The Office of Audit Services is an independent and objective assurance and consulting activity within the University that provides the Board of Trustees and management with observations, recommendations and advice designed to add value and improve the effectiveness of the University's risk management, control, and governance processes.
The University is committed to conducting its affairs in accordance with its principles of behavior outlined in its Code of Conduct and Ethical Standards and University policies. This protocol establishes an administrative process for dealing with allegations of misconduct reported under the Code of Conduct and Ethical Standards so that the integrity of business conducted at the University of Vermont may be preserved.
As outlined in the Code of Conduct and Ethical Standards reports of suspected misconduct are to be made to a responsible official or Office of Audit Services. Suspected fraudulent activity should be reported to the Office of Audit Services. Reporting channels outlined in specific University policy should be followed.
The Chief Internal Auditor shall keep the President, General Counsel and the Chair of the Audit Committee informed of any potentially serious or widespread compliance issues or defalcations.
Expectations of Employees
All employees are expected to cooperate and be truthful in the University's investigation of allegations.
When fraudulent activity is suspected, administrators:
- should not contact the person suspected to further investigate the matter or demand restitution,
- should not discuss the case with anyone other than the Audit Services Office, the Office of General Counsel, or a duly authorized law enforcement officer,
- should direct all inquiries from any attorney retained by the suspected individual to the Office of General Counsel, and
- should direct all inquiries from the media to the University Communications Office, or in the event that the Communications Office cannot be contacted, to the Office of General Counsel.
Persons assisting in the investigation shall be reminded of the University's whistleblower protections against retaliation in cases where the identity of the whistleblower may be compromised in furtherance of the investigation.
Individuals that are the subject of an allegation shall be notified as long as the investigative officer concludes it will not risk the integrity of the investigation and evidence of wrongdoing is found and reported on.
- The investigative auditor shall evaluate the issues raised and refer the matter to the appropriate University offices as may be required during the investigation and in accordance with University policy.
- Investigation Outcomes.
- When the fact finding produces no evidence of misconduct or defalcation, the Office of Audit Services shall report the outcome to the cognizant University administrator.
- Incidents of minor misconduct or noncompliance may be referred to departmental management or other appropriate University offices for resolution. In these instances the investigation shall be a fact finding function in order to determine whether internal control deficiencies exist.
- If the investigation determines that substantial misconduct or defalcation occurred or likely occurred, the Office of Audit Services shall report on the findings to the President, Cognizant Vice President or Provost, appropriate responsible official, and General Counsel. Potential criminal activity will also be reported to Police Services. Risk Management will be notified of any defalcation that may be covered under University insurance. In addition, the Audit Committee of the Board of Trustees shall be notified of any allegation involving senior management (Vice President or above) and any fraud with an aggregate value of $10,000 or greater.
- Note: The Chief Internal Auditor retains the authority to report any matter to University administration or the Board of Trustees as he/she deems appropriate.
- If wrongful conduct is determined to have occurred the appropriate University official will initiate disciplinary action in a manner consistent with applicable University policy and procedure.
- Police Services is responsible for referrals made to the Vermont State Attorney's Office for potential criminal prosecution.
- The Office of Audit Services shall maintain the records and supporting documents related to all investigations.
- All reasonable efforts shall be made to complete the investigative review within 90 days. Any inquiries anticipated to extend beyond 90 days will be reviewed and approved by the Chief Internal Auditor.
Effective Date: 7/17/09
When an audit begins, the department being audited is informed in advance. An entrance conference is held for the auditors and department members to meet each other and discuss the objectives of the audit. Issues or processes that members of the department would like included in Audit Service's scope of work may be defined at this time. During the initial planning phase, Audit Services may talk with managers, General Counsel, and other offices to get different perspectives on operations and where to focus resources during the audit.
Since each department is unique in its size, purpose, staffing and procedures. The audit procedures that are followed during the fieldwork phase depend on the nature of the audit and are designed to focus on operations or controls that have been identified as high risk or the most problematic for the department. Test work may be expanded, eliminated, or otherwise adjusted as the audit progresses
During a typical audit, Audit Services performs an evaluation of the internal controls and tests the compliance by tracing a sample of transactions through the operations' processes. Office policies and manuals are reviewed, processed and systems are tested, and documents maintained by the department are examined. Key personnel may also be interviewed. Compliance with University policies are reviewed, as is compliance with procedures that are important and specific to the department's mission.
Throughout the audit process, Audit Service staff will keep relevant staff members advised of findings and attempt to resolve any issues that arise during the audit. Occasionally, a serious or urgent problem is discovered that Audit Services will bring immediately to the attention of the appropriate senior officer(s) for corrective action. An audit of one department may produce findings and recommendations for another department within the University to address.
When the fieldwork is completed, Audit Services prepares a draft of the audit report which is provided to department management for discussion and review. The report is usually formatted with the background and scope of the audit, a brief summary of the positive findings and a list of observations that were identified in the audit. Observations which require a response from outside of the unit being audited are referred to the area's manager for response.
An exit conference is scheduled with Audit Services and relevant managers to discuss the substance and wording of the report and how management intends to respond to the observations. If there are significant changes to the draft, a second draft of the report may be issued.
The final version of the audit report incorporates management's responses to each recommendation. It is distributed to the President, VP of Finance, and the senior officers and department managers responsible for the operations being reported upon. Some final internal audit reports are requested by external auditors.
- The Institute of Internal Auditors (IIA)
- Information Systems Audit and Control Association (ISACA)
- Association of College & University Auditors (ACUA)
- American Institute of Certified Public Accountants (AICPA)
- Association of Certified Fraud Examiners (ACFE)
- National Association of College & University Attorneys (NACUA)
- National Association of College & University Business Officers (NACUBO)
- GAO Green Book - Standards for Internal Control
- VT Department of Finance & Management - Internal Controls