Library 2004 AUDIT PROGRAM COLLEGE LIBRARY
Audit Step A. ADMINISTRATIVE 1. Engagement Letter 2. Audit Program 3. Pre-Audit Memo 4. Cross-referenced Audit Report 5. Audit Report 6. Transmittal Letter 7. Client's Response B. PLANNING 1. Review any prior year workpapers 2. Obtain contact names and coordinate with appropriate personnel for interviews and schedules 3. Flowchart Operations 4. Prepare a memorandum of key points discussed during interviews and update audit program if necessary 5. Perform fiscal analysis of FAS accounts C. SUBSTANTIVE TESTING Areas of General Risk Policies and Procedures 1. Review copy of any departmental policies and procedures 2. Obtain a copy of the unit’s Disaster Recovery Plan for the continuation of service in the event of an interruption of normal operations? 3. Obtain a copy of the unit’s
file retention plan. 4. Obtain a selection of purchase orders from the invoiced file and a selection of prepay orders from the library bookkeeper; trace prepay to PO a. Check for completeness b. Check for bibliographer approval c. If documented, review for supervisory review of correctness d. trace to book purchase request e. trace to order ledger f. observe that the purchase order is not in the on-order/inprocess file to ensure it was processed correctly g. trace title and price to invoice h. On a scope basis, trace invoice to payment 5. Determine what procedures exist to identify and follow-up on outstanding purchase orders 6. Review order ledger for long outstanding orders Areas of Fiscal Risk Accuracy of Financial Records 1. Review FAS reconciliation process. Who is responsible for frequency, monitoring, completeness etc. 2. Review procedures for correcting errors or omissions in units' FAS reports. 3. Is FDS utilized? Has training been taken? 4. Review reconciliation
documentation for _______ period. Sponsored Programs 1. Determine and evaluate the method used to assure that direct costs charged to sponsored projects are in accordance with contract terms and conditions. 2. Determine if and how often a review of costs is performed on FAS. 3. Determine the process used to handle current fiscal year and prior fiscal year pay period changes (cost transfers). Capital Assets 1. Obtain latest "Inventory Summary Report" to see if unit has significant missing equipment. Inquire of status of equipment? 2. Inquire of inventory process utilized? Who is responsible? How do you address missing equipment? 3. Identify the authorization of offcampus lap-top usage? Foundation 1. Obtain listing of unit's Foundation accounts 2. Review method of gift solicitation utilized 3. Determine process and flow of information to Foundation 4. Determine process utilized to monitor how gifts are
expended in accordance with donor's intent 5. Determine who has copy of the donor restrictions for each account and how compliance is monitored 6. Determine who performs reconciliation process (how, frequency etc.) Travel 1. Test a sample of travel expenses from FAS for current and prior year for policy compliance Cash and Receivables 1. Review asset, liability and petty cash accounts for cash and receivables 2. Determine cash collection process and responsibility 3. Test a sample of cash remittance vouchers or bank deposit slips (if applicable) for timeliness of deposit 4. Evaluate and discuss compensating controls for cash management for employee protection 5. Evaluate security of cash and key access 6. Determine procedures used to report shortages, overages and theft. 7. Reconcile petty cash for current period and review reconciliation
sheets for the period tested. 8. Determine what bank accounts, if any, the unit maintains. (Include student organization accounts) 9. Determine if unit issues invoices or receives payment based on these invoices. If applicable, determine who is tasked with this responsibility. 10. Obtain copy of open receivables aging report and evaluate it for follow-up procedures. 11. Determine process used to control invoices (prenumbered, retention) 12. Determine segregation of duties in invoicing, receivables and reconciliation and any compensating controls that might be in place. Procurement 1. Test a sample of Accounts Payable transactions for policy compliance and existence 2. Test a sample of Petty Cash transactions for policy compliance and existence 3. Test a sample of procurement card transactions for policy compliance and existence 4. Review the vendor
selection methods used and determine that they ensure the best possible prices and services. Telecommunications 1. Secure and review a copy of the department's telecommunication bill for the months of__________ 2. Compare usage to the university average of $45 per month. 3. Evaluate process used to determine reasonableness of charges including cell phone usage Risk Management 1. Identify terminated employees for period__________ 2. Evaluate procedures for return of key, parking permits, library books and payment of outstanding parking and library fines Areas of Human Resource Risk Leave Reporting 1. Obtain and review a copy of the department's sick leave from HR evaluate in relation to university average usage of 80 hours per year identify those with no sick leave taken Off-campus Assignments 1. Obtain and review list
of all personnel on offcampus assignments within last 12 months 2. Review procedures for approving, tracking and controlling offcampus assignments. Sexual Harassment 1. Determine what the department has done to reduce the likelihood of faculty and staff being subjected to sexual harassment 2. Determine how employees were made aware of the University's sexual harassment policy Consultants vs. Employees 1. Determine how many independent contractors were hired last year and the process for monitoring and reporting requirements Compliance with Equal Employment Opportunity Act (EEO) 1. Review steps department takes to ensure that all employees are equally made aware of and allowed to participate in training that might enhance career progression Areas of Legal and Regulatory Risk Contracts 1. Determine who, if anyone, in department
is authorized to initiate agreements between WSU and outside organizations (Follow up any affirmative answers) Gifts 1. Determine process utilized to inform employees that they should not accept personal gifts from third parties that may conduct business with WSU Areas of Health and Safety Risk Safety of Workplace 1. Obtain, review and evaluate documentation from EHS related to training and safety inspection compliance Areas of Information System Risks 1. Identify any departmental servers and review the types of data the unit processes and stores on its servers. 2. Determine and evaluate the process used for unit employees to obtain access to information systems. 3. Obtain and review the unit's business continuity plan for computer system interruption. 4. Determine the process used to ensure that all web page developed
on unit computer systems comply with University policy. Information System Security 1. Determine and review adequacy of minimum password length required to access department servers. 2. Determine and review the adequacy of password change frequency. 3. Determine what systems require passwords. 4. Determine conditions by which employees share passwords. 5. Determine and review the frequency and type of departmental server access (audit) logs review. 6. Determine and review the process used to cancel access for employees upon termination or transfer. 7. Determine and evaluate policy and procedure for installing a new account. 8. Determine and evaluate procedure used to limit access to authorized users. 9. Determine and evaluate the practice used for timely installation of patches on operating systems and/or workstations.
10. Determine if department has management support of installation of appropriate security measures. 11. Determine and evaluate incident report procedures. Physical Security/Accountability 1. Determine and evaluate procedures used to protect system hardware, software, and data against unauthorized access and accidental or intentional destruction or alteration. 2. Determine how department employees obtain access to department information system Written authorization E-mail authorization Verbal authorization Other 3. Determine and evaluate security of departmental server. Data Stewardship 1. Determine what business, academic or research functions are supported by applications running on departmental servers. 2. Determine and evaluate adequacy and
storage of department server backups. 3. Determine and evaluate process used to back-up desktop computers. 4. Determine business continuity plan for operations within the department during periods of computer systems interruption. 5. Determine procedures used to assure no nonWSU employee has access to computer systems (vendors, contractors, retired/former employees) 6. Who is responsible for carrying out the system backup run and how often is the system backed up? Software Licensing 1. Determine and evaluate procedure used to ensure that all software on University computers is properly licensed and that employees adhere to software license restrictions. 2. Obtain an inventory list of purchased software. Determine if the list includes: Name Type License number 3. Determine and evaluate specific methods used to
ensure that employees adhere to software licensing restrictions pertaining to: Installation Use Copying Number of simultaneous users Terms of license Areas of Public Relations Risk Public Relations Management 1. Determine process used to inform faculty and staff about proper representation of WSU information to the media Association with External Organizations 1. Determine if any member of the department participate in the financial management of any external organization (professional society, student organization, etc.) If yes, review the fiscal internal controls that safeguard assets of the external organization. Areas of Risks Dealing with Students International Students 1. Review the process used by the department to reduce the risk of foreign students being noncompliant with
immigration laws. Sexual Harassment 1. Review procedures used to reduce the likelihood of the students being subjected to or involved in sexual harassment. 2. Determine how students are made aware of or informed of the University's sexual harassment policy. Information Privacy 1. Determine the methods used to safeguard student information from improper release Additional Items from Sample Programs Select a representative sample of billings generated during FY XX, and review for: proper amount charged, timeliness, correctly posted to accounts receivable records, authorization of adjustments/credits, timely 2nd/3rd notices, properly turned over to Accounting Department, and “holds” promptly placed on student accounts receivable with properly authorized clearances. Prepare an aging of AR outstanding Select a representative sample of outstanding AR to confirm Select a representative sample of student outstanding accounts receivable and verify
that a “hold” has been placed on them. Obtain XX billings invoices: a. Check for mathematical accuracy b. Check for completeness of form c. Inquire as to how the replacement cost is determined d. Trace to billing, if the book was not returned Examine XX overdue slips a. Review for completeness b. See how many times an overdue notice was sent Examine XX billing slips a. Review overdue slip for completeness b. Note the number of times an overdue notice was sent c. Recompute charges d. Trace to individual billing in Receivable Accounting Examine XX open invoices (AR) a. Mathematical accuracy b. Completeness c. Note date, if over 8 weeks old has another notice been sent d. Determine if procedures exist for noncollectible accounts Review the procedures for collection of fees for adequate controls and test as appropriate Determine and document if there is any sort of vendor
approval process. Are all vendors well-known in the library business? Is all library ordering a sole-source?