FAQs

1. What is the difference between a control test and a transaction test?

Control procedure tests tell management what should happen in the future. Transaction tests tell management what has happened in the past. Modern professional internal auditors first evaluate control procedures to determine if activities exist in the organization that can mitigate the risk of something happening or going wrong. The results of control procedure evaluations are used to determine if additional test of transactions within the process are needed.

2. Who are the COSO private sector sponsoring organizations?

American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA), and National Association of Accountants (NAA) or currently known as the Institute of Management Accountants (IMA). To learn more about COSO:http://www.coso.org/ or http://www.coso.org/key.htm or http://www.coso.org/audit_shop.htm.

3. Do we get a chance to respond to an audit?

Your input is considered during the data gathering or fieldwork stages of the audit and for accuracy after the report's findings are drafted. Management's responses to audit recommendations are included in the audit report.

4. What does a typical Internal Audit include?

We offer a number of services - core reviews, investigations, compliance reviews, and operational reviews, however, the typical audit is the core review.

5. What is Internal Audit's reporting structure?

Internal auditors are University of Kentucky employees reporting administratively to the Executive Vice President for Finance and Administration and functionally to the Audit Sub-committee of the Board of Trustees.

6. How can I best work with the auditors at the University of Kentucky?

Your initial exposure during the engagement is usually during the planning stage. You can assist by either providing relevant information or directing the auditor to the right person or office.

Each auditor that requests information should be able to explain the audit's purpose and objectives so you can understand the reasons for the questions and provide accurate answers. If you have questions or concerns about the information being requested, it is appropriate to discuss those concerns with the auditor.

7. Who audits the Internal Audit Department?

Per the standards of the Institute of Internal Auditor (IIA), peer reviews are required every five years. The peer review is conducted by an external committee assessing the effectiveness of the Internal Audit function.

8. What should I do if a theft occurs?

You should immediately report it to you supervisor. If you do not feel comfortable reporting the theft to your supervisor, you may report it anonymously to the Compliance Hotline (link), the UK police or the UK Internal Audit Department. Supervisors reporting thefts at UK should follow UK's Business Procedure E-2-9.

9. What do the external auditors audit?

External auditors are employees of public accounting firms who primarily perform the annual consolidated financial statements audit for the University. External auditors are charged with providing a documented opinion stating whether or not the consolidated financial statements are fairly presented, "in all material respects."

External auditors, after gaining a thorough understanding of a business, assess the risk of material misstatement and design effective audit procedures required to determine if the financial statements are not materially misstated. External auditors maintain objectivity by working for an accounting firm that is outside the University and are not UK employees. External auditors are licensed by the state to perform financial audits. The financial statements are owned by and remain the responsibility of UK management.

The objective of the external auditor's report is materiality.

10. How are we selected for an audit?

Eighty percent of units are selected for audits through the Risk Assessment Process. Risk Assessment is used as the framework for preparing the Annual Work Plan. The Risk Assessment process commences with a listing of University areas and processes deemed significant for review. Areas are listed because of their importance or perceived risk or significance to the organization in the Audit Universe. The additional 20% of Audits conducted each year take place because of management request, compliance review, or investigation.

11.. Who gets the audit report?

Audit reports are sent to the management of the unit being audited, as well as University administration. The issuance of reports also follows the reporting line of the Internal Audit Department.