competence, not infallibility or
extraordinary performance.
Due care requires the auditor to conduct
examinations and verifications to a reasonable extent, but does not require
detailed reviews of all transactions. Accordingly, internal auditors cannot give
absolute assurance that noncompliance or irregularities do not exist.
Nevertheless, the possibility of material irregularities or noncompliance needs to
be considered whenever an internal auditor undertakes an internal audit
assignment.

(200.3) CONTINUING PROFESSIONAL DEVELOPMENT


Reference: PA-1230-1

Internal auditors must enhance their knowledge, skills, and other competencies through
continuing professional development.
1. Internal auditors are responsible for continuing their education in order to
maintain their proficiency. They should keep informed about improvements and
current developments in internal auditing standards, procedures, and techniques.
Continuing education may be obtained through membership and participation in
professional societies and attendance at conferences, seminars, college courses,
and in-house training programs.
2. Internal auditors not presently holding certifications are encouraged to pursue an
educational program that supports their effort to obtain professional
certifications; and to demonstrate their proficiency by obtaining appropriate
professional certification, such as CIA, CISA, CPA, or CFE.
3. Internal auditors with professional certifications should obtain sufficient
continuing professional education to satisfy requirements related to professional
certifications held.
4. The internal audit staff is required to record any training they receive such as
seminars, conferences, and in-house training programs for each fiscal year.

(200.4) PERSONAL CONDUCT, OBJECTIVITY, AND CONFIDENTIALITY

Reference: The IIA's Code of Ethics

In the promotion of a sound ethical culture in the internal audit activity, all internal
auditors are expected to abide by The IIA's Code of Ethics, specifically including the four
principles of Integrity, Objectivity, Confidentiality, and Competency as set out in the
Code. [See Section 100.5.]

In addition, the following guidelines are established for the internal auditor regarding
personal conduct and objectivity, and the confidentiality of internal audit or business
information acquired through internal audit assignments.

As a member of the internal auditing staff, you are representing the highest level
of management. Conduct yourself in a manner that reflects favorably upon you
and those you represent.
You are expected to exercise professional skill,
integrity, maturity of behavior, and tact in your relations with others.
In general, you are encouraged to be friendly, yet professional, with all university
employees without affecting your objectivity. You should guard against any
conduct or mannerisms that present an impression that you consider yourself
superior to any employee. Acknowledge that the client is an expert concerning
their job and area of operations and never imply or communicate that you know
the client's work better than they do. As far as possible, take the position of an
independent/objective analyst and advisor. Avoid the image of policing.

In the course of your assignments, you will be in contact with personnel at all
levels of authority and position. At all times, independence in mental attitude is
to be maintained. Reports resulting from your efforts should always contain full
and unbiased disclosure of all but minor audit findings. Although you report to
the internal auditing activity, you have responsibilities to both management and
the personnel being audited.

Much of your work is confidential; therefore, be discreet on and off the job in
discussing current or past audits or your assessments of internal audit clients.
Judgment should be exercised in the security of internal audit workpapers,
programs, company records, and information at all times.

Never indiscreetly discuss confidential information learned in general job duties
such as system changes, reduced working hours, or possible personnel layoffs.

(SECTION 300)

QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

(300.1) QUALITY ASSURANCE AND IMPROVEMENT PROGRAM

Reference: PA-1310-1

A Quality Assurance and Improvement Program (QAIP) is an ongoing and periodic
assessment of the entire spectrum of audit and consulting work performed by the
internal audit activity. These ongoing and periodic assessments are composed of
rigorous, comprehensive processes; continuous supervision and testing of internal audit
and consulting work; and periodic validations of conformance with the Definition of
Internal Auditing, the Code of Ethics, and the Standards. This also includes ongoing
measurements and analyses of performance metrics (e.g., internal audit plan
accomplishment, cycle time, level of staff training and certification, recommendations
accepted, and customer satisfaction). If the assessments' results indicate areas for
improvement by the internal audit activity, the CAO will implement the improvements
through the QAIP.
The CAO is ultimately responsible for the QAIP, which covers all types of OIA activities,
including consulting.

(300.2) INTERNAL ASSESSMENTS


Reference: PA-1311-1
Quality Assessment Manual - 6th Edition pg. 79-80

Internal assessments must include:


1. Ongoing monitoring of the performance of the internal audit activity; and
2. Periodic reviews conducted to evaluate conformance with the Definition of
Internal Auditing, the Code of Ethics, and the Standards.
Ongoing monitoring is conducted through:
- Supervision of engagements by the CAO.
- Development of audit policies and procedures to be used for each
  engagement to ensure compliance with applicable planning, fieldwork and
  reporting standards.
- Feedback from engagement evaluations submitted by clients.
- Circulation of completed work papers and reports for peer review and
  comment.
- Discussion of work progress at each internal staff meeting, to include sharing
  of ideas and concerns.
- Approval of all final reports and recommendations by the CAO.

Periodic assessments will be conducted through:
- Annual risk assessments for purposes of annual audit planning.
- Semi-annual work paper reviews for performance in accordance with internal
  audit policies and with the Standards (using Tool 17 of IIA QAR Manual).
- Periodic activity and performance reporting to the Chancellor and the Audit
  Committee.
- Development of metrics and benchmarks to assess performance relative to
  expectations and standards.

(300.3) EXTERNAL ASSESSMENTS


Reference: Quality Assessment Manual - 6th Edition pg. 80

External assessments will appraise and express an opinion about OIA's conformance
with the Standards and include recommendations for improvement, as appropriate.
An external assessment is required by IIA Standards to be performed, at a minimum,
every five years. The CAO will coordinate with the appropriate university and external
agencies to fund, plan, prepare and execute the QAR.
The external assessment will consist of a broad scope of coverage that includes the
following elements of OIA's activity:
- Conformance with the Standards, the Code of Ethics, and the OIA's audit activity
  charter, policies, procedures, practices, and any applicable legislative and
  regulatory requirements.
- Expectations of Internal Audit as expressed by the Board of Trustees, Chancellor
  and Vice Chancellors, and other senior leaders of the University.
- Integration of the OIA activity into the University's governance process (including
  alignment of audit plans with University goals).
- Tools and techniques used by OIA.
- The mix of knowledge, experiences, and disciplines within the staff, including
  staff focus on process improvement.
- A determination of whether OIA adds value and improves the University's
  operations.

The North Carolina Internal Audit Act of 2007 establishes basic standards for external
evaluations. Implementing guidance from the Council on Internal Auditing is published
in their IA Manual (www.osbm.state.nc.us).

(300.4) REPORTING ON QAIP


Internal Assessments - Results of internal assessments will be reported to the Audit
Committee and to the Chancellor at least annually.
External Assessments - Results of external assessments will be provided to the Audit
Committee and to the Chancellor. The external assessment report will be accompanied
by a written action plan in response to significant comments and recommendations
contained in the report.
Follow-up - The CAO will monitor appropriate follow-up actions to ensure that
recommendations made in the report and action plans developed are implemented in a
reasonable timeframe.
Disclosure of Noncompliance - Should the situation arise, the CAO will communicate
to the Audit Committee and to the Chancellor the facts and impacts of noncompliance
with external assessment standards.

(300.5) OIA PERFORMANCE METRICS


The CAO will attempt to evaluate ongoing measurements and analyses of performance
metrics relative to the following areas:
1. Customer Perspective:
a. Improve awareness of OIA functions and capabilities
b. Improve satisfaction with OIA services
2. Audit Environment Perspective:
a. Improve operational effectiveness and efficiency of reviewed processes and
units
b. Develop and execute a risk-based annual audit plan
3. Internal Business Processes Perspective:
a. Meet or exceed performance standards of the IIA
b. Execute annual spending plan within assigned targets
4. Learning and Growth Perspective:
a. Obtain and maintain professional certification for each staff member
b. Provide adequate and appropriate training opportunities for each staff
member

(SECTION 400)

ANNUAL AUDIT PLAN


(400.1) DEVELOPMENT PROCESS
The OIA shall develop and maintain an annual audit plan containing the projected
workload for the Internal Audits staff. The audit plan will be developed based on a risk
assessment conducted each year by the CAO with input from the campus community
and others. The CAO will solicit input from the Chancellor, Vice Chancellors, deans,
directors, external auditors (e.g., State Auditors) and others by conducting interviews
and formal memoranda documenting requested risk questionnaires.
Risk assessments may be based on:
- History of problems: A history of weak controls, problems in recent audits, and
  other issues may increase risk.
- Regulatory compliance and public scrutiny: High public interest and a large
  volume of regulatory requirements may increase risk.
- Reliance on information technology: Heavy reliance on information
  technology may increase risk for newly implemented processes, especially if
  those processes are locally developed and used by inexperienced staff.
- Dollar volume and liquidity of assets: A large dollar volume flowing through
  a department or unit and a high liquidity of assets generally increases risk.
- Organization stability and changes: Significant organizational changes and
  lack of continuity in personnel may mean the control system is less effective than
  in prior periods.

Other sources to consider are ideas from the audit staff, knowledge of the mission
functions, and external audit information.
The UNCGA requires that all North Carolina Universities submit their audit plans in a
universally prescribed format which divides the audits into categories of: financial
audits, information system controls, audits/reviews of internal controls,
performance/operational audits, compliance audits, audit follow-ups, special
investigations, and special assignments.

(400.2) APPROVAL PROCESS AND ANNUAL CERTIFICATIONS


Certification: Audit Committee Certification Letter
CAO Certification Letter
The annual audit plan is reviewed and approved by the Audit Committee each year. The
approved audit plan is then submitted to UNCGA along with annual certifications signed
by the CAO of Internal Audits and the chairperson of the Audit Committee.
Also during this meeting, the prior year's audit plan and the results accomplished during
the prior year are discussed. This discussion encompasses all audit work completed for
the prior year. All significant findings and their resolutions are also discussed. This prior
year audit plan and results (including significant findings and resolutions) is submitted to
the Office of State Budget and Management's Council of Internal Auditing each year.

Certification Letter for Board of Trustees


Date
[Name of the Board of Governors Chair]
UNC Board of Governors
P.O. Box 2688
Chapel Hill, North Carolina 27515-2688
Dear _____:
In accordance with the Best Financial Practices Guidelines adopted by the Board of
Governors in November 2005, I confirm that the Board of Trustees (BOT) Audit
Committee of Appalachian State University is in compliance with the following (any
exceptions must be identified and explained in an accompanying statement):
1. Met at least four times this year.
2. Reviewed the results of the annual financial audit with representatives of the
   State Auditor's Office and discussed corrective actions, if needed.
3. Discussed the results of any other audit performed and report/management
   letter (i.e., information system audits, investigative audits, etc.) issued by the
   North Carolina Office of the State Auditor with the State Auditor, the Chief
   Audit Officer (CAO) of Internal Audits or appropriate campus official.
4. For any audit finding contained within a report or management letter issued
   by the State Auditor, reviewed the institution's corrective action plan and the
   report of the internal auditor on whether or not the institution has made
   satisfactory progress in resolving the deficiencies noted, in accordance with
   North Carolina General Statute 116-30.1 as amended.
5. Reviewed all audits and management letter of University Associated Entities
   as defined in Section 600.2.5.2 [R] of the UNC Policy Manual.
6. Received and reviewed quarterly or four reports from the institution's CAO of
   Internal Audit that, at a minimum, reported material (significant) reportable
   conditions, the institution's corrective action plan for these conditions and a
   report once these conditions had been corrected.
7. Received, reviewed, and approved, at the beginning of the audit cycle, the
   annual audit plan for the Office of Internal Audits department.
8. Received and reviewed, at the end of the audit cycle, a comparison of the
   annual audit plan with internal audits performed by the internal audit
   department.

I further attest to the following:


1. The institution's CAO of Internal Audits reports directly (administratively) to
   the Chancellor with a clear and recognized functional reporting relationship to
   the chair of the BOT Audit Committee.
2. The Audit Committee charter defines appropriate roles and responsibilities.
   One of these responsibilities is the assurance that the institution is performing
   self-assessments of operating risks and evaluations of internal controls on a
   regular basis.
3. Internal audit functions are carried out in a way that meets professional
   standards.
4. The institution's CAO forwarded copies of both the approved audit plan and
   the summary of internal audit results, including any reportable conditions and
   how they were addressed, to UNC General Administration in the prescribed
   format.

_______________________________
[Name of the BOT Chair]
Chair of BOT Audit Committee

Certification Letter for Audit CAO


Date
[Name of Board of Governors Chair]
UNC Board of Governors
P.O. Box 2688
Chapel Hill, North Carolina 27515-2688
Dear _____:
As Chief Audit Officer (CAO) of Internal Audits at Appalachian State University, I confirm
that we are in compliance with the following (any exceptions must be identified and
explained in an accompanying statement):
1. Met and updated the BOT Audit Committee at least four times this year.
2. Attended the financial audit exit conference conducted by the State Auditor's Office.
3. Discussed the results of any other audit performed and report/management letter
   (i.e., information system audits, investigative audits, etc.) issued by the North
   Carolina Office of the State Auditor with either the State Auditor's Office or
   appropriate campus official.
4. I report directly (administratively) to the Chancellor with a clear and recognized
   functional reporting relationship to the chair of the BOT Audit Committee.
5. The audit plan was constructed with the consideration of risk and potential internal
   control deficiencies and included any audits outlined by the UNC General
   Administration (UNCGA).
6. Ensured that all internal audits were planned, documented and executed in
   accordance with professional standards.
7. Forwarded copies of both the approved audit plan and the summary of internal audit
   results to UNCGA in the prescribed format and updated the BOT Audit Committee for
   completion.

_____________________________
[Name of CAO]
CAO of Internal Audits

(SECTION 500)

AUDIT PROCESS
(500.1) PLANNING
Reference: PA-2200-1
Templates: Audit Engagement Memo, ASU IIA Standards Checklist Template

The internal auditor plans and conducts the engagement, with supervisory review and
approval.
During the planning portion of the audit, the auditor notifies the client of the audit by
sending an Audit Engagement Memo which identifies the audit purpose and time
period covered by the audit. It also notifies the client of certain documentation that will
be requested and lets them know that an entrance conference will be scheduled to
communicate the details of the planned audit.
During the planning portion of the audit, the auditor also discusses the scope and
objectives of the audit in a formal meeting with organization management, gathers
information on important processes, evaluates existing controls, prepares the audit
program, and plans the remaining audit steps.
As part of OIA's QAIP, the CAO has established an internal audit activity whose scope of
work includes the activities in the Standards and in the Definition of Internal Auditing.
To ensure that this occurs, the CAO has implemented the ASU IIA Standards Checklist
Template to determine IIA Standards compliance with every engagement in the areas
of Independence and Objectivity, Planning, Fieldwork, Reporting, and Monitoring
Progress.

(500.2) ENTRANCE CONFERENCE


Template: Preliminary Survey Questionnaire

An entrance conference should be scheduled early in the planning stages of an audit.
The auditor-in-charge is responsible for scheduling this meeting with the audit client's
management and key supervisory personnel. The CAO should also be in attendance.
This meeting should set the tone for the audit as well as explain the scope and
objectives of the audit. The timing of the engagement work should be discussed and it
should also be explained how audit findings and other issues will be handled. The client
should have the opportunity to provide a description of their department, available
resources (such as personnel, facilities, equipment, systems) and other relevant
information as well as any issues or concerns they may have. As a result of the
entrance conference, the auditor will complete the Preliminary Survey Questionnaire.
This form will be used to document the entrance conference as well as document
identified problems or concerns, identified risks and address the probability of significant
errors, fraud, and noncompliance. The responses will also be used to determine the
critical internal controls that will be evaluated during the audit.

(500.3) RISK ASSESSMENT IN ENGAGEMENT PLANNING


Reference: PA-2210.A1-1
Template: Risk Assessment in Engagement Planning

The auditor must conduct a preliminary assessment of the risks relevant to the activity
under review. Engagement objectives must reflect the results of this assessment. The
auditor also considers:
- Management's assessment of risks relevant to the activity under review.
- The reliability of management's assessment of risk.
- Management's process for monitoring, reporting, and resolving risk and control
  issues.

The auditor obtains or updates background information about the activities to be
reviewed to determine the impact on the engagement objectives and scope. During the
entrance conference, the auditor conducts a survey to become familiar with the
activities, risks, and controls to identify areas for engagement emphasis, and to invite
comments and suggestions from engagement clients. Using the Risk Assessment in
Engagement Planning template, the auditor summarizes the results from the reviews of
management's assessment of risk, the background information, and any survey work.
The summary includes:
- Significant engagement issues and reasons for pursuing them in more depth.
- Engagement objectives and procedures.
- Methodologies to be used, such as technology-based audit and sampling
  techniques.
- Potential critical control points, control deficiencies, and/or excess controls.

(500.4) ESTABLISHING OBJECTIVES


Reference: PA-2210-1

Objectives must be established for each engagement. The auditor establishes
engagement objectives to address the risks associated with the activity under review.
For planned engagements, the objectives proceed and align to those initially identified
during the risk assessment process from which the internal audit plan is derived. For
unplanned engagements, the objectives are established prior to the start of the
engagement and are designed to address the specific issue that prompted the
engagement. The risk assessment during the engagement's planning phase is used to
further define the initial objectives and identify other significant areas of concern. (See
section 500.3). After identifying the risks, the auditor determines the procedures to be
performed and the scope (nature, timing, and extent) of those procedures. Engagement
procedures performed in appropriate scope are the means to derive conclusions related
to the engagement objectives.

(500.5) ENGAGEMENT SUPERVISION


Engagements must be properly supervised to ensure objectives are achieved, quality is
assured, and staff is developed. The extent of supervision required will depend on the
proficiency and experience of the auditors and the complexity of the engagement. The
CAO has overall responsibility for supervising the engagement, whether performed by or
for the internal audit activity, but may designate appropriately experienced members of
the internal audit activity to perform the review. Appropriate evidence of supervision is
documented and retained.
Supervision is a process that begins with planning and continues throughout the
engagement. The process includes:
- Ensuring designated auditors collectively possess the required knowledge, skills,
  and other competencies to perform the engagement.
- Providing appropriate instructions during the planning of the engagement and
  approving the engagement program.
- Ensuring the approved engagement program is completed unless changes are
  justified and authorized.
- Determining engagement working papers adequately support engagement
  observations, conclusions, and recommendations.
- Ensuring engagement communications are accurate, objective, clear, concise,
  constructive, and timely.
- Ensuring engagement objectives are met.
- Providing opportunities for developing internal auditors' knowledge, skills, and
  other competencies.

The CAO is responsible for all internal audit engagements, whether performed by or for
the internal audit activity, and all significant professional judgments made throughout
the engagement.
All engagement working papers are reviewed to ensure they support engagement
communications and necessary audit procedures are performed.
Evidence of
supervisory review consists of the reviewer initialing and dating each working paper
after it is reviewed. Other techniques that provide evidence of supervisory review
include completing an engagement working paper review checklist or preparing a
memorandum specifying the nature, extent, and results of the review.
Engagement supervision also allows for training and development of staff and
performance evaluation.

(500.6) AUDIT PROGRAM


Reference: PA-2240-1
Template: Engagement Work Program

The audit program establishes the procedures necessary to complete an efficient and
effective audit. It includes a detailed plan of the work to be performed as well as the
steps required to achieve the audit objectives.
The work program also includes
methodologies to be used, such as technology-based audit and sampling techniques.
There should be sufficient detail for less experienced staff to perform the steps; however
it should not be overly detailed whereby it might cause auditors to execute steps
routinely and override their judgment. The audit program also offers a place to
document expected target and actual dates for starting and completing the
engagement. Total audit hours will also be documented on the audit program.
A well designed audit program provides an outline of the work to be performed,
encouraging a thorough understanding of the department being audited. It acts as a
guide for assigning work and thereby controlling the project from beginning to end. It
creates documentation and evidence that the work was completed.
It assists
management's review to ensure quality. It assures management that all risk areas were
adequately addressed.
The program should be prepared before the beginning of the fieldwork and approved by
the CAO. Audit programs are not set in stone and therefore are modified during the
course of the audit depending on test results or new information obtained, with the
CAO's approval.
A template for the Engagement Work Program is provided at M:Audit Administrative
Info/ASU.OIA Templates/ASU.OIA Audit File Templates/Engagement Work Program.

(500.7) FIELDWORK
Fieldwork is the process of gathering evidence and analyzing and evaluating that
evidence as identified in the planning stage of the audit.
The purpose of fieldwork is to accumulate sufficient, reliable, relevant, and useful
evidence to reach a conclusion concerning the performance expectations, and to support
the audit comments and recommendations. Audit evidence is sufficient when it is
factual and would convince an informed person to reach the same conclusion. Evidence
is reliable if it consistently produces the same outcomes. It is relevant when it is directly
related to the audit comments, recommendations, and conclusions. Useful information
supports the audit comments and recommendations.

(500.8) USE OF PERSONAL INFORMATION IN CONDUCTING ENGAGEMENTS

Reference: PA-2300-1
ASU website (https://password.appstate.edu/pswdchgform/UniversityPolicies.aspx)
Certification: Statement of Confidentiality
Auditors need to consider concerns relating to the protection of personally identifiable
information gathered during audit engagements as advances in information technology
and communications continue to present privacy risks and threats. Privacy controls are
legal requirements in many jurisdictions. Personal information generally refers to data
associated with a specific individual or data that has identifying characteristics that may
be combined with other information. It includes any factual or subjective information,
recorded or not, in any form or media. Personal information includes:
- Name, address, identification numbers, income, blood type.
- Evaluations, social status, disciplinary actions.
- Employee files and credit and loan records.
- Employee health and medical data.

In many jurisdictions, laws require organizations to identify the purposes for which
personal information is collected at or before the time of collection. These laws also
prohibit using and disclosing personal information for purposes other than those for
which it was collected except with the individual's consent or as required by law. It is
important that internal auditors understand and comply with all laws regarding the use
of personal information in their jurisdiction. If the internal auditor accesses personal
information, it may be necessary to develop procedures to safeguard this information.
For example, the internal auditor may decide not to record personal information in
engagement records in some situations. The internal auditor may seek advice from
legal counsel before beginning audit work if there are questions or concerns about
access to personal information.
Appalachian State University maintains strict confidentiality requirements and
regulations in compliance with the Gramm-Leach-Bliley Act (GLBA), Family Educational
Rights and Privacy Act of 1974 as amended (FERPA), and the Health Insurance
Portability and Accountability Act (HIPAA) in addition to other federal and state laws.
These laws pertain to the security and privacy of all non-public information that may be
considered confidential or sensitive including student information, employee
information, and general University information whether it is in hard copy or electronic
form.
All University employees are required to read and agree to the online Statement of
Confidentiality. The review and agreement to this policy is required when establishing
a secure password for the first time and annually thereafter.

(500.9) WORK PAPERS
Reference: PA-2330-1
Template: Tickmark Legend

Internal auditors must document relevant information to support the conclusions and
engagement results. Work papers document the information obtained, the analyses
made, and the support for the conclusions and engagement results. The CAO reviews
the prepared work papers. Engagement work papers generally:
Aid in the planning, performance, and review of engagements.

Provide the principal support for engagement results.

Document whether engagement objectives were achieved.

Support the accuracy and completeness of the work performed.

Provide a basis for the internal audit activity's quality assurance and
improvement program.

To encourage consistency across the staff, the CAO has established a Tickmark Legend
defining certain tickmarks that will be used in audit testing.
Work papers should be:
Legible and neatly prepared.

Understandable without the need for detailed supplementary oral explanations.

Restricted to matters that are materially important and relevant to the objectives
of the assignment.

Information should be clear and complete, yet concise. Normally, each work paper
should be limited to only one subject and only one side of the paper should be used.
Unnecessary or irrelevant work papers should not be prepared or kept in the files.
Each set of work papers should contain sections for purpose, source, scope, and
conclusion. As applicable, include the elements of criteria, methodology, condition,
cause, effect and recommendation in the appropriate section.
1. Purpose: The purpose section of the work papers explains why auditors are
doing the audit work and what the auditors are trying to accomplish.
2. Source: The work papers should tell the reader where the auditors obtained the
information. Auditors should provide enough detail to permit an independent
reviewer to find the source of the information recorded in the work paper without
assistance.
3. Scope: The work papers should also define the parameters of the information
gathered and how the auditors did the work. It provides things such as the total
number of items available for selection and the number selected, the basis for
choosing what the auditors examined, or the period covered.

4. Conclusion: Auditors draw conclusions by analyzing and interpreting the results
of conversations, observations, tests, analyses, information obtained, and other
related facts. These conclusions should be documented in the work papers.

(500.10) AUDIT REPORT
Reference: PA-2410-1

The principal product of an audit is the final report in which the auditor expresses an
opinion, presents the audit findings, and discusses recommendations for improvement.
To facilitate communication and ensure that the recommendations presented in the final
report are practical, the auditor should discuss the rough draft with the client prior to
issuing the final report.
Audit reports are to contain, at a minimum, the purpose, scope, and results of the
engagement:
1. Purpose statements describe the engagement objectives and may inform the
reader why the engagement was conducted and what it was expected to achieve.
2. Scope statements identify the audited activities and may include supportive
information such as time period reviewed and related activities not reviewed to
delineate the boundaries of the engagement. They may describe the nature and
extent of engagement work performed.
3. Results can include findings or recommendations and action plans.
a. Audit Findings should include the nature of the findings, the criteria used
to determine the existence of the condition, the root cause of the
condition, the significance of its impact, and what the internal auditors
(with management's input) recommend should be done to improve the
situation. Fully developed findings are easily understood, convey impact
and significance to appropriate management, and enhance the likelihood
and sustainability of improvement action. The internal auditor may
communicate less significant observations or recommendations informally
as oral findings or best practice recommendations.
b. Recommendations and action plans are based on the internal auditor's
findings. They call for action to correct existing conditions or improve
operations and may suggest approaches to correcting or enhancing
performance as a guide for management in achieving desired results.
Recommendations can be general or specific. For example, under some
circumstances, the internal auditor may recommend a general course of
action and specific suggestions for implementation. In other
circumstances, the internal auditor may suggest further investigation or
study.

Audit reports may also include background information and summaries. Background
information may identify the organizational units and activities reviewed and provide
explanatory information.
The internal auditor may communicate engagement client accomplishments or notable
strengths, in terms of improvements since the last engagement or the establishment of
a well-controlled operation. This information may be necessary to fairly present the
existing conditions and to provide perspective and balance to the engagement final
communications.
The internal auditor may communicate the engagement client's views about the internal
auditor's conclusions, opinions, or recommendations as a response to the auditor's
finding.
Certain information is not appropriate for disclosure to all report recipients because it is
privileged, proprietary, or related to improper or illegal acts. Disclose such information
in a separate report. Distribute the report to the Board if the conditions being reported
involve senior management.
The CAO should review and approve the final audit report. The CAO and the auditor-in-charge of the engagement should sign all final reports.
The final audit report is addressed to the Vice Chancellor who is responsible for the
department being audited. A copy is sent to the management of the department in
addition to the Chancellor. The Board of Trustees Audit Committee receives a copy at
the quarterly Audit Committee meeting. Copies of all audit reports are also sent to the
Council of Internal Auditing (part of the North Carolina Office of State Budget and
Management), UNCGA, and the State Auditor's Office.

(500.11) EXIT CONFERENCE
Reference: PA-2440-1

The internal auditor-in-charge is responsible for scheduling the exit conference before
the CAO issues the final engagement communications. The goal is to have
knowledgeable and accountable audit, client, supervisory, and management personnel
attend the meeting who can make decisions and implement agreed improvements. The
CAO and the auditor-in-charge as well as any staff auditors the CAO deems necessary
should also attend the exit conference. The purpose of the exit conference is to inform
management of the audit results and the report process, reach final agreement on
findings, and finalize planned improvement actions. Management can also provide an
update on any actions already taken.
Management of the audited activity should have an opportunity to review a draft of the
engagement issues, observations, and recommendations. These discussions and
reviews help avoid misunderstandings or misinterpretations of fact by providing the
opportunity for the engagement client to clarify specific items and express views about
the observations, conclusions, and recommendations.

(500.12) AUDIT REPORT FOLLOW-UP
Reference: PA-2500-1, PA-2500.A1-1

The CAO maintains a spreadsheet to monitor the disposition of findings communicated to
management (located in M:Audit Administrative Info/ASU Finding Follow-up). If certain
reported findings are significant enough to require immediate action by management or
the Board, the internal audit activity monitors actions taken until the observation is
corrected or the recommendation implemented.
The internal audit activity may effectively monitor progress by:
Addressing engagement findings to appropriate levels of management
responsible for taking action.

Receiving and evaluating management responses and proposed action plan to
engagement findings during the engagement or within 15 days after the
engagement results are communicated.

Receiving periodic updates from management to evaluate the status of its efforts
to correct observations and/or implement recommendations.

Reporting to senior management and/or the Board on the status of responses to
engagement findings.

The CAO schedules follow-up activities as part of developing engagement work
schedules. A follow-up audit should be scheduled for any audit that had significant
findings within six months to one year after the issuance of the final audit report.
Follow-up is a process by which internal auditors evaluate the adequacy, effectiveness,
and timeliness of actions taken by management on reported findings, including those
made by external auditors and others. This process also includes determining whether
senior management and/or the Board have assumed the risk of not taking corrective
action on reported observations. Follow-up audits involve inquiry of management and
usually some limited test work. Follow-up audit reports outline the findings that have
been completely resolved, those that are partially resolved, and the outstanding or new
items that have not been addressed. Follow-up activities should be appropriately
documented.
Follow-up audits for State Audit reports are required to be completed within 90 days of
the issuance of the final report.

(500.13) GRANTING ACCESS TO ENGAGEMENT RECORDS


All reporting from the OIA should include the following footer:
This document and related work papers may be subject to the North Carolina Public Records Act
(NC Gen Stat 132-1 et seq. and NC Gen Stat 116-40.7). The office of record for this document is
the Office of Internal Audits. Please refer requests for release to this office. Release of copies to
parties external to the University should be coordinated with the Office of Internal Audits.

(500.14) RETENTION OF RECORDS


ASU OIA retains records in accordance with ASU Policy Manual 105.1 Records
Retention Schedule as managed by ASU Records Management.

(SECTION 600)

PERSONNEL
(600.1) RESOURCE MANAGEMENT
The CAO should ensure that internal audit resources are appropriate, sufficient, and
effectively deployed to achieve the approved audit plan.
1. Staffing plans and financial budgets, including the number of auditors and the
knowledge, skills, and other competencies required to perform their work, should
be determined from the annual audit plan, administrative activities, education
and training requirements, and audit research and development methods.
2. The CAO should establish a program for selecting and developing the human
resources of the internal audit activity. The program should provide for:
Developing written job descriptions for each level of the audit staff.

Selecting qualified and competent individuals.

Training and providing continuing educational opportunities for each internal
auditor.

Appraising each internal auditor's performance at least annually.

Providing counsel to internal auditors on their performance and professional
development.

(600.2) MINIMUM TRAINING AND EXPERIENCE


North Carolina General Statute 143-739, which was adopted during the 2007 legislative
session, established the qualifications for any internal auditor employed by a State
agency.
This law was modified in 2013 [General Assembly of NC, Session 2013, Session Law
2013-406, House Bill 417] and now states that regarding the appointment and
qualifications of Internal Auditors: Any State employee who performs the internal audit
function shall meet the minimum qualifications for internal auditors established by the
Office of State Personnel, in consultation with the Council of Internal Auditing.
For an Internal Auditor, the OSHR site states minimum training and experience as
follows: Bachelor's degree in accounting or discipline related to the program area, with
nine credit hours of accounting coursework; or equivalent combination of training and
experience. All degrees must be received from appropriately accredited institutions.
For the OIA Director and OIA Manager, the OSHR site states minimum training and
experience as follows: Bachelor's degree in accounting, business, finance or other
discipline related to the area of assignment with 12 credit hours of accounting
coursework and three years of professional accounting experience, of which at least two
are supervisory (one year supervisory for Audit Manager); or equivalent combination of
training and experience. Some positions may require additional credit hours of
accounting coursework. All degrees must be received from appropriately accredited
institutions.

(600.3) CHIEF AUDIT OFFICER


The CAO is responsible for the administration of the internal audit activity. The CAO is
responsible for properly managing the internal audit activity so that:
a. Internal audit work fulfills the specific and general purposes and responsibilities
approved by management and the Board.
b. Internal audit resources are efficiently and effectively employed.
c. Internal audit operations conform to IIA IPPF Standards and Definition of Internal
Auditing.
The CAO establishes plans to carry out the responsibilities of the internal audit activity.
The work includes directing a comprehensive audit program that provides assurance and
consulting services designed to add value and improve the organization's risk
management, control, and governance processes.
The CAO is responsible for:
Directing the identification and evaluation of the organization's audit risk areas
and overseeing the development of the annual audit plan.

Assessing the adequacy of staff resources and expertise in relation to the annual
audit plan and recommending enhancements where necessary.

Overseeing the department's QAIP.

Directing internal audit staff in the planning, organizing, directing, and
monitoring of internal audit operations, including assisting in hiring, training, and
professional development, evaluating staff, and taking corrective actions to
address performance problems.

Directing the overall performance of audit procedures, including identifying and
defining issues, developing criteria, reviewing and analyzing evidence, and
documenting client processes and procedures.

Directing the audit staff in conducting interviews, reviewing documents,
developing and administering surveys, composing summary memos, and
preparing working papers.

Directing the audit staff in the identification, development, and documentation of
audit issues and recommendations.

Communicating the results of audit and consulting projects via written reports
and oral presentations to management and the Board of Trustees Audit
Committee.

Developing and maintaining productive client, staff, management, and board
relationships through individual contacts and group meetings.

Pursuing professional development opportunities, including internal and external
training and professional association memberships, and sharing information
gained with co-workers.

Representing internal auditing at management and board meetings and with
external organizations.

Performing related work as assigned by the Board of Trustees Audit Committee.

Benchmarking audit work processes and promoting continuous process
improvement.

(600.4) ASSISTANT DIRECTOR


The Assistant Director position aids in managing the auditing operation by either
assisting with or having full responsibility for: the establishment of long-term and short-term goals and objectives; the formulation of audit programs and policies; and the
overall direction of audit staffing training and development. The position assists with or
has full responsibility for audit program design and/or changes to ensure compliance
with federal and state laws, audit standards, and legal opinions. The position must
tactfully deal with controversial issues/problems and maintain successful working
relationships with clients, other employees, administrators, and the public. The position
is responsible for self-development by demonstrating a commitment to continuous
learning, self-awareness and performance through feedback. The position also has
responsibility for conducting advanced professional auditing assignments and working on
compliance, departmental, investigative, and other audits as required.

(600.5) AUDITOR
The Auditor position has responsibility for conducting advanced professional auditing
assignments. Types of audits performed include financial, compliance, performance,
investigative and follow-up audits. The scope of the position's contact and responsibility
extends to all University related functions. This position is required to work with a
minimum of supervision, requires substantial knowledge and skills in the auditing field,
and must be able to complete an audit from beginning to end. Audit assignments will
include annual financial and/or compliance audits of University functions such as New
River Light and Power, the Department of Athletics, the University Bookstore, Food
Services, Financial Aid, and other University accounts. This position will also provide
assistance as needed to the State Auditor's office in their annual financial audit of the
University. This position will also work on investigations of suspected irregular financial
activities of University employees as well as performance and operational audits of
University functions.

(600.6) IT AUDITOR
The primary purpose of the IT Auditor position is to assist the OIA in providing the
University with reasonable assurance that the proper controls are in place to protect the
confidentiality, integrity and security of the University's information systems. This
position is responsible for conducting audits of information systems configurations and
environments of the University mainframe computers and the user financial areas.
Included are audits of the IT general controls, including access controls, program
maintenance, disaster recovery plans, security issues, and systems software in the
Computer Center and user financial areas. This position works closely with ASU's
Information Technology Services and the Office of the State Auditor during any and all
information systems audits. This position is also responsible for reviewing controls on
other campus stand-alone systems, extracting data for financial and performance audits
performed by other audit staff, and working on compliance, departmental, investigative,
and other audits as required.

(600.7) AUDIT ASSISTANT


The Audit Assistant position has administrative duties as well as audit related duties.
This position is responsible for maintaining the office budget, ordering supplies,
maintaining files, preparing and binding audit reports and assisting with maintaining and
publishing office policies and procedures. This position is also responsible for completing
annual cash counts on all University petty cash and imprest cash funds, conducting an
annual review of the procedures and receipt books for all cash collection points, and
reviewing and analyzing all computer access actions for terminated employees. This
position will also have audit-related duties with regard to University P-Cards, Foundation
expenditures, travel expenditures, inventory counts and other duties deemed necessary
by the CAO.


(SECTION 700)

IDENTIFICATION OF FRAUD
(700.1) IDENTIFICATION OF FRAUD
The OIA supports management's efforts to establish a culture that embraces ethics,
honesty, and integrity. The OIA assists management with the evaluation of internal
controls used to detect or mitigate fraud, evaluates the organization's assessment of
fraud risk, and is involved in any fraud investigations.
A. Prevention: Establishing a culture of integrity is a critical component of fraud
control. Senior management must set the tone at the top and model the highest
level of integrity. The internal auditors may advise management on methods to
ensure integrity. As part of their assurance activities, internal auditors watch for
potential fraud risk, may assess the adequacy of related controls, and make
recommendations for improvement.
B. Detection: Because the internal auditors are exposed to key processes
throughout the University and have open lines of communication with the senior
administration and the Audit Committee, they are able to play an important role
in fraud detection. The OIA is responsible for responding to issues raised on
hotlines, employee tips or through other processes that may lead to the detection
of fraud; however, audit procedures alone, even when carried out with due
professional care, do not guarantee the detection of fraud.
C. Investigation: The investigation of fraud consists of performing procedures
necessary to determine whether fraud, as suggested by the indicators, has
occurred. It includes gathering sufficient information about the specific details of
a discovered or suspected fraud. Internal auditors, lawyers, investigators,
security personnel, and other specialists from inside or outside the organization
are the parties that usually conduct or participate in fraud investigations. If a
fraud is detected and investigated and it appears there is sufficient evidence, the
CAO will notify the University Police and the State Bureau of Investigation (SBI).
At this point the OIA may continue with the investigation, issue a report of its
findings and conclusions, or turn the investigation over to the SBI. Internal
auditors are not expected to have knowledge equivalent to that of a person
whose primary responsibility is detecting and investigating fraud.
Access to employee computer files and email accounts will require authorization from
the University Attorney to the Chief Information Officer of Information Technology
Services.

(700.2) INTERNAL AUDIT ACTIVITIES AND FRAUD
Reference: IPPF Practice Guide Internal Auditing and Fraud December 2009

There are various approaches that the CAO may use in considering fraud while
conducting internal audit activities:

Auditing management controls over fraud. This includes policies, awareness
practices, tone at the top, board and senior management governance (the control
environment), as well as related practices, such as risk assessment, assessing
the adequacy of preventive and detective controls in managing fraud risk within
organizational tolerances, incident management, investigations, and recovery
practices. Internal auditing should allocate resources to fraud-related activities in
line with the risk of fraud relative to other organizational risks.

Auditing to detect likely fraud by testing high-risk processes, with the
intention of looking for indicators of fraud, within the organization and
with external business relationships. For example, testing payroll for
phantom employees, or testing vendor invoices for overcharges, matching vendor
addresses with employee addresses to detect fictitious vendors, or reviewing
databases for duplicate transactions.

Considering fraud as part of every audit. For example, brainstorming about
fraud risk, evaluating fraud controls, designing procedures that consider the fraud
risk, or evaluating errors to determine whether they could be an indication of
fraud. The cumulative results may provide perspective on whether
management's awareness and risk management programs have been
implemented effectively across the organization.

Consulting assignments help management identify and assess risk and
determine the adequacy of the control environment for process reviews, new
business ventures, or IT applications. Facilitation of management's
self-assessment is another example of evaluating fraud risk, ensuring controls are in
place to mitigate those risks, and determining who is monitoring results.

(SECTION 800)

AUDIT COMMITTEE CHARTER


BACKGROUND
Appalachian State University has chosen to use the North Carolina Office of the State
Auditor (the State Auditor) to conduct its annual financial audits. The State Auditor
determines staff assignments for individual audits, including rotation of Audit managers
for each audit client. In addition, constituent institutions have internal audit
departments to address the institution's operating risks and internal controls, review the
effectiveness and efficiencies of programs, conduct investigative audits when necessary,
and perform other audit-related activities. The UNC Board of Governors has required
that the Board of Trustees of each UNC constituent institution have an active committee
generally responsible for audit activities and reporting to the Board of Trustees and UNC
Board of Governors.
PURPOSE
The primary purpose of the Audit Committee of the Appalachian State University Board
of Trustees (the ASU Board) is to assist the ASU Board in fulfilling its oversight
responsibilities for (i) the integrity of the financial statements of the University, (ii) the
performance of the University's internal audit function, and (iii) the assurance that the
University is performing self-assessment of operating risks and evaluation of internal
controls on a regular basis.
AUTHORITY
The Audit Committee of the ASU Board has authority to conduct or authorize
investigations into any matters within its scope of responsibility, including resolving any
disagreements between University administration and the auditor regarding financial
reporting and any audit findings and recommendations.
ORGANIZATION
The Audit Committee shall be a standing committee of the ASU Board consisting of at
least three (3) and no more than five (5) members of the ASU Board. Each Audit
Committee member must be (i) independent of the University's administrative and
executive officers and (ii) free of any relationship that would impair such independence.
If possible, at least one member of the Audit Committee must be a financial expert; the
other members should be able to understand financial information and statements. For
this purpose, a financial expert is someone who has an understanding of generally
accepted accounting principles and financial statements; experience in applying such
principles; experience in preparing, auditing, analyzing, or evaluating financial
information; experience with internal controls and procedures for financial reporting; or
an understanding of the audit committee function. It is desirable for the role of financial
expert to be rotated no less frequently than biannually. The members of the Committee
shall be selected in the same manner as other committees of the ASU Board.
MEETINGS
The Audit Committee shall meet at least four (4) times a year and may hold additional
meetings as circumstances require. The Audit Committee will invite representatives of
University administration, auditors, legal counsel, and others to attend meetings and
provide pertinent information as necessary. It will also hold private meetings with the
University's Chief Audit Officer of Internal Audits (the CAO) at least annually. Meeting
agendas shall be prepared and provided in advance to members, along with appropriate
briefing materials. Minutes of the meetings shall be prepared.
DUTIES AND RESPONSIBILITIES
The principal duties and responsibilities of the Audit Committee shall be as follows:

Meet at least four times during the year.

Review the results of the University's annual financial audit with the State Auditor
or a designated representative thereof.

Discuss the results of any other audit performed and report/management letter
(i.e., information systems audits, investigative audits, etc.) issued by the State
Auditor with the State Auditor or his staff, the CAO, or the appropriate campus
official(s).

For any audit finding contained within a report or management letter issued by
the State Auditor, review the institution's corrective action plan and receive a
report once corrective action has taken place.

Discuss the results of any audit performed by independent auditors and, if there
were audit findings, review the institution's corrective action plan and receive a
report once corrective action has taken place.

Review all audit reports and management letters issued with respect to entities
associated or affiliated with the University.

Institute and oversee special investigations as needed.

Have a functional reporting relationship with the CAO to enable the CAO to meet
privately to discuss professional issues freely with the Audit Committee and its
chairperson, even though the CAO also will report administratively to the
Chancellor.

Receive quarterly reports from the CAO that, at a minimum, report material
(significant) reportable conditions and the corrective action plan for these
conditions.

Receive, review, and approve a summary of the annual internal audit plan for the
University at the beginning of the annual audit cycle. The annual audit plan
should be based upon the results of an institutional risk assessment, testing of
internal controls, and audits.

Receive and review an annual summary of audits performed by the CAO's office
and a comparison of the plan set forth at the beginning of the cycle to the audits
actually performed.

Review internal audit reports when issued by the CAO.

Ensure that internal audit functions are conducted in accordance with professional
standards, including assurance that the University is performing self-assessment
of operating risks and evaluation of internal controls on a regular basis.

Review and consult with the Chancellor in the appointment, replacement, or
dismissal of the CAO and the compensation package.

Resolve, or assist the ASU Board in resolving, disagreements between the CAO
and University administration concerning audit findings and recommendations.

Engage, in accordance with state laws, rules and regulations, independent
counsel or other advisors if and as necessary to carry out its duties. The
University shall provide funding as determined by the Audit Committee, subject
to the oversight of the ASU Board, for payment to any such advisors that may be
engaged by the Audit Committee.

Prepare and forward to the UNC Board of Governors an annual summary of the
work performed by the Audit Committee, including a report of the work of the
University Internal Auditor that indicates any identified material reportable
conditions and how they were addressed.

Confirm annually that all responsibilities outlined in this charter have been carried
out as part of the annual internal assessment.

Perform such other duties and tasks as may be assigned or requested from time
to time by the ASU Board.

AMENDMENTS
The Audit Committee, with the assistance of the CAO and University legal counsel, should
annually review and assess the adequacy of the Audit Committee Charter, and prepare
any suggested revisions or additions to the ASU Board for its consideration. Revisions or
additions to this Charter shall be made and effective as approved by the ASU Board.

GLOSSARY

REFERENCE TO ABBREVIATIONS

ASU Board         ASU Board of Trustees
Audit Committee   ASU Board of Trustees Audit Committee
CAO               Chief Audit Officer
IIA               Institute of Internal Auditors
IPPF              International Professional Practices Framework (of the IIA)
IT                Information Technology
NC GS             North Carolina General Statute
OIA               Office of Internal Audits (of ASU)
OSHR              Office of State Human Resources
PA                Practice Advisory (of the IPPF)
P-Card            Procurement card, or purchasing card
QAIP              Quality Assurance and Improvement Program
QAR               Quality Assurance Review
SBI               North Carolina State Bureau of Investigation
Standards         International Standards for the Professional Practice of Internal Auditing (of the IIA)
the University    Appalachian State University
UNC               University of North Carolina (as a system of public institutions)
UNCGA             University of North Carolina General Administration
