University of Mississippi Medical Center Policies and Procedures
The Internal Audit Department shall adhere to the policies,
procedures, and regulations of the University of Mississippi Medical Center
as presented in the Faculty and Staff Handbook and Personnel Procedures and the
Employee Handbook.
Standards for the Professional Practice of Internal Auditing
The Standards for the Professional Practice of Internal
Auditing outline the criteria by which the operations of an internal
auditing department are evaluated and measured. They are meant to serve the
entire profession in all types of organizations. The purposes of the
Standards are to:
- delineate basic principles that represent the practice of internal auditing as it should be.
- provide a framework for performing and promoting a broad range of value-added internal audit activities.
- establish the basis for the measurement of internal audit performances.
- foster improved organizational processes and operations.
The Internal Audit Department at UMC shall comply with these Standards.
Each member of the department shall receive a copy of the Standards and
is expected to be familiar with them and adhere to them.
Fraud
Fraud encompasses an array of irregularities and illegal acts
characterized by intentional deception. Persons outside as well as inside the
organization can perpetrate fraud for the benefit or detriment of the
organization.
Deterrence of fraud is the responsibility of management. The
Internal Audit department is responsible for examining and evaluating the
adequacy and the effectiveness of actions taken by management to fulfill this
obligation. Auditing procedures alone, even when carried out with due
professional care, do not guarantee that fraud will be detected.
Internal auditors should have sufficient knowledge of fraud
to be able to identify indicators that fraud might have occurred but are not
expected to have the expertise of a person whose primary responsibility is
detecting and investigating fraud. Internal auditors should be alert to
opportunities that could allow fraud. If significant control weaknesses are
detected, additional tests conducted by internal auditors should include tests
directed toward the identification of other indicators of fraud.
The Internal Audit department will assist in the
investigation of fraud in order to:
- determine if controls need to be implemented or strengthened to reduce future vulnerability.
- design audit tests to help disclose the existence of similar frauds in the future.
- help meet the internal auditor’s responsibility to maintain sufficient knowledge of fraud.
Information Security
Information security is a management responsibility. This
responsibility includes all critical information of the organization regardless
of the media in which the information is stored. The Internal Audit department
should evaluate information security and associated risk exposures. Internal
auditors should assess the effectiveness of preventive, detective, and
mitigative measures against incidents deemed likely to occur. Internal auditors
should periodically assess the organization’s information security practices
and recommend, as appropriate, enhancements to or implementation of new controls
and safeguards.
Due Professional Care and Proficiency
Internal auditors should apply the care and skill expected of
a reasonably prudent and competent auditor. Due professional care does not imply
infallibility. The internal auditor should exercise due professional care by
considering the:
- extent of work needed to achieve the engagement’s objectives.
- relative complexity, materiality, or significance of matters to which assurance procedures are applied.
- adequacy and effectiveness of risk management, control, and governance processes.
- probability of significant errors, irregularities, or noncompliance.
- cost of assurance in relation to potential benefits.
Proficiency
Personnel should collectively possess the knowledge, skills,
and other competencies essential to the practice of internal auditing within the
organization. Educational and work experience criteria have been established for
the various positions within the department. In order to maintain their
proficiency, all personnel are encouraged to continue their education and will
be given adequate opportunities to do so. Continuing education hours necessary
to meet certification requirements should be obtained. If no certification
requirements are necessary, a minimum of 16 hours should be obtained. Continuing
education may be obtained through:
- membership and participation in professional societies.
- attendance at conferences.
- seminars.
- college courses.
Departmental memberships have been obtained in the Institute
of Internal Auditors, the Association of College and University Auditors, the
Association of Health Care Internal Auditors, and the Information Systems Audit
and Control Association. UMC may cover the cost of obtaining continuing
education; however, the employee should obtain approval prior to registering for
any course or seminar.
Accreditation is an important indicator of an auditor’s
technical proficiency. Certification as a public accountant, internal auditor,
or information systems auditor is encouraged for all departmental personnel and
is a requirement for certain positions. Currently, UMC will pay the cost of
registering a certificate.
Conflicts of Interest
Internal auditors should be objective in performing their
job. Objectivity requires internal auditors to have an impartial and unbiased
attitude, to avoid conflicts of interest, and to perform audits in such a manner
that no significant quality compromises are made. Therefore, the department will
do its best to make sure the auditors are not placed in situations in which they
feel unable to make objective, professional judgments.
- Staff assignments will be made so that potential and actual conflicts of interest and bias are avoided. If a conflict of interest or bias is present, the auditor(s) will be reassigned.
- Staff assignments will be rotated periodically, if practicable to do so.
- Internal auditors will not assume operating responsibilities.
- Internal auditors should refrain from assessing specific operations for which they were previously responsible.
Each auditor will be required to complete an annual Conflicts
of Interest Statement.
Workpapers
Workpapers that document the engagement should be prepared by
the auditor doing the work and reviewed by someone other than the preparer. The
workpapers should record the information obtained and the analyses made and
should support the basis for the observations and recommendations to be
reported.
Engagement workpapers are the property of the organization.
Workpaper files will remain under the control of the Internal Audit department
and will be accessible only to authorized personnel.
The Mississippi Department of Archives and History has
approved a records disposition program. All workpapers (audits and special
projects) are to be retained for 3 years and then destroyed.
Supervision
Engagements should be properly supervised to ensure
objectives are achieved, quality is assured and staff is developed. All work
performed by the Internal Audit department will be properly supervised. The
extent of supervision required will depend on the proficiency of the auditor
assigned to a task and the difficulty of the assignment. Supervision includes:
- providing suitable instructions to subordinates at the outset of the audit and approving the audit program.
- seeing that the approved audit program is carried out unless deviations are both justified and authorized.
- determining that audit working papers adequately support the audit findings, conclusions, and reports.
- making sure that audit reports are accurate, objective, clear, concise, constructive, and timely.
- determining that audit objectives are being met.
The Director should approve all out-going correspondence.
Coordination
Activities should be coordinated with external providers of
assurance and consulting services to ensure proper coverage and minimize
duplication of efforts.
Performance Evaluation
As outlined in the UMC Faculty and Staff Handbook and
Personnel Procedures and the Employee Handbook, employees are to
receive a formal performance appraisal at the end of a new employee’s 90-day
probationary period and on an annual basis, usually during the month of March.
The Employee Performance Appraisal Form is used to evaluate individuals who have
no supervisory responsibility and is to be completed by the immediate
supervisor. Managers and supervisors are to be evaluated by their department
heads. The Manager/Supervisor Performance Appraisal Form is used to rate these
individuals.
Additionally, each auditor shall receive feedback at the
conclusion of each audit. This feedback may be written or oral.
Leave Time
Leave time will be provided in accordance with the policies
outlined in the UMC Faculty and Staff Handbook and Personnel Procedures
and the Employee Handbook. Leave time must be coordinated within the
department so that sufficient staffing is available at all times. In the event
all employees request leave at the same time, approved leave will be granted on
a first-come, first-served basis.