Internal Audit | Montgomery College, Maryland

Mission

In accordance with College Policy 61005 - Internal Audit, the Internal Audit mission is to provide an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. The internal audit program is intended to assist the Leadership of the College, the Board of Trustees and its management in accomplishing its objectives by bringing a systematic, disciplined approach to improve the effectiveness and efficiency of risk management, control, and governance processes.

Guiding Principles

Teamwork

Cooperate and collaborate with the Montgomery College community
Focus on creating partnerships

Integrity

Act with honesty and openness, be fair, respectful, courteous and ethical
Work smart, work hard
Provide uncompromised work
Adhere to professional standards and institutional expectations

Communication

Be clear and concise
Listen
Promote two-way, free flow of ideas

Commitment to Quality

Strive for excellence
Work to continuously improve services

Initiative

Be creative
Seek out and pursue and share opportunities
Be a change agent

Trustworthiness

Maintain confidentiality
Be accountable for our actions and to each other
Follow through on commitments

Learning

Be open-minded
Engage in ongoing educational and professional advancement
Engage and strive for conscious improvement by learning from ourselves and colleague’s past actions
Be adaptable

Audit Charter

Mission

The internal Audit objective is to provide an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. The internal audit program is intended to assist the Leadership of the College, the Board of Trustees and its management in accomplishing its objectives by bringing a systematic, disciplined approach to improve the effectiveness and efficiency of risk management, control, and governance processes.

The Institute of Internal Auditors (IIA) outlined how first-, second- and third-line roles work together along with management to achieve governance and risk management. The framework conceptualizes a flexible, 360-degree feedback loop. Built on a new foundation of defensive and offensive risk management, the Three Lines Model is comprised of six core principles, summarized below.

Proper governance requires structures and processes with accountability, action, and assurance.
Governance roles need the right structures and processes to be effective.
Management’s responsibility spans first- and second-line roles.
First-line roles are more directly client-facing.
Second-line roles assist in managing risk.
Internal auditors, or third-line roles, provide independent and objective assurance on governance and risk management.
Internal audit must remain independent of management to ensure credibility and objectivity.
All roles need to work together to create and protect value.

This model is depicted within the environment of the College in this infographic (PDF, ) .

The Internal Audit department conducts various types of audits

Fiscal - to provide an assessment of controls over financial reporting.
Operational - to provide an assessment of processes, systems, operations and strategies to ensure adherence with internal controls, and to determine appropriate policy and procedures exist.
Compliance - to assess and evaluate the effectiveness of the compliance program and whether there are adequate controls that effectively prevent and/or detect violations of laws, regulations, and College policies.
Consulting engagements - to include reviews of existing business processes and strategies, as well as evaluation and advice on policies, procedures, process enhancements, and any management requests for reviews of areas considered mutually important.

The scope of the work for each engagement will evaluate risks as they relate to:

The operational effectiveness and efficiency of business processes
Reliability of information systems
Safeguarding of organization assets
Compliance with policies, law, contracts, and regulatory bodies

The Chief Compliance, Risk and Ethics Officer shall be accountable to the Board of Trustees of the College to:

Provide ongoing assessments of the College’s systems of internal controls, and their design adequacy and effectiveness in mitigating risks.
Identify and report significant issues in the College’s reporting processes that may have a negative impact on the College’s ability to achieve its strategic objectives, business process improvements, and to provide recommendations for resolutions of issues.
Provide assistance and oversight over other control and monitoring functions such as compliance and risk management.

Internal audit is authorized to:

Full, free, and unrestricted access to any and all of the College’s activities, records, systems, property/facilities, and personnel.
Free and unrestricted access to the Board.
Obtain the necessary assistance of personnel in departments of the College where they perform audits, as well as other services provided internally or externally to the College.
Allocate resources, set frequencies, select subjects, determine scopes of work, and apply internal audit techniques necessary for the completion of audit objectives.

Internal audit will remain free from interference by any element in the organization including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal audit will exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being reviewed. We will make a balanced assessment of all the relevant circumstances and will be free from bias and in forming judgments of others.

Internal Audit has the responsibility to:

Develop and execute a broad, comprehensive audit program that encompasses the College’s strategic objectives.
Develop flexible annual audit plans using risk based methodology, and submit those plans to the Board of Trustees for approval.
Establish policies for the auditing activity and directing its technical and administrative functions.
Examine the effectiveness of all levels of management in their stewardship of College resources in compliance with established plans, policies, and procedures, and sound management approaches.
Recommend improvement of management controls designed to safeguard College resources, promote achievement of College goals and objectives, and ensure compliance with governmental laws, regulations, and Board of Trustees policies.
Authorize the publication and distribution of reports on the results of audit examinations, including recommendations for improvement.
Appraise the adequacy of management corrective action acknowledging adequate corrective action, and continuing reviews with appropriate management personnel on inadequate corrective action until the matter has been satisfactorily resolved.
Conduct special reviews at the request of management.

Frequently Asked Questions (FAQ's)

What is the authority of the Internal Audit department?

In accordance with College Policy 61005, Internal Audit is authorized to direct a broad, comprehensive program of internal auditing within the College to include any phase of College activity that may be of service to management, a responsibility that involves going beyond the accounting and financial records, and policies and procedures. The Internal Auditor and designees are authorized full, free, and unrestricted access to all College activities, records, property, and personnel.

What is the difference between internal and external auditors?

The Internal auditor is an employee of Montgomery College. Internal Audit supports the Leadership of the College in the effective discharge of their responsibilities by performing audit activities and furnishing them with analyses and appraisals, recommendations and pertinent comments concerning the activities reviewed.

External auditors are non-employees of Montgomery College hired to provide an independent opinion on the College’s financial statements on an annual basis.

How are audits selected?

Audits are selected through a risk assessment process of the College’s operating units and control functions to identify areas of potential institutional risk. The order in which audits are selected is based on the results of the risk assessment. Audit requests may also come from units, functions, or departments.

How long does an audit typically take?

The length of time it takes to complete an audit varies significantly as each audit’s length will depend on the nature and scope of the review.

What does the basic audit process involve?

The basic audit process has five parts (PDF, ) :

Advanced Scoping: This is the preliminary planning phase and can be conducted well in advance of the planning and kickoff of any audit engagement. Auditors collect information to try to determine the profile of risks on an audit area, which includes limited interviews with the risk owners and informal discussions and reviews. Advance scoping is a useful precursor and can be very broad in view that helps feed into the information needed for the Planning phase.
Planning: During this phase we gather information to help us get a clear understanding of the area under review, establish the audit objectives and the scope of the engagement, and develop an audit program.
Fieldwork: This is the testing phase where the auditor will conduct audit steps such as sample transactions and test records. The auditor will also keep management apprised of observations as they are discovered and inquire of management how these issues will be addressed.
Reporting: At the conclusion of the audit, exit meetings will be held with management, and the results of the audit work will be presented in a draft audit report for discussion purposes. The draft report will include recommendations, and request management’s response to addressing the issues raised in the draft report. The final version of the audit report will incorporate management’s proposed corrective actions.
Ongoing Monitoring: Follow up is performed to determine the status of management’s corrective actions as outlined in the audit report.

What type of audits do we perform?

Financial
Compliance
Operational
Consulting services
Special reviews

What are the benefits of the audit?

The overall goal of the internal audit is to assess controls and compliance with policy and procedures, as well as regulations. We also provide suggestions and recommend “best practices” to improve the efficiency and effectiveness of procedures which can help you achieve your goals.

What is a department’s role during an internal audit?

Internal audit will need to meet with key personnel for planning and information gathering purposes as documentation may need to be provided. However, we will accommodate the time constraints of a department, unit or function and will work with personnel to ensure as little disruption to workflow as possible.

Who receives the audit report?

The audit report is addressed to the head of the department, unit or function being audited. Copies are provided to members of senior leadership of the College, the President and the Board of Trustees depending on the nature of the audit, or as deemed necessary.

What is the process for responding to audit or review findings, recommendations, or suggestions?

If your department received a report after an external agency or internal audit has conducted any type of review or site or monitoring visit, you must prepare management responses even if an external agency states that a corrective action plan is not required. All responses must be prepared by management of the audited department and sent to the Internal Auditor for review no later than 10 calendar days after the final report. You can read guidance on Responding to Audit Findings (PDF, ) or contact Goli Trump at goli.trump@montgomerycollege.edunew window for assistance.

Who is responsible for Internal Controls?

Management, under the leadership of the College, has ultimate responsibility for maintaining and promoting effective business practices to include the adequate design and operating effectiveness of the system of internal controls. However, every employee of the College plays a crucial role in effecting control.