Audit and Management Services

FAQ — Audit

Why is the audit function of Audit and Compliance Services called Audit and Management Services, or simply Internal Audit?

We have selected Audit and Management Services as the name of our Internal Audit division because we provide services in addition to standard internal audits, which we refer to as “management services.” Audit and Management Services supports VCU and VCUHS with the following types of additional services:

  • Investigations
  • Management requests
  • Systems development reviews
  • Special reviews/projects

What’s the difference between Audit (internal) and our external auditors?
External auditors perform annual audits for the purpose of expressing an opinion as to whether the financial statements of the university or health system fairly present their financial position and performance and whether the financial statements conform to Generally Accepted Accounting Principles (GAAP). External auditors audit the financial statements of many clients. For example, the Auditor of Public Accounts is a Virginia state agency whose responsibility is to audit all state agencies, including public universities. The health system uses independent certified public accounting (CPA) firms to conduct its external audit.

Internal Audit is a part of the organization it audits, but remains independent of operations and management. Internal Audit’s focus is to determine whether the organization’s procedures and internal controls are sufficient for the achievement of management’s business objectives. Internal auditors perform different kinds of audits, not just financial, and may also perform special projects, investigations or management requests.

To whom does Audit and Management Services report?
Audit and Management Services reports directly to the Audit, Integrity, and Compliance Committee of the Board of Visitors for the university and to the Audit and Compliance Committee of the Board of Directors for the health system. Both university and health system management and both boards have approved the role of the Audit and Compliance Services through the department’s charter.

What is the authority of the Audit and Management Services?
Audit and Management Services has the authority to recommend improvements and to monitor the implementation of its recommendations. In accordance with its board-approved charter, it has free, unlimited and unrestricted access to all books, records, files, data, property and personnel of the university and health system including the schools, service and resource centers and institutes, central administrative departments, auxiliary enterprises, subsidiaries, MCV Physicians, and the hospitals and clinics of the health system.

Who is responsible for internal controls?
Management is responsible for establishing, maintaining and promoting effective business practices and effective internal controls. However, virtually all employees play some role in effective controls. Systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.

A properly functioning system of controls improves the efficiency and effectiveness of operations, contributes to safeguarding university and health system assets, and identifies and discourages irregularities, such as questionable or illegal payments and practices, conflict of interest activities and even significant errors.

Are internal controls foolproof?
No system of internal controls is completely foolproof, nor is the point-in-time verification of those controls that an internal audit provides. A foolproof system of internal controls would be cost prohibitive and make business processes unreasonably cumbersome. Internal controls are designed to provide reasonable assurance regarding the achievement of objectives and the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. Even well-designed controls are susceptible to collusion, the failure of employees to follow these control processes, and the failure of supervisors to enforce or monitor the controls.

How are audits selected?
Audits are generally selected through an annual risk assessment process. Our risk assessment includes factors such as:

  • Size and complexity of operation
  • Change in business environment
  • Time elapsed since last audit

An annual audit work plan is developed, based on this risk assessment and consultation with management and the Audit and Compliance Committee of each board. The work plan defines the areas to be audited.


Can I request an audit?
Yes! We will consider all requests from management; however, our ability to accept the project is dependent upon the risk/urgency of the request as compared to currently scheduled audits, staffing levels/workload and other potential factors. If we cannot fulfill your request, it will likely be added to a listing of projects under consideration for next fiscal year’s work plan.

What should I expect when I’m being audited?
First and foremost you can expect courtesy and professionalism in all of your interactions with Audit and Management Services. We will notify the head of the unit being audited that the audit has been included on the annual work plan and will coordinate to schedule the timing of the audit. You can expect regular communications throughout the audit to keep you informed regarding the project’s overall progress, barriers or delays, potential issues identified and open items. The audit will be executed in a spirit of partnership. We will make an objective assessment of your operations and share ideas for best practices. Finally, we will provide a report that includes recommendations for improving internal controls, processes and procedures, performance and risk management.

What happens when Audit and Management Services identifies a deficiency or non-compliance?
We will fully explore the issue and will typically develop an audit finding for inclusion in the audit report. All issues will be fully vetted with the unit’s management and we coordinate with the appropriate personnel to develop a recommendation best suited for the unit’s individual needs.

Who receives the audit report?
All audit reports are addressed to the most senior executive management of the entity audited. Addressees may include VCU’s president and the chief executive officer of the health system. Audit reports are also issued to the appropriate university cabinet members, chief executive officer and chief operating officer of the health system, and the president and executive director of MCV Physicians. Copies are also provided to management of the department or function audited (e.g., deans, department chair, director, department administrator). The Audit and Compliance Committees of the respective boards are also provided with summaries of the outcomes of completed audits. Our external auditors periodically request copies of internal audit reports to assist them with the annual financial statement audit.

What should I do if I become aware of or suspect illegal or questionable activities?
You are encouraged to raise questions and concerns, particularly if you suspect violations of policies or legal requirements. Audit and Compliance Services provides multiple vehicles for confidentially reporting such issues. For more information, click here.

View graphic versionView graphic versionView graphic version