Internal Audit

The Internal Audit Department serves the Board of Trustees and administrators of the University of North Carolina at Charlotte as an independent, objective assurance and consulting activity designed to add value to and improve the University’s operations. The Department assists the University in accomplishing its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control, and governance processes.

Internal Audit Org Chart

 

Internal Audit Key Contacts


Tom York, Director of Internal Audit
704‑687‑2180
teyork@uncc.edu
Tommy Earnhardt, Staff Auditor
704‑687‑2836
trearnha@uncc.edu
Carla Flowers, Staff Auditor
704‑687‑3270
csflower@uncc.edu
Diana Hill, Staff Auditor
704‑687‑2254
dlgann@uncc.edu

Internal Audit News


 

May is Internal Audit Awareness Month, a time that internal auditors around the world dedicate to elevating the image of the internal audit profession.  One of the challenges in promoting our profession is defeating the perceptions of who we are and how we operate.

                                                                         

The “old” Internal Auditor

  • “Bean Counters”
    Numbers based / Dollars and Cents

  • “You should have done it this way”
    Retrospective / Always Looking Back

  • “Gotcha!”
    Emphasis on finding faults

The 21st Century Internal Auditor

  • “Why are we doing this? What is the standard?”
    Process Oriented / Systemic concerns

  • “How can we do this better?”
    Perspective is on the Future

  • “We’re here to help – really!”
    Assess / Advise / Assist

Our formal mission statement reads like this:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

As fellow university employees, we define success by helping you do your job more effectively and more efficiently.  We can do this by providing assurance, insight and objectivity from our unique perspective and independent position within the University.  When you partner with an Internal Auditor, you get someone who brings many roles to the table:

  • A coach.
  • An advocate.
  • A risk manager.
  • A controls expert.
  • An efficiency specialist.
  • A problem-solving partner.

Our profession is guided by four key principles:

TRANSPARENCY  To ensure things are as they should be, internal auditors monitor, assess, investigate, report, and advise. They strive for transparency throughout their organization, and when it is not at the appropriate level, they recommend ways to strengthen it.

RELIABILITY  An internal auditor’s reason for being is to help management and the board to meet organizational goals and objectives. Those at the top must be able to rely on the advice, accuracy, comprehensiveness of information, big-picture perspectives, recommendations, and assurances the internal auditors provide.

EFFECTIVENESS Effectiveness — the twin to efficiency — is critical, not only to the internal auditors, but also to the well being of the entire organization. They watch for red flags that might indicate potential for losses, whether the risks are reputational, operational, financial, IT- or compliance oriented, or strategic in nature.

ETHICS Professional internal auditors adhere to a Code of Ethics that is based on the highest principles and rules of conduct. They demonstrate integrity and responsibility, earning and holding the trust that management and the board place in their objective assurance on risk management, control, and governance. In addition, they monitor the organization’s ethical climate and bring issues of concern to the attention of management and the board.

We invite you to visit our website at http://www.internalaudit.uncc.edu and learn more about what we do and what we can do for you.  Call on us anytime - we really are here to help.


For some faculty and staff members, travel is an integral element of University business. Many University employees are on the go and carry a laptop or other portable device (iPad, smartphone) to maintain contact with their offices, to access the Internet or to work on business documents. These communication devices are becoming more portable and more powerful, which makes them more attractive as a travel companion. At the same time, such devices are more likely to be lost or stolen. According to the University’s Internal Audit Department, the Digital Forensics Association issued a 2011 report on data breaches in higher education that noted laptops as the second-leading cause of an information security incident. University employees are encouraged to take additional preventative measures prior to traveling with a laptop to avoid potential problems if it is lost or stolen. Before traveling with a laptop or iPad, consider the following:

  • Do the files on the device(s) contain:

o   Student information, such as grades, comments on a student’s work or any other non-directory information on a student?

o   Proprietary information including unpublished research, such as drafts of articles, in-progress projects, data sets or third-party proprietary information?

o   University data that cannot be recovered if the computer is lost or stolen?

o   Personal information, such as tax returns, social security numbers or individual/family health record information?

  • Individuals who answer “yes” to any of the above questions should consider whether or not they really need to take those files on a trip. If not, delete or transfer them to a shared network drive to leave behind.
  • Register the laptop serial number with ITS, and identify the Ethernet address for the laptop when it was registered with the campus networking group. This can help ITS to either block it from being used or report if it is being used.
  • Make sure passwords/pass-codes are up to date and meet the “strong” criteria (and are not stored in a file on the device, either).
  • Back up any data before traveling and leave a copy in a safe and secure location, such as an office or a local fileserver.
  • Turn off any file-sharing and print-sharing installed.
  • Apply all software patches and updates (especially if the laptop is a department shared resource and not routinely connected to the University network).
  • Ensure that antivirus software is up to date (especially if the laptop is a department shared resource and not routinely connected to the University network).
  • Become familiar with the Remote Services offered on the ITS website.
  • Determine if the laptop has a tracking application installed and, if so, whether it is up to date and recorded with ITS.

International travelers should take extra precautions. Certain information, technology, software and equipment may be subject to U.S. export control laws. Individuals must ensure that all the information and software on laptops can be safely and legally transported to another country. UNC Charlotte Policy Statement No. 115 “Export Control” assigns responsibility for implementing required controls to the vice chancellor for research and economic development. The policy statement contains links to two important documents that any international traveler should use to plan a trip that will include any technology device: Decision Tree for Travel, Shipping or Sharing Information and Foreign Travel. Contact John Jacobs (jljacob2@uncc.edu, 704-687-3046), facility security officer, with questions on export controls and foreign travel.

University travelers whose laptop is lost or stolen, who suspect that a laptop, PDA or other electronic equipment has been compromised, temporarily confiscated or tampered with, or who experienced a suspicious incident and/or contact during travel should contact ITS immediately upon returning.

Steps to take to mitigate the potential damage include:

  • Change NinerNet passwords and any other passwords that may be stored in the laptop or in cache memory
  • Report the loss to the carrier as required for laptops with a tracking application installed
  • Determine if the laptop had any sensitive information and assess the risk if it fell into the wrong hands

 


A recent review by the University’s Internal Audit Department found more than 50 software applications outside the Banner environment that feed financial data into Banner.

According to Tom York, Director of Internal Audit, the review assessed the basic IT general controls that should be in place for a sample of these applications. He noted that University Policy Statement No. 102 “Data and Information Access and Security,” which was revised in June 2011, assigns specific responsibilities to information custodians and information managers for information security controls.

“We found many custodians and managers of these external applications who were not aware of these newly assigned responsibilities. Maintaining the integrity, confidentiality and reliability of our financial data is essential to the University, for both operational and reputational reasons,” said York. “Negative audit findings impact the perception of the University held by those with whom we do business. Inaccurate data may lead to decisions that should not have been made. We highly recommend that any information custodian or information manager for an application that feeds data into the Banner system review Policy Statement No. 102 and assess the current state of information security controls for your application.”

Email questions about controls that should be in place or how to implement appropriate controls to Sanjeev Sah, chief information security officer, at ssah@uncc.edu.

 


The holiday season is in full swing, and many vendors that conduct business with the University may choose to show their appreciation with various gifts. While many of these are unexpected and in keeping with how business is done in the for-profit sector, as a nonprofit entity and a state agency, UNC Charlotte has limitations on accepting gifts from vendors.

Previously, Gov. Beverly Perdue signed an executive order banning gifts to employees in her administration from people who do business with the state, and several agency heads have followed the governor’s lead and placed similar restrictions on their employees.

UNC Charlotte employees are subject to the general “gift” law in North Carolina (North Carolina General Statutes §133-32). Violation of these provisions is a criminal offense.

“We also should recognize that we are in a period of increased scrutiny from the public of our actions, a public that expects their civil servants to meet high standards of ethical conduct,” said Tom York, Director of Internal Audit. “Navigating the complexities of properly receiving gifts begins with knowing where to look for guidance. Some good advice can be found in this newsletter from the N.C. Ethics Commission. The general gift prohibition is complex, and it has significant exceptions, so the best course of action is to discuss the situation with your supervisor.”

Supervisors can contact the Office of Legal Affairs at 704-687-5732 for additional guidance.


UNC Charlotte’s Internal Audit Department is joining hundreds of organizations worldwide to support International Fraud Week, Nov. 6-12.

Tom York, director of internal audit, stated that, according to the Association of Certified Fraud Examiners (ACFE), International Fraud Awareness Week comes at a time when organizations around the world lose an estimated 5 percent of their annual revenues to fraud.

One goal of the University’s Internal Audit Department is to focus on fraud prevention. A department or unit audit is an opportunity for employees to be empowered to reduce fraud, as well as other potential misuses of finances, said York. “We search for operations that can be improved, then, we assist with that improvement by using our knowledge and experience to move departments toward a successful operating system.”
York noted that regardless of the size of the organization or business model, fraud can be a serious concern and if undetected can have a measurable impact.

In its “2010 Report to the Nations on Occupational Fraud and Abuse,” the ACFE found that:

  • Fraud schemes are extremely costly. The median loss caused by the occupational fraud cases in the ACFE study was $160,000. Nearly one-quarter of the frauds involved losses of at least $1 million
  • Schemes can continue for months or even years before they are detected. The frauds in the study lasted a median of 18 months before being caught
  • Occupational fraud is a global problem. Though some findings differ slightly from region to region, most of the trends in fraud schemes, perpetrator characteristics and anti-fraud controls are similar regardless of where the fraud occurred
  • Tips are key in detecting fraud. Occupational frauds are much more likely to be detected by tip than by any other means. This finding reinforces the need for promoting awareness to foster an informed workforce

For more information about increasing awareness and reducing the risk of fraud, visit the internal audit website or contact Tommy Earnhardt at ext. 7-5694.


UNC Charlotte will host the 2011 UNC Auditors Association annual conference, which is scheduled for Monday and Tuesday, Oct. 10-11, in the Student Union.

Tom York, director of internal audit, is the association’s current treasurer and a past president of the organization. He said this yearly event is an opportunity for “continuing professional education, to share campus best practices and to promote camaraderie among the members.”

Because the University is the conference host, York said he and his team decided on the theme “Staking Your Claim to Assurance,” which incorporates UNC Charlotte’s branding message. Carla Flowers created a conference illustration that combines the elements of the association’s professional mission with the University logo and “Stake Your Claim” imagery.

More than 40 individuals have registered to attend this year’s association conference. Joan Lorden, provost and vice chancellor for academic affairs, will welcome members. Among the conference speakers from the University are Bill Chu, Department of Software and Information Systems; Krista Newkirk, Office of Legal Affairs; Gordon Hull and Rosemary Tong, Center for Professional and Applied Ethics; and Stephen Ward, executive director of communications, Division for University Advancement.

York said he is excited for members to return to UNC Charlotte. Randy Ross, the University’s former director of internal audit, spearheaded efforts to form the UNC Auditors Association in 1998, and the University hosted the inaugural conference. He added the 2011 conference is benefiting from the generous support from a number of campus units, including the Department of Athletics, Atkins Library, Charlotte Research Institute, Dean of Students Office, Division for University Advancement, Office of Undergraduate Admissions and the Receiving and Stores Office.

 


UNC Charlotte is increasing its foreign contacts through academic collaborations and research opportunities. University personnel engaged in coordinating and executing operations overseas should be aware of the provisions of the Foreign Corrupt Practices Act (FCPA) and the United Kingdom (UK) Bribery Act. 

The FCPA, which was signed in 1977 and amended in 1988, makes it a crime for U.S. individuals and companies (including affiliates, subsidiaries and branches) to knowingly offer payment or promises of payment to any foreign government official (either directly or indirectly through an intermediary) in order to secure business. These payments need not only be monetary but include anything of value, and the attempt to influence need not be successful to be considered a violation.

The UK Bribery Act became effective on July 1, 2011; it is patterned after the FCPA but the Bribery Act's prohibitions extend worldwide. The law applies to public and private companies that conduct business in Great Britain wherever located and applies regardless of whether the offending conduct occurs in the United Kingdom. Like the FCPA, the Bribery Act prohibits the offering, promising or giving of any "advantage," a vaguely defined term including not only overt bribery but also more innocuous gifts and favors, to any individual in order to obtain or retain business. It also prohibits the requesting, agreeing to receive or accepting of any such "advantage." Liability is not limited to the actual wrongdoer but instead can extend to a far wider audience, including individual executives, directors, employers and corporate parents, to name a few.   Potential penalties are up to 10 years imprisonment and unlimited fines for individuals and unlimited fines for entities.

While the risk of financial penalties for FCPA violations is not high for the University, there are certainly reputational risks as well as operational and strategic risks, said Tom York, director of internal audit. “The FCPA would apply to individuals conducting business overseas and these individuals would be subject to the full range of penalties. Risks to the University from the UK Bribery Act are less well defined but could include the entire risk range from financial to reputational.”

The Internal Audit Department has created an online survey that will help identify those University programs and operations that may need additional analysis and discussion to mitigate risks posed by potential violations of the FCPA. 

The Fraud Section of the U.S. Department of Justice also provides a PDF that is a “lay person’s guide to the FCPA.” Direct specific questions about department operations and the FCPA or the UK Bribery Act to the Office of Legal Affairs at ext. 7-5732.

 


The National Security Agency just released a useful guide called "Best Practices for Securing Your Home Network" that goes beyond home networks and wireless to cover email and traveling with mobile devices and more.  We thought it would be of interest to many of you on the listserv and we would encourage you to share it with your co-workers.  The first two sections do get a bit into “cyberspeak” but you can glean some useful information if you have wireless internet at home.  The section on Operational Security (OPSEC)/Internet Behavior Recommendations applies to all of us and has some very good security tips that can be applied both at home and at work. 

You'll find the guide on the NSA web site at:  http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf

 


University observes Internal Audit Awareness Month

May is Internal Audit Awareness Month, and this presents an opportunity to remind the campus community about the role of the profession.

“One of the greatest challenges of being a professional auditor is getting others to understand what we do,” said Tom York, director of internal audit. “Internal auditing is a must-have for well-run organizations and agencies.”

Internal auditors are tasked to:

  • Serve as a safety net for their organization
  • Keep an eye on ethics
  • Uncover corporate misbehavior
  • Determine what’s working and what’s not
  • Assess risks
  • Look at things with fresh eyes
  • Raise red flags and blow the whistle
  • Tell it like it is

The mission statement for the University’s Internal Audit Department is that internal auditing is an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

As fellow University employees, we define success by helping faculty and staff members do their job more effectively and more efficiently, York noted. “We can do this by providing assurance, insight and objectivity from our unique perspective within the University.”

Assurance – Internal auditing provides assurance on an organization’s governance, risk management and control processes to help the organization achieve its strategic, operational, financial and compliance objectives.

Insight – Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based upon analyses and assessments of data and business process.

Objectivity – With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice.

To learn more about the Internal Auditing Department, visit the website www.internalaudit.uncc.edu.


Staff from the Public Relations Department visited with Internal Audit to learn more about what we do and how we do it.  We shared Read their article at this link to the Campus News.  If you want to know more, just give us a call.
