In a recent Baker Tilly and ACUA webinar titled “Adventures in Small Shop Auditing,” Baker Tilly advisors discussed auditing tools, techniques, and case studies tailored to small audit shops, covering topics including enterprise risk management (ERM), information technology (IT), and sponsored research. Below, we address participant questions to provide additional insight into the presentation topics.
How much should internal audit depend on external audit in the Office of Research and Sponsored Projects (ORSP) area?
Internal audit should work with external audit to understand what areas they view as high risk; however, internal audit should not rely exclusively on the external audits to complete the same level of review. Internal audit should perform a risk assessment or, if available, leverage a risk assessment completed by ORSP. Additionally, if your organization has an Office of Institutional Compliance, consider reviewing their risk and compliance assessments of sponsored research administration. Once you understand the key risk areas, focus your internal audits on the top-priority, high-risk areas noted, working cooperatively with management.
Regarding direct salary charging, how can institutions ensure a direct charge of an administrator’s salary is not included in indirect charges (since the indirect charge is a percentage of direct costs)?
To understand whether an administrative salary was included in the university’s direct rate, internal audit should work with Grants Accounting, or whoever is responsible for calculating the indirect rate, to determine which administrative costs were included in the indirect rate cost pool. If the administrative salary was included in the indirect rate cost pool, it should not be directly charged to a sponsored award.
Why is it essential for small audit shops to NOT ignore information technology (IT) auditing and focus on operational audits?
Technology is intertwined throughout the institution, whether in the classroom, school, or operations. Since IT touches practically everything, managing the risks to institutional data and the security of that data is imperative to maintaining the institution’s reputation. Data breaches are more likely in this industry than in most other industries because of the decentralized and open-sharing nature of higher education.
Below are a couple of ways that you can include IT within operational audits:
- Develop IT-focused questionnaires to provide to each area you audit to understand the risks that exist and the potential control environments that are in place.
- Determine whether it makes sense to test a few IT controls during each operational review, or ask for supporting documentation of general IT controls from the IT directors or the individuals responsible for the area’s IT.