Audit Resources 2022-04-27T12:07:46+00:00

Add Value – Organizations exist to create value or benefit to their owners, other stakeholders, customers, and clients. This concept provides purpose for their existence. Value is provided through their development of products and services and their use of resources to promote those products and services. In the process of gathering data to understand and assess risk, internal auditors develop significant insight into operations and opportunities for improvement that can be extremely beneficial to their organization. This valuable information can be in the form of consultation, advice, written communications, or through other products all of which should be properly communicated to the appropriate management or operating personnel.

Adequate Control – Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization’s risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically.

Assurance Services – Implied or expressed representations by management about the accounts in the financial statements. Management assertions are obtained in the following five broad categories:

  • Existence or occurrence assertion
    • All assets and liabilities actually existed at the balance sheet date
    • All revenues and expenditures included in the financial statements actually occurred during the period covered by the financial statements
    • The events recognized in the financial statements represent real transactions
    • No account balances are overstated
    • The financial statements contain information pertaining to the current period only
  • Completeness assertion
    • The financial statements contain all the information that is related to the current period
    • No account balances are understated
  • Rights and obligations assertion
    • Assets accurately represent the organization’s rights
    • Liabilities accurately represent the organization’s obligations
  • Valuation or allocation assertion
    • All account balances represent their true value
    • Includes an evaluation of adequacy of reserves (e.g. allowance for doubtful accounts)
    • Includes an evaluation of appropriate allocation of costs (e.g. depreciation)
  • Presentation and disclosure assertion
    • All transactions are appropriately classified
    • Appropriate disclosures in the notes to the financial statements are present

Assurance Service –  An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Audit Scope – The activities covered by an internal audit, which may include, when appropriate:

  • Audit objectives
  • Nature and extent of auditing procedures performed
  • Time period audited
  • Related activities not audited in order to delineate the boundaries of the audit

Auditee – Any individual, unit, or activity of the organization that is audited.

Authorization – Implies that the authorizing authority has verified and validated that the activity or transaction conforms with established policies and procedures. 

Cause – The reason for the difference between the expected and actual conditions (why the difference exists).

Charter – The charter of the internal audit activity is a formal written document that defines the activity’s purpose, authority, and responsibility. The charter should (a) establish the internal audit activity’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities.

Code of Ethics – The purpose of the Code of Ethics of The Institute of Internal Auditors (IIA) is to promote an ethical culture in the global profession of internal auditing.  A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust placed in its objective assurance about risk, control, and governance. The Code of Ethics applies to both individuals and entities that provide internal audit services. The Code of Ethics provides principles and rules of conduct in the areas of integrity, objectivity, confidentiality, and competency.

Compensating Controls – Are used to “counterbalance” the effects of an internal control weakness.

Compliance – The ability to reasonably ensure conformity and adherence to organization policies, plans, procedures, laws, regulations, and contracts.

Conclusions – The internal auditor’s evaluations of the effects of the findings on the activities reviewed. Conclusions usually put the findings in perspective based upon their overall implications.  Conclusions are sometimes referred to as opinions.

Condition – The factual evidence which the internal auditor found in the course of the examination (what does exist).

Conflict of Interest – Any relationship that is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.

Consulting Services – Advisory and related client service activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization’s operations.  Examples include counsel, advice, facilitation, process design, and training.

Control – Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Environment – The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:

  •   Integrity and ethical values.
  •   Management’s philosophy and operating style.
  •   Organizational structure.
  •   Assignment of authority and responsibility.
  •   Human resource policies and practices.
  •   Competence of personnel.

Cost Benefit Relationship  – Indicates that the potential loss associated with any exposure or risk is weighed against the cost to control it.

Criteria – The standards, measures, or expectations used in making an evaluation and/or verification (what should exist). 

Detective Controls – Actions taken to detect and correct undesirable events which have occurred.

Directing – Involves, in addition to accomplishing objectives and planned activities, authorizing and monitoring performance, periodically comparing actual with planned performance, and documenting these activities to provide additional assurance that systems operate as planned.

Directive Controls – Actions taken to cause or encourage a desirable event to occur.

Economical Performance – Accomplishes objectives and goals at a cost commensurate with the risk.

Effect – The risk or exposure the auditee organization and/or others encounter because the condition is not the same as the criteria (the impact of the difference).

Effective Control – Is present when management directs systems in such a manner as to provide reasonable assurance that the organization’s objectives and goals will be achieved.

Efficient Performance – Accomplishes objectives and goals in an accurate and timely fashion with minimal use of resources.

Error – An unintentional misstatement or omission of significant information in a final audit report.

External Auditors – Those audit professionals who perform independent annual audits of an organization’s financial statements.

Findings – Pertinent statements of fact. Audit findings emerge by a process of comparing what should be with what is.

Follow-up – A process by which internal auditors determine the adequacy, effectiveness, and timeliness of actions taken by management on reported audit findings (including relevant findings made by external auditors and others).

Fraud – Any illegal acts characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by individuals and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.  Frauds are intentional, while errors are unintentional.

Goals – Specific objectives of specific systems and may be otherwise referred to as operating or program objectives or goals, operating standards, performance levels, targets, or expected results.  

Illegal Acts – Refers to violations of laws and governmental regulations.

Impairments – Impairments to individual objectivity and organizational independence may include personal conflicts of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).

Independence – Allows internal auditors to carry out their work freely and objectively.  This concept requires that internal auditors be independent of the activities they audit.  Independence is achieved through organizational status and objectivity.

Information – Data the internal auditor obtains during an audit to provide a sound basis for audit findings and recommendations. Information should be sufficient, competent, relevant, and useful.

Internal Auditing –  An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.  It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Auditor – An individual within an organization’s internal auditing department who is assigned the responsibility of performing internal auditing functions.

Internal Control – A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Reliability of financial reporting;
  • Effectiveness and efficiency of operations; and
  • Compliance with applicable laws and regulations.

Internal Control System – The collective effort made toward the achievement of organizational objectives.  The primary objectives of the internal control system are as follows:

  • Compliance with policies and procedures
  • Accomplishment of goals and objectives
  • Reliability and integrity of information
  • Economical and efficient use of resources
  • Safeguarding of assets

Irregularity – The intentional misstatement or omission of significant information in accounting records, financial statements, other reports, documents or records.  Irregularities include fraudulent financial reporting which renders financial statements misleading and misappropriation of assets.  Irregularities involve:

  • Falsification or alteration of accounting or other records and supporting documents
  • Intentional misapplication of accounting principles
  • Misrepresentation or intentional omission of events, transactions, or other significant information

Management – Those individuals with responsibilities for setting and/or achieving the organization’s objectives.

Monitoring – Encompasses supervising, observing, and testing activities and appropriately reporting to responsible individuals. Monitoring provides an ongoing verification of progress toward achievement of objectives and goals.   

Objectives – The broadest statements of what the organization chooses to accomplish.

Objectivity – An unbiased mental attitude that requires internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.

Opportunity for Improvement – Pertinent statements of fact, which emerge by a process of comparing what should be with what is.  Opportunities for improvement provide facts geared toward bringing what is in alignment with what should be. 

Preventive Controls – Actions taken to deter undesirable events from occurring.

Professional Skepticism – An attitude that includes a questioning mind and critical assessment of audit evidence.  Some examples demonstrating the application of professional skepticism in response to the auditor’s assessment of the risk of material misstatement due to fraud include …

  • a. increased sensitivity in the selection of the nature and extent of documentation to be examined in support of material transactions, and
  • b. increased recognition of the need to corroborate management explanations or representations concerning material matters, such as further analytical procedures, examination of documentation, or discussion with others within or outside the entity.

Recommendations – Actions the internal auditor believes necessary to correct existing conditions or improve operations.

Risk – The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.

Risk Assessment – The identification and analysis of relevant risks associated with the achievement of objectives.

Risk Factors – The criteria used to identify the relative significance of, and likelihood that, conditions and/or events may occur that could adversely affect the organization.  Risk factors can be external or internal.  External risk factors are outside the organization, usually beyond management’s span of control.  Internal risk factors are within the university, usually within management’s span of control.    

Significant – The level of importance or magnitude assigned to an item, event, information, or problem by the internal auditor.

Substance over form – The auditor considers whether the financial statements reflect the financial reality of the entity rather than the legal form of the transactions and events which underlie them.

Standards for the Professional Practice of Internal Auditing (the Standards) – The criteria by which the operations of an internal auditing department are evaluated and measured.  The purpose of the Standards is to (a) Delineate basic principles that represent the practice of internal auditing as it should be; (b) Provide a framework for performing and promoting a broad range of value-added internal audit activities; (c) Establish the basis for the measurement of internal audit performance; and (d) Foster improved organizational processes and operations.

Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception.  It usually involves the deliberate concealment of facts.  Fraud can be defined in a number of ways, including the following:

Fraud is the intentional misrepresentation or concealment of a material fact that results in financial or other damages to another party.

Fraud is the use of deception, false suggestions, suppression of the truth, or other unfair means, which is believed and relied upon to deprive another of property or money, resulting in a loss to the party that believed and relied upon such.

Fraud is an illegal act characterized by deceit, concealment or violation of trust committed by individuals and organizations to obtain money, property or services, avoid payment or loss of services, or to secure personal or business advantage.

Fraud is the intentional deception perpetrated by individuals or organizations, either internal or external to the organization, which could benefit themselves, others, or the organization or which could cause detriment to others or the organization, including falsifying financial or other records to cover up the theft of money or other assets.

Regardless of the definition used, certain characteristics are common to fraud, including:

  • Misrepresentation of a material fact
  • Made knowingly and with the intent to deceive
  • Reliance on the misrepresentation by the victim
  • Resulting in injury or damage from such reliance

The perpetrator’s intent to deceive is usually the hardest element of a fraud to prove.  The following are examples which have been used to prove an intent to deceive:


  • Alteration of documents
  • Concealment of evidence
  • Confessions
  • Destruction of evidence
  • False statements (lies)
  • Obstruction of justice
  • Pattern of conduct (repetition of behavior)
  • Personal gain
  • Testimony of a co-conspirator

“Ordinary” people commit frauds. Typically, the “ordinary” person has a “pressure” in his/her life (e.g. financial crisis, large gambling debts, or high medical bills). Then, he/she seizes a perceived “opportunity” to alleviate the pressure (e.g. the combination is taped to the safe’s door, or no one ever reviews my work). Afterwards, he/she rationalizes the fraud he/she committed (e.g. they don’t pay me enough, I’ll pay it back, or I deserve a raise).

Altering documents (changing an actual document), including cash receipts, checks, expense reports, and time sheets

Alumni Affairs / Development
Keeping gifts
Overstating amounts of gifts received

Athlete eligibility
Camps
NCAA compliance
Ticket sales



Create fake vendors to receive payments
Inflate check amounts to payees


Improper sale of
Personal use of

Falsifying documents (creating a fictitious document), including cash receipts, checks, expense reports, and time sheets

Forging signatures on documents, including cash receipts, checks, expense reports, and time sheets

Grants and Research
Improper charges to
Keeping research checks

Intellectual Property (creations of the mind, such as patents, copyrights, and trademarks)
Conflict of interest
Improper sale of

Theft of inventory items
Theft of scrap or surplus
Misappropriation of assets, including cash, equipment, property, and supplies
Outsourced Activities
Understating sales
Gifts to management and other personnel
Overstating inventory
False accounting records

Creating fictitious employees
Inflating hours worked (padding the payroll)
Keeping former employees on the payroll
Theft of time

Bid rigging
Purchase of inferior products
Purchase of personal items

Theft of assets, including cash, equipment, property, and supplies

Use of State property for personal gain

Fraud can be very expensive in terms of monetary losses, loss of public trust, negative publicity, and potential litigation. It is very difficult to quantify the monetary losses associated with fraud, because not all fraud is known about.  As such, it is imperative that all employees strive toward the prevention of fraud at the University.

Certain areas and transaction types are more susceptible to fraud than others, having an above average potential for fraud to exist.  Examples of such areas and transaction types are as follows:

  • Asset acquisitions
  • Cash handling and collection points
  • Computer and telecommunication access
  • Credit card usage
  • Decentralized organization
  • Disbursements / payables
  • Employee loans
  • Employee payroll
  • Remote locations
  • Revenue recognition
  • Student loans
  • Student payroll
  • Surplus or scrap material
  • Suspense accounts
  • Temporary or casual employees
  • Third party contracts
  • Ticket sales
  • Vendor relationships

Asset misappropriations – The theft or misuse of an organization’s assets

Bribe – A payment made to influence someone to do something that should not be done or to omit to do something that should be done under the rules governing the procurement

Check tampering – A disbursement fraud scheme whereby an individual either prepares a fraudulent check for his own benefit or intercepts and cashes a check intended for a third party

Collusion – A secret agreement between two or more parties for fraud or deceit

Conspiracy – Is an agreement by two or more individuals to commit an unlawful act, or to commit a lawful act for unlawful purposes or by unlawful means

Corruption – A fraud in which perpetrators wrongfully use their influence in a business transaction in order to obtain some benefit for themselves or another person, including kickbacks, other gifts and gratuities, or engaging in conflicts of interest

Embezzlement – To take assets in violation of trust

Forgery – The false making or altering, with the intent to defraud, of any signature to, or any part of, any writing purporting to have legal efficacy; issuing or transferring, with the intent to defraud, a forged writing, known by the offender to be a forged writing, shall also constitute forgery

Kickbacks – Any money, fee, commission, credit, gift, gratuity, thing of value, or compensation of any kind that is provided for the purpose of improperly obtaining or rewarding favorable treatment in connection with a contract. This prohibition extends to members of the employee’s immediate family.

Kiting – Drawing a bank check on insufficient funds to take advantage of the time interval required for collection

Lapping – A scheme to cover an embezzlement by using payments made by one customer to reduce the account balance of another customer, i.e. recording a payment on a customer’s account sometime after the payment has been received

Larceny – The intentional taking away of an employer’s cash (currency and checks) without the consent and against the will of the employer, involving the theft of money that has already appeared on a company’s books, i.e. “on-book” fraud

Skimming – The process by which cash is removed from the company before it enters the accounting system, including unrecorded sales, understated sales, theft of incoming checks, and swapping checks for cash, i.e. it is an “off-book” scheme because the receipt of cash is never reported to the company

Theft – The misappropriation or taking of anything of value which belongs to another, either without the consent of the other to the misappropriation or taking, or by means of fraudulent conduct, practices, or representations (an intent to deprive the other permanently of whatever that was misappropriated or taken is essential)

Goals and objectives obtained in a defined and timely manner using minimal resources can result in efficient operations. Inefficiencies occur when processes are performed that provide no additional benefit or value. Operations are considered effective when they are functioning as intended and produce the desired result. If two individuals are both responsible for executing the same function within a process, a duplication of efforts would exist. This is an inefficient and ineffective use of time and resources.

Best Practices:

  1. Analyze business processes and identify and eliminate duplicated efforts;
  2. Streamline processes by reducing any non-value-added procedures;
  3. Identify any processes that have been done merely because “that’s the way we’ve always done it”.  Determine if those processes are still needed.  If they are, identify methods that would allow steps to be completed either more timely or effectively;
  4. Strive to process documents and transactions in a minimum required time to increase the efficiency and effectiveness of the department;
  5. Employ a cost-benefit methodology when analyzing and developing new processes.  If the costs outweigh the benefits, then consider eliminating the procedures or reduce the number of steps needed to complete the process;
  6. Look for more innovative ways to accomplish goals and objectives; and
  7. Automate where possible.

Written policies and procedures establish management’s criteria for executing the university’s operations. Developing and documenting policies and procedures is the responsibility of management. Management should document business processes, personnel responsibilities, departmental operations, and promote uniformity in executing and recording transactions. Thorough policies and procedures serve as effective training tools for staff and faculty. If written policies and procedures do not exist, are inaccurate, incomplete, outdated, irrelevant, not written succinctly, and/or not communicated, the following could result:

  • Inconsistent practices among employees and/or departments
  • Processing errors due to a lack of knowledge
  • Inability to enforce employee accountability

Best Practices:

  1. Document all significant business practices, processes, and policies;
  2. Effectively communicate new policies and procedures to personnel;
  3. Ensure policies and procedures are accurate, complete and current at all times;
  4. Revise policies and procedures for changes in business processes and policies.  This is important when new systems are developed and implemented or other organizational changes occur;
  5. Communicate significant changes to all affected personnel to ensure they are aware of any revisions to their daily duties and responsibilities; and
  6. Policies and procedures are only effective if people are aware of and understand them.

Segregation or separation of duties involves ensuring that staff members do not perform incompatible duties.  The following responsibilities should be assigned to different individuals:

  • Authorization
  • Custody of Assets
  • Recording of Transactions

Separation of the above duties reduces the opportunities for any individual to both perpetrate and conceal errors or fraud in the normal course of duties such as the following:

  • Misappropriation of Assets
  • Misstated financial statements
  • Inaccurate financial documentation
  • Improper use of funds
  • Modification or manipulation of data or records

Best Practices:

  1. A system should be designed so that the work of one individual provides a crosscheck on the work of another individual (reduce opportunity); and
  2. One individual should not perform a process from the beginning to the end.  For example: one person should not be able to accept cash, record deposits, make the deposit and reconcile the account.

Compensating Controls are less desirable than separation of duties because they generally occur after the transaction is complete. Relying completely on compensating controls is less desirable because it takes more resources to investigate and correct errors, and recover losses, than it does to prevent them. However, in some circumstances, departments do not have the staff resources to establish adequate separation of duties, so they have no choice in the matter. In these instances it is important for management to implement controls that compensate for the increased risk. Following is a list of the types of compensating controls a department can implement to address not having adequate separation of duties. This can be a valuable reference as well as a potential cost savings in the audit process when a control is more expensive to implement and test than its compensating control counterpart.

  1. Review Reports of Detail Transactions Charged to the Department – At a minimum, managers who have a staff member who can perform all the key activities of a transaction with no segregation of duties should be reviewing the reports of detail transactions for their department on a monthly basis to identify, investigate, and correct improper charges. An adequate review would consider the transaction date, vendor, description, dollar amount, and offset account, if any. Keep in mind that this review cannot be delegated to staff who can perform all the key activities of a transaction, as it would defeat the effectiveness of this compensating control.
  2. Review Reports of Detail Transactions Initiated by the Person who Can Perform All the Key Activities of a Transaction –  A manager can periodically pull and review a report that identifies all the transactions created by staff who can perform all the key activities of a transaction. An adequate review would look at purchase dates, vendor name, description of transaction, ship to location, and the departments charged, to identify, investigate and correct improper transactions.
  3. Pull Sample of Transactions –  A manager can periodically pull and review the supporting documents for a sample selected from transactions charged to his/her department. An adequate review would address the same data as are covered under ‘Review Reports of Detail Transactions’.
  4. Take Periodic Asset Counts and Compare to Accounting Records – If a department purchases a significant amount of equipment or other tangible assets, it may be effective to conduct periodic counts and compare to inventory records to ensure equipment and supplies are on-hand.
  5. Prepare Budget Analysis and Cost Trends: Investigate Discrepancies –  A less effective compensating control is the preparation and/or review of budget and trend analysis of expenditures. While this does not provide the specific detailed review, it can be a way to identify problem areas where further detailed review needs to take place.

Assets are the economic resources the State owns that are expected to be of benefit in the future. Examples are cash, office supplies, merchandise, furniture, equipment, land, buildings and sensitive or confidential data. Protective measures must be taken to ensure that assets are maintained in a properly controlled and secured environment. The most important type of protective measure for safeguarding assets is the use of physical controls. If physical controls are not in place the following could occur:

  • Theft
  • Items may be lost or misplaced
  • Fraud may be committed using the unauthorized data
  • Unauthorized transactions or processing could occur if data is not adequately safeguarded

Best Practices:

  1. Lock doors to unoccupied offices, storage or other rooms and buildings;
  2. Cash should be stored preferably in a fire-proof safe;
  3. Restrict access to data and other assets to a limited number of individuals within the department;
  4. Ensure proper access controls are in place in systems: user IDs are unique and the system forces passwords to be changed frequently;
  5. Issue master keys only to persons with a legitimate need; and
  6. Perform periodic counting and comparison of actual assets with amounts shown in accounting records.

When a process is performed within a department, there should always be another level of review and approval performed by a knowledgeable individual independent of the process. The approval should be documented to verify that a review was performed. Review and approval are controls to help management gauge whether operational and personnel goals and objectives are being met. The lack of or inadequate review and approval could result in the following:

  • Errors may be overlooked, resulting in misstatements that could affect financial as well as operational decisions
  • Inaccurate or incomplete information in accounts and reports
  • The inability to detect irregularities and/or errors

Best Practices:

  1. A thorough review of processes, transactions, and reports should be performed for accuracy, completeness, and timeliness;
  2. The reviewer should be someone who is knowledgeable about the items or areas being performed such that they are able to identify errors or omissions;
  3. The reviewer should preferably be someone who has the authority, who is able to authorize, provide direction, and make decisions about the items under review;
  4. The reviewer should be someone who does not perform the process; and
  5. Evidence of the review and approval should be documented; signed and dated by the reviewer.

Timeliness means meeting the arranged deadlines. By failing to meet deadlines the following events could occur:

  • Inefficiencies
  • Legislative audit findings
  • Fines or penalties could be imposed
  • Operational processes could be negatively impacted

Timeliness is an area where all employees can analyze their work-flows and identify ways to work smarter and save time.

Best Practices:

  1. Obtain an understanding of all the required deadlines particularly those that are invariable such as regulatory due dates;
  2. Prioritize activities when critical deadlines are pending;
  3. Ensure adequate resources are available and staff are trained and able to complete the obligations;
  4. If deadlines cannot be met, notify the appropriate parties in advance and document and retain the communication.  Confirm a new date and meet the obligation.

Monitoring is the process that assesses the quality of internal control performance over time, by assessing the design and operation of controls (such as policies and procedures) on a timely and continuous basis and taking corrective action if necessary. Establishing and maintaining internal control is a responsibility of management. Management must monitor controls to determine whether they are operating as intended or whether the controls should be modified to produce the University’s desired outcome. Failure to monitor controls and processes could result in:

  • Inability to enforce employee accountability
  • Undetected errors or irregularities
  • Inability to assess the effectiveness and efficiency of operations, programs or projects
  • Violations of laws, regulations, and policies

Best Practices:

  1. Management should implement an ongoing monitoring activity into the normal recurring activities;
  2. Evaluate and review progress to identify inefficiencies, ineffectiveness, duplicative processes, and determine if adjustments should be made; and
  3. Make adjustments to improve results and to ensure desired outcomes.