Frequently Asked Questions
- How are audits selected?
- What is the difference between internal and external auditors?
- What are internal controls, and who is responsible for them?
- What can I expect if Internal Audit identifies an observation/finding during the audit?
- Who receives the audit report?
- How long does an audit take?
- May I request an Audit?
- If I have information about questionable activities, or activities that may not be in alignment with University policies, procedures, and/or regulations/laws, what can I do?
How are audits selected?
Internal Audit performs an annual risk assessment process that focuses on current and emerging risks. The Audit Plan, prepared after seeking input from leadership, is presented to, and approved by, the Stewardship Committee.
What is the difference between internal and external auditors?
Internal auditors are employees of the University. Our scope of work serves the University by helping it accomplish its goals, enhance operations, and improve risk management and internal controls. Internal auditors focus on both financial and non-financial risks and controls. Internal auditors provide University leadership and the Board with assurance on the University’s risk management and control processes.
Internal Audit follows the standards and guidelines of the Institute of Internal Auditors (IIA). Internal Audit roles include monitoring, analyzing, and assessing risks and controls; reviewing and confirming compliance with policies, procedures, regulations, and laws; performing reviews to ensure accuracy of data; and assessing current operations and procedures against best practices.
External auditors are often thought of as the independent accounting firm hired by the University to render an opinion on the financial statements each year. Other external auditors could include government auditors who perform audit work to determine compliance with regulations/laws, or non-University auditors hired to perform a specialized audit or review of a specific process or area.
What are internal controls, and who is responsible for them?
Internal controls are processes, systems, and/or policies and procedures put in place to provide reasonable assurance regarding the achievement of reliable financial reporting, effective and efficient operations, and compliance with laws and regulations. Internal controls are anything we do or put in place to help us achieve our objective(s). Examples of internal controls include locking your desk or office space to ensure your belongings and other items are safeguarded, and using strong passwords to reduce the risk of your accounts being accessed by external parties.
Management is responsible for establishing and maintaining the control environment. Auditors play a role in a system of internal controls by performing evaluations, testing the effectiveness of controls, and making recommendations for improved controls.
In general, controls can be categorized as preventive or detective. Preventive controls are aimed at preventing errors or irregularities from occurring. Detective controls are designed to identify errors or irregularities after they have occurred.
What can I expect if Internal Audit identifies an observation/finding during the audit?
You can expect the auditor to discuss the observation with you to ensure the auditor has a thorough, accurate, and appropriate understanding of the issue. Further, Internal Audit will partner with leadership within the department/unit being reviewed to develop an appropriate recommendation to enhance processes or to mitigate or transfer risk.
Who receives the audit report?
The final audit report is sent to University leadership as well as leadership within the area/department being audited. The President, Provost, and Executive Vice President will be copied on each audit report. Departmental leadership would typically include the Dean or Vice President, as well as appropriate administrative staff. The Stewardship Committee will be provided with a summary of each audit report.
How long does an audit take?
Some audits take approximately two months, while others take approximately five months, depending on the size and complexity of the area under review.
The majority of this time is spent by the auditor in our office performing reviews and analyses of data and information. While we will request meetings and make requests for data and documentation during the audit, we take your schedules into consideration as we strive to minimize interference with your day-to-day work.
May I request an Audit?
Yes. Internal Audit will consider all requests for inclusion on the audit plan. Please note that our ability to accept project requests depends on several factors, including but not limited to staff workload and the level of risk and/or urgency associated with the requested engagement.
If I have information about questionable activities, or activities that may not be in alignment with University policies, procedures, and/or regulations/laws, what can I do?
As a member of the Villanova community, you are encouraged to raise questions or concerns. Please visit the following University Compliance Office webpage (https://www1.villanova.edu/villanova/generalcounsel/uco/hotline.html) for information on how to report your concerns.