The Internal Audit Department receives its authority from the Board Finance Committee of the San Jacinto Community College District (Internal Audit Charter). The authority includes full and unrestricted access to all personnel and departmental records while conducting audit activities. All information received by the audit department is held at the appropriate level of confidentiality.
Internal Audit reports directly to the Vice Chancellor of Fiscal Affairs, with an advisory reporting relationship to the Chancellor and Board Finance Committee.
There are two main ways in which a program, department, process, or initiative (auditable entity) is selected for an audit. One way is through the risk scoring model of the annual Internal Audit risk assessment. Another way auditable entities are selected is through specific request by the SLT, Board Finance Committee, or the auditable entities themselves.
The frequency of department audits depends on the level of risk associated with the department. A high risk department could be audited each year where a department with a lesser associated risk may be part of a several year rotation.
Internal Audit calculates the risk score of a program, department, process, or initiative by using key risk factors such as previous audit finding, financial impact, regulatory implications, the potential for negative publicity, duration since last audit, and several others.
The scope of an audit refers to what organization functions will be included for review as part of the audit. Internal Audit wants to maximize its resources by concentrating on specific significant areas within an organization. The audit scope is determined through review of the organization's functions, discussion with the organization's management and auditor judgment.
If a significant issue is identified during the audit of a department, Internal Audit expresses the results of its audit work as findings. Findings have certain elements, including the criteria or basis for determining that a problem does exist, a condition or situation that was observed, the effect or impact of the condition, and the cause of the problem to the extent that it can be determined. Findings should result in recommendations that resolve the issue and are helpful to management.
The length of time it takes to complete an audit varies significantly. Some take as little as a couple of weeks and others can take several months. The audit is a dynamic process, the scope of which can be expanded or reduced at any time depending on the findings.
The overall goal of our audit is to provide the department being reviewed with an assessment of its control environment and compliance with appropriate policies. A secondary goal of our review is to make recommendations, if necessary, that are aimed to improve the efficiency and/or accuracy by which certain procedures are performed.
Prior to our review, we submit an initial request for information to the department. This request includes general department information which aids us in gaining an understanding of the department being reviewed. When we begin the fieldwork segment of our review the department will need to provide us with various details supporting the transactions we are testing.
Inevitably there will be some disruption within the department's daily schedule. However, we try to keep this disruption to a minimum and schedule our meetings with department personnel at their convenience.
Audit reports are issued to the auditee and supervisor, as well as the Vice Chancellor of Fiscal Affairs, Chancellor, Board Finance Committee and other interested parties.
Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. The elements of fraud are:
- A representation about a material fact
- Which is false
- And made intentionally, knowingly, or recklessly so
- Which is believed
- And acted upon by the victim
- To the victim’s damage
Employees who commit fraud generally are able to do so because there is opportunity, pressure, and a rationalization.
Opportunity is generally provided through weaknesses in the internal controls. Some examples include inadequate or no:
- Supervision and review
- Separation of duties
- Management approval
- System controls
Pressure can be imposed due to:
- Personal financial problems
- Personal vices such as gambling or drug use
- Unrealistic deadlines and performance goals
Rationalization occurs when the individual develops a justification for their fraudulent activities. The rationalization varies by case and individual. Examples include:
- "I really need this money and I’ll put it back when I get my paycheck."
- "I'd rather have the company on my back than the IRS."
- "I just can't afford to lose everything – my home, my car, everything."
Management. Internal Audit is responsible for examining and evaluating the adequacy and effectiveness of actions taken by management to fulfill this obligation. Deterrence consists of actions taken to discourage fraud and limit financial losses if it does occur. The principal mechanism for deterring fraud is strong internal controls.
Internal auditors should have sufficient knowledge of fraud to be able to identify indicators that fraud might have been committed. If significant control weaknesses are detected, additional tests conducted by internal auditors should include tests directed toward identification of other indicators of fraud. Internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is to detect and investigate fraud. Audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.
Fraud investigations may be conducted by or involve the participation of the Internal Audit Department, campus Police Departments and other areas of the College as appropriate.
The following is a partial list of the factors contributing to fraud.
- Ineffective internal controls such as:
- Not separating functional responsibilities of authorization, custodianship, and record keeping. No one should be responsible for all aspects of a function from the beginning to the end of the process.
- Unrestricted access to assets or sensitive data
- Nor recording transactions resulting in lack of accountability
- Not reconciling assets with the appropriate records
- Unauthorized transactions
- Unimplemented controls because of the lack of or unqualified personnel
- Collusion among employees over whom there is little or no supervision
- Embezzlement “red flags” include:
- Borrowing money from co-workers
- Creditors or collectors appearing at the workplace
- Gambling beyond the ability to stand the loss
- Excessive drinking or other personal habits
- Easily annoyed at reasonable questioning
- Providing unreasonable responses to questions
- Refusing vacations or promotions for fear of detection
- Bragging about significant new purchases
- Carrying unusually large sums of money
- Rewriting records under the guise of neatness in presentation
- Other common forms of fraud are:
- Falsifying timesheets for a higher amount of pay
- Stealing of any kind (e.g., cash, petty cash, supplies, equipment, tools, data, records, etc.)
- Lapping collections on customers’ accounts
- Pocketing payments on customers’ accounts, issuing receipts on self-design receipt books
- Not depositing all cash receipts
- Creating fictitious employees and collecting the paychecks
- Failing to end personnel assignments for terminated employees and collecting the paychecks
- Paying for personal expenses with University funds
- Increasing vendor invoices through collusion
- Billing for services not rendered and collecting the cash
- Seizing checks payable to vendors
- Recording fictitious transactions on the books to cover up theft
- Other fraud danger signals:
- High personnel turnover
- Low employee morale
- No supporting documentation for adjusting entries
- Incomplete or untimely bank reconciliations
- Increased customer complaints
- Write-offs of inventory shortages with no attempt to determine the cause
- Unrealistic performance expectations
- Rumors of conflicts of interest
- Using duplicate invoices to pay vendors
- Frequent use of sole-source procurement contracts