External auditors perform annual audits for the purpose of expressing an opinion as to whether the financial statements of the university or health system fairly present their financial position and performance and whether the financial statements conform to Generally Accepted Accounting Principles (GAAP). External auditors audit the financial statements of many clients. For example, the Auditor of Public Accounts is a Virginia state agency whose responsibility is to audit all state agencies, including public universities. The health system uses independent certified public accounting (CPA) firms to conduct its external audit.

Internal Audit is a part of the organization it audits but remains independent of operations and management. Internal Audit’s focus is to determine whether the organization’s procedures and internal controls are sufficient for the achievement of management’s business objectives. Internal auditors perform different kinds of audits, not just financial, and may also perform special projects, investigations or management requests.

Audit and Management Services reports directly to the Audit, Integrity, and Compliance Committee of the Board of Visitors for the university and to the Audit and Compliance Committee of the Board of Directors for the health system. Both university and health system management and both boards have approved the role of the Audit and Compliance Services through the department’s charter.

Audit and Management Services has the authority to recommend improvements and to monitor the implementation of its recommendations. In accordance with its board-approved charter, it has free, unlimited and unrestricted access to all books, records, files, data, property and personnel of the university and health system including the schools, service and resource centers and institutes, central administrative departments, auxiliary enterprises, subsidiaries, MCV Physicians, and the hospitals and clinics of the health system.

Management is responsible for establishing, maintaining and promoting effective business practices and effective internal controls. However, virtually all employees play some role in effective controls. Systems of internal control will vary from activity to activity depending upon the operating environment, including the size of the entity, its diversity of operations and the degree of centralization of financial and administrative management.

A properly functioning system of controls improves the efficiency and effectiveness of operations, contributes to safeguarding university and health system assets, and identifies and discourages irregularities, such as questionable or illegal payments and practices, conflict of interest activities and even significant errors. Reference the Maintenance of Adequate Controls Policy.

No system of internal controls is completely foolproof, nor is the point-in-time verification of those controls that an internal audit provides. A foolproof system of internal controls would be cost-prohibitive and make business processes unreasonably cumbersome. Internal controls are designed to provide reasonable assurance regarding the achievement of objectives and the effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations. Even well-designed controls are susceptible to collusion, the failure of employees to follow these control processes, and the failure of supervisors to enforce or monitor the controls.

Audits are generally selected through an annual risk assessment process. Our risk assessment includes factors such as:

• Size and complexity of operation
• Change in business environment
• Time elapsed since last audit

We develop an annual audit work plan, based on this risk assessment and consultation with management. The Audit and Compliance Committee of each board approves the work plan that defines the areas we will audit that fiscal year.

Yes! We will consider all requests from management; however, our ability to accept the project is dependent upon the risk/urgency of the request as compared to currently scheduled audits, staffing levels/workload and other potential factors. If we cannot fulfill your request, it will likely be added to a listing of projects under consideration for next fiscal year’s work plan.

First and foremost you can expect courtesy and professionalism in all of your interactions with Audit and Management Services. We will notify the head of the unit being audited that the audit has been included in the annual work plan and will coordinate to schedule the timing of the audit. You can expect regular communications throughout the audit to keep you informed regarding the project’s overall progress, barriers or delays, potential issues identified and open items. The audit will be executed in a spirit of partnership. We will make an objective assessment of your operations and share ideas for best practices. Finally, we will provide a report that includes recommendations for improving internal controls, processes and procedures, performance and risk management.

We will fully explore the issue and will typically develop an audit finding for inclusion in the audit report. All issues will be fully vetted with the unit’s management and we coordinate with the appropriate personnel to develop a recommendation best suited for the unit’s individual needs.

All audit reports are addressed to the most senior executive management of the entity audited. Addressees may include VCU’s president and the chief executive officer of the health system. Audit reports are also issued to the appropriate university cabinet members, the chief executive officer and chief operating officer of the health system, and the president and executive director of MCV Physicians. Copies are sent to the management of the department or function audited (e.g., deans, department chair, director, and department administrator). The Audit and Compliance Committees of the respective boards are also provided with the final audit reports. VCU’s and Health System's external auditors annually request copies of internal audit reports to assist them with the annual financial statement audit.

You are encouraged to raise questions and concerns, particularly if you suspect violations of policies or legal requirements. Audit and Compliance Services provides multiple vehicles for confidentially reporting such issues. For more information, click here.