Colorado State University’s Audit Follow-Up Process By Stephanie Wolvington
ABOUT THE COLORADO STATE UNIVERSITY SYSTEM he mission of the Colorado State University (CSU) System is to support, enhance and protect the unique missions of its constituent institutions and to encourage collaboration that benefits students and Colorado. The CSU System is made up of three member institutions, CSU, CSU-Pueblo and CSU-Global Campus.
T
CSU is home to several top centers and programs, including one of the top-ranked veterinary medicine programs in the country.
CSU, located in Fort Collins, Colorado, was founded in 1870 and is the state’s land grant institution. The student body totals nearly 30,000. CSU is home to several top centers and programs, including one of the top-ranked veterinary medicine programs in the country. CSU-Pueblo, located in Pueblo, Colo., was first established in 1933 as a junior college. In 1963, CSU-Pueblo became a four-year degree granting college. It has a student body of over 5,000. It has been designated a Hispanic Serving Institution.
CSU-Global Campus is a 100 percent online public university that focuses on learning opportunities for nontraditional students and working adults. It began enrolling students in fall of 2008 and has a current student body of over 5,600. CSU SYSTEM INTERNAL AUDITING OFFICE The CSU System Internal Auditing office reports through the Audit and Finance committee of the CSU System Board of Governors. The office was founded in 1967 and employs eight people, including a director, IT audit manager, audit manager, principal auditor, three senior auditors and a part-time administrative assistant. The majority of the staff is located in Fort Collins.
ABOUT THE AUTHOR
Stephanie Wolvington is the IT Audit Manager for the Colorado State University System. She has worked in internal audit for more than 15 years. She holds a Bachelor’s degree in Accounting and Business Administration and a Master’s Degree in Accounting and Information Systems, both from the University of Kansas.
WHY DO AUDIT FOLLOW-UP? According to the Institute of Internal Auditors International Professional Practices Framework, audit follow-up “is a process by which internal auditors evaluate the adequacy, effectiveness and timeliness of actions taken by management on reported observations and recommendations.” According to Standard 2500, it is the As auditors, we perform responsibility of the Chief Audit Executive to establish and maintain follow-up engagements a system to monitor the disposition of results communicated to manbecause the standards agement. require them. As auditors, we perform follow-up engagements because the standards require them. If an issue is important enough to report on in the first place, shouldn’t we conduct follow-up procedures to monitor the final outcome? And what about a natural sense of curiosity? As auditors, many of us have this trait. We would like to know the results of our audit findings and recommendations and what impact they have had on business operations. PREVIOUS FOLLOW-UP PROCESS At CSU, audit follow-up was done every six months. This meant that every six months, the auditor who had completed an audit would initiate a follow-up engagement to track the 18 COLLEGE & UNIVERSITY AUDITOR
The follow-up engagement could consist of interviews, verification of work performed, review of new or revised policies
implementation of corrective action for all the recommendations in the audit. The follow-up engagement could consist of interviews, verification of work performed, review of new or revised policies and procedures, or even additional test work. The work would result in a memorandum-style follow-up audit report. This report would detail the initial audit findings and recommendations and provide a status update on the implementation of the recommendations. The distribution would mirror that of the original audit report. The six month reviews would continue until all the recommendations were closed.
and procedures, or even
The six month timeframe for follow-up was arbitrary. None of the current internal audit staff could recall how that timeframe was selected. It may or may not have allowed for an additional test work. appropriate amount of time to resolve an audit finding. At that time, the Internal Auditing office was not requiring management to provide a target completion date for the implementation of audit recommendations. As a result, many recommendations would stay outstanding for multiple years. Additionally, recommendations that were implemented faster than the six month time frame would not be verified until the follow-up engagement had begun. The audit follow-up process was initiated by the department’s administrative assistant. She kept an index card-based tickler file to serve as a reminder of the follow-up engagement. At the beginning of each month she would provide a report to each auditor detailing the audits that still had open recommendations, together with details of the recommendations and a certification form on which the auditee provided status information for each recommendation. The audit certification is a Microsoft Word document that is used by the auditor in the conduct of the engagement. The certification details the audit recommendation and requires management to complete a status field, detailing the status of the audit recommendation. Management then signs and dates the certification form to certify the accuracy of the status of the recommendations. REVISED FOLLOW-UP PROCESS In 2011, a change in the audit director position served as the catalyst to revise the follow-up process. It was decided that for every audit recommendation in every audit report, as part of the management response, a target implementation date would be identified. This date, provided by management and documented in the audit report, would act as a trigger for follow-up procedures to occur. Follow-up procedures would now occur by finding and recommendation, and no longer by audit. It was also decided to move away from the index-card based tickler file and create a database, using Microsoft
It was also decided to move away from the index-card based tickler file and create a database, using Microsoft Access, to track follow-up for audit recommendations. At this time, the CSU System Internal Auditing office did not use an automated workpaper package, so using tools included in such a software package was not an option. The new database was created in-house by the IT audit manager.
Initial planning for the database required the audit staff to determine how the database was to be used. The audit staff would use the database to monitor the outstanding for audit recommendations. recommendations that had been assigned to them. Follow-up would now occur based on the implementation date provided by management (and not the previous six month timeframe) and reports for the auditors would be generated based on this date. Certification reports would still be used by the auditors to obtain management sign-off. These reports would now be automatically generated from the database with the push of a button, with no more copying and pasting from old audit reports. Access, to track follow-up
It was also decided to use the database to generate reporting for the audit committee of the CSU System Board of Governors. These reports detail overdue audit recommendations by institution. For each recommendation, the report provides the board with information on the audit recommendation, management response, responsible management personnel and the revised target completion date for implementing the recommendation. Internal Auditing reports only the overdue recommendations to the Board. The President’s Office also receives a copy of this report and uses it to monitor the status of overdue audit recommendations. Once the desired uses for the data were determined, the actual design of the database began. The data to be collected and recorded for use in the generation of these reports was decided upon. Some of the fields
19 COLLEGE & UNIVERSITY AUDITOR
in the database include: audit number (unique audit identifier), audit finding, audit recommendation, management response, department, responsible management personnel, target completion date, revised target completion date (established if the auditee did not complete implementation by the original date), recommendation status, closed date and topic. This gives the database user the capability to filter or query on the information by audit, by department, by date, or by topic, such as policy and procedures or information technology. The responsibility for maintaining the audit tracking database resides with the Internal Auditing office’s administrative assistant. At the completion of each audit, she inputs the audit findings, recommendations, management responses, target completion date and other pertinent data into the By keeping what worked database. On a monthly basis, she generates reports for each auditor that detail the recommendations scheduled for implementation during that month. She also generates from the old process the reports for the Board of Governors and the President’s Office. and understanding what could be gained with
CONCLUSION While the level of follow-up work performed and the certification form process did not change, many other areas of the follow-up process did. The decision to require database, the CSU System management to provide target completion dates for each audit finding and Internal Auditing office recommendation served as the catalyst for a revised follow-up process. It also served to raise the level of accountability among managers for their audit responses and the greatly improved its followimplementation of corrective action. The creation of the audit tracking database allowed up process. for the automatic generation of reports to be used by the audit staff, Office of the President and the CSU System Board of Governors. It also allowed for the creation of ad-hoc reports based on any of the data fields in the database. By keeping what worked from the old process and understanding what could be gained with the implementation of a database, the CSU System Internal Auditing office greatly improved its follow-up process. n the implementation of a
20 COLLEGE & UNIVERSITY AUDITOR