Internal Audit Function
Please send questions, comments, or requests for assistance to FSandSingleAudit@nysed.gov, or call 518-473-4516.
1. Who must establish and maintain an internal audit function?
Every BOCES and school district must establish and maintain an internal audit function, except for those school districts with fewer than eight teachers, less than $5 million in general fund expenditures in the previous school year, or fewer than 300 ( ) enrolled students in the previous year. Any district claiming the exemption must annually certify to the Commissioner that the district meets the requirements of the law.
A school district or BOCES with a pre-existing internal audit function that meets or exceeds the requirements of the new law and regulations is not required to replace or modify that function. However, any of the “big four” dependent school districts outside of New York City that has such a function by special or local law must annually certify to the Commissioner that its existing internal audit function meets or exceeds the requirements of the law.
2. When must the internal audit function be implemented?
The internal audit function must be established by board resolution by July 1, 2006 with an operational date of December 31, 2006.
3. What is the primary responsibility of the internal audit function?
The internal audit function’s primary responsibility is to assist the board in ensuring that the district’s risks are identified and that appropriate internal controls are in place to address those risks.
4. What are the specific responsibilities of the internal audit function?
The internal audit function must include, at a minimum:
(1) Development of a risk assessment of district operations including, but not limited to, a review of school district financial policies, procedures and practices, and the testing and evaluation of district internal controls;
(2) An annual review and update of such risk assessment;
(3) Periodic testing and evaluation of one or more areas of the district’s operations; and
(4) Preparation of reports, at least annually or more frequently as the trustees or board may direct, which analyze significant risk assessment findings, recommend changes for strengthening controls and reducing identified risks, and specify timeframes for implementation of those recommendations.
5. While the primary and specific responsibilities are spelled out, is the internal audit function a one size fits all?
No. BOCES and districts must consider their size and particular circumstances in establishing an internal audit function. A smaller district may hire an independent contractor to conduct the risk assessment and annual testing of controls whereas it may be more appropriate for a larger district to hire permanent staff for its internal audit function. The number of areas reviewed and reports issued should be a function of risk, control weakness, size, complexity of operations, etc. In general, BOCES and districts should conduct a comprehensive risk assessment and then develop a plan to address the high-risk areas.
6. Is there a specific format to follow in conducting a risk assessment?
No. There is no one best agreed upon method to conduct a risk assessment. Some districts may use a questionnaire checklist to identify possible high-risk areas and follow-up on key exceptions noted. Their checklists can be the ones provided by the State Education Department (SED), the Office of the State Comptroller (OSC) (see the list of resources at the end of this document) or the district’s certified public accountant (CPA). Other districts may utilize a comprehensive process starting with identifying the universe of potential audit areas, reviewing goals and objectives, assessing the risk and likelihood of not achieving the goals and objectives, assessing the adequacy of controls to address the risks, etc. OSC, the federal government, the Institute of Internal Auditors, the Committee on Sponsoring Organizations (COSO) and others provide information on risk assessment. (See the list of resources at the end of this document.)
7. As part of the risk assessment, is it necessary to “test the controls” to ensure they are working as intended?
Although the statute requires the internal auditor to test and evaluate internal controls as part of the risk assessment, it is generally up to the auditor to use professional judgment to determine the nature and extent of this testing. An auditor should complete some preliminary testing of the controls at this stage and not merely rely on a “yes” answer provided by management. However, the determination of whether controls are working, as intended, would be made based upon more thorough testing of selected controls based upon the outcome of that risk assessment process.
8. Once the risk assessment is completed, can a district or BOCES utilize a multi-year plan to audit selected areas in more detail?
Yes. The number of areas reviewed and the time frame to complete those reviews is a factor of a variety of issues including staffing, number of high-risk areas, etc.; however, annual testing and evaluation of one or more areas are required. It is recommended that the district or BOCES develop a written plan to prioritize and address high-risk areas.
9. What are some of the areas that might be selected for audit?
The areas may include payroll and personnel, cash receipts and revenue, accounts payable, and cash disbursements, travel and conference, extra-classroom activity funds, etc.
10. Does the internal auditor need to be an employee of the district or BOCES?
No. The Board may fulfill this requirement using an employee of the district or BOCES provided certain conditions are met and the individual does not have any responsibilities related to business operations in the district or BOCES. The board may also use an intermunicipal cooperative agreement, shared services, or one or more independent contractors. Regardless of the option used to fulfill this function, the board must ensure that the individual and firm is independent of district or BOCES business operations and meet professional auditing standards.
11. Who can be appointed the internal auditor?
It is the school district or BOCES board’s responsibility to appoint an individual or firm with the necessary knowledge and skills to effectively conduct a risk assessment and internal audit of the district or BOCES, in accordance with professional auditing standards. If the district hires an outside firm to provide this, or any service, it should select the firm through a request for proposals (RFP) process, similar to that used to hire the external auditor.
12. What kind of qualifications does the internal auditor need to have?
Before a board hires an internal auditor, it should ensure that the individual or firm they are considering hiring has experience conducting audits in accordance with professional auditing standards. The Board should also ensure the individual or firm has or can obtain experience with school district financial operations; pertinent laws, rules and regulations; purchasing and investment policies; accounting systems and procedures; and other areas that are deemed necessary. The board needs to ensure that the internal auditors receive training that will assist them in meeting these criteria. Any individual conducting internal audits, reviews, or risk assessments should follow professional standards established by either the Government Accountability Office or the Institute of Internal Auditors. It is important that the internal auditor:
(1) Be independent of district business operations;
(2) Have the requisite knowledge and skills to complete the work; and
(3) Meet the other general standards, fieldwork standards, and reporting standards for audits, or the other attributes and performance standards for audits, as appropriate.
Adhering to the standards will help ensure the integrity of the auditor’s work and district operations.
13. What are specific professional auditing standards for independence?
Specific professional auditing standards for independence are noted below. Internet links to these sources are listed in the answer to question 19 and in the list of references at the end of this guidance document.
Government Accountability Office – Government Auditing Standards
- The Government Auditing Standards (January 2007 revision) under Chapter 3 General Standards have a general standard for Independence section 3.02 through 3.30
Institute of Internal Auditors
- The International Standards for the Professional Practice of Internal Auditing - Attribute Standard 1100 Independence and Objectivity , 1110 Organizational Independence, 1120 Individual Objectivity, 1130 Impairments to Independence or Objectivity
- The Institute of Internal Auditors Practice Advisories – 1100-1, 1110-1, 1110-2
14. What if I am having trouble finding an
internal auditor in my area?
First, you should check to see if your BOCES can
provide assistance. For example, the BOCES may
have an approved cooperative service agreement
(CoSer) to coordinate the internal audit function.
Second, you could check with other districts to
see if they are interested in joining to request
proposals from individuals and firms who want to
provide internal auditing services.
15. Should any special precautions
be taken in regard to an internal auditor’s accessto
highly confidential information?
Internal auditors typically require complete access
to highly confidential information such as personnel
data and care must be taken to secure all confidential
data. Boards need to ensure the internal auditors
understand their responsibilities related to confidential
information and ensure those responsibilities are
met.
16. Is there a requirement that the internal auditor be a certified public accountant (CPA) or a certified internal auditor (CIA)?
No. There is no requirement that the internal auditor maintain any professional certifications such as a CPA or CIA.
17. Are there restrictions as to who can perform the internal audit function?
Yes. Internal auditors must meet professional auditing standards including those for independence. The individual appointed as the internal auditor must be independent and have no other responsibilities related to business operations of the district or BOCES, and cannot be a close or an immediate family member of an employee, officer, or contractor providing significant or material services to the district or BOCES. In addition, an individual or consultant hired for the internal audit function may neither have a significant or material interest in any other contracts with the district or BOCES, nor be a close or an immediate family member of anyone who has responsibilities related to the business operations of the district or BOCES, or has significant or material interest in any other contracts with the district or BOCES. These requirements can help ensure the independence standard is met.
18. Who is responsible for determining that the internal auditor meets the requirements for independence?
Both the internal auditor and the board are responsible for ensuring that the internal auditor, whether an employee or contractor, meets the requirements for independence.
19. Is there additional guidance available on the meaning of independence and significant and material interest?
Yes. The State Education Department and the Office
of the State Comptroller are available to provide
guidance to districts and BOCES. In addition, the
Government Accountability Office (GAO) has issued
a publication “Government Auditing Standards Answers
to Independence Standard Questions” to provide
guidance on the independence standard. It is available
at www.gao.gov
.
20. What is the definition of a close or an immediate family member?
A close family member is defined as a parent, sibling, or non-dependent child. An immediate family member is defined as a spouse, spouse equivalent, or dependent (whether or not related).
21. Are there any exceptions to the requirement that the internal auditor may not have an interest in a contract with the district or BOCES or provide goods and services to the district or BOCES?
Yes. If a consultant provided contractual services and other goods and services that are not considered significant or material, the board could appoint the consultant as the internal auditor. The materiality and significance of any services/goods provided should be based on both qualitative and quantitative judgments. GAO (the Government Accountability Office) suggests that lower limits of materiality/significance may need to be set for public sector audits because of public accountability requirements and the visibility and sensitivity of government programs.
Consideration must be given to the dollar value of goods and services provided. The greater the dollar value, the more likely the goods and services may be significant and material.
There are certain services that would always be considered significant and material such as implementing the accounting system, posting transactions, conducting the annual audit of the financial statements, and making management decisions. Such services would preclude the consultant from providing the internal audit service. In all cases, the board needs to carefully consider whether the appointment could lead reasonable third parties with knowledge of the relevant facts and circumstances to conclude that the internal auditor is not able to maintain independence in completing internal audits.
22. Can a BOCES employee be appointed as the internal auditor for a school district?
Yes, provided the BOCES and the employee meet the auditing standards, including independence, and the guidance provided in this document.
23. What is the difference between a district using a district employee to conduct an internal audit, rather than a BOCES employee or the district’s independent auditor?
There is one major difference. The district’s employee does not work for an entity that may provide significant and material services to the district.
24. Can a BOCES coordinate the services for the internal auditor and develop a list of qualified auditors that a district could use to hire an internal auditor?
Yes. A BOCES could coordinate this service provided that the BOCES obtains an approved cooperative service agreement (CoSer) for this service. The CoSer would be aidable. There is not aid for providing the internal audit function.
25. If a BOCES and a district use a cooperative service agreement (CoSer) or an intermunicipal cooperative agreement for the internal audit function, are there any restrictions as to who should hire and pay the employee?
Yes. BOCES and districts should be careful to
avoid any appearance of conflict of interest.
For example, if a BOCES that participates in the
CoSer or intermunicipal cooperative agreement also
provides material or significant services to school
districts, it is not appropriate for the BOCES
to hire and pay the internal auditor for those
school districts since the individual would be
required to audit goods and services provided by
the BOCES. Because the employee has a fiduciary
responsibility to his or her employer (the BOCES),
there is a concern that the employee may not be
perceived as being objective in completing internal
audits related to the provision of services by
the BOCES.
26. Can the claims auditor or the external
independent auditor be appointed the internal auditor?
Because of concerns about lack of independence, neither the claims auditor nor the external auditor should be appointed the internal auditor. If such an appointment were permitted, the claims auditor or external auditor could be called on to audit his or her own work.
27. Does the internal auditor need to be a resident of the district?
No. The law does not require that the internal auditor be a resident of the district.
28. What is the difference between the internal auditor and the claims auditor?
The internal auditor is responsible for assessing risk and evaluating the effectiveness of controls. The legislation requires the internal auditor to conduct a risk assessment and periodic testing and evaluation of one or more areas of internal control. The claims auditor is responsible for ensuring that only legitimate claims against the district and BOCES are paid. A claims auditor approves vouchers or invoices prior to payment by the district or BOCES treasurer to ensure proper documentation is attached, the payment is for a proper school district purpose, and the purchase was properly authorized.
29. What professional auditing standards must be followed by the internal auditor in completing the risk assessment and internal audits?
The internal auditor must follow either the Government Auditing Standard issued by the Comptroller General of the United States or the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors.
30. What are some examples of the standards that must be adhered to?
It is not possible to list the standards in their
entirety, but the standards address areas such
as independence, professional judgment, competence,
quality control and assurance, auditor communication,
planning, supervision, evidence, and others. The
standards are available at www.gao.gov and www.theiia.org.
31. What happens if an internal auditor does not follow the auditing standards?
The internal auditor would not be permitted to state the audit was conducted in accordance with professional auditing standards and the district or BOCES would not be in compliance with the Regulations of the Commissioner of Education.
32. Who does the internal auditor report to?
The internal auditor should report directly to the board on the results of internal audit work and to the board, the board clerk or the superintendent as determined by the board, on administrative issues such as workspace.
33. How does the internal auditor relate to the audit committee?
The audit committee is required by law to:
- Make recommendations to the Board of Education regarding the appointment of the internal auditor.
- Assist in the oversight of the internal audit function (this would likely include reviewing the annual internal audit plan to ensure that high risk areas and key control activities are periodically evaluated and tested, and reviewing the results of internal audit activities).
- Review significant recommendations and findings of the internal auditor.
- Monitor implementation of the internal auditor’s recommendations by management.
- Participate in the evaluation of the performance of the internal audit function.
34. How frequently should the internal auditor report to the audit committee and the board?
The board, the audit committee and the internal auditor should agree upon the frequency of reporting. However, the internal auditor must report to the board at least annually and on an as needed basis to discuss potentially significant issues. The internal auditor must meet with the audit committee as frequently as necessary to allow proper oversight.
35. Does the internal auditor need to be bonded?
No. There is no requirement for such bonding.
36. Where can a school district find assistance in setting up a system of internal controls?
Many BOCES can provide assistance to districts to help them set up new or strengthen existing systems of internal controls. Examples of this are helping districts to understand and assess different kinds of risks and considering different types of internal controls for different management functions (e.g., control environment, hiring, purchasing, fixed assets, security, accounting, records and files, fiscal planning and budget administration, etc.). It should be noted that a district’s management is responsible for the establishment of internal controls. For example, a school superintendent or business official could ask the BOCES to help strengthen existing internal controls or address any shortcomings identified by a district’s internal auditor. The BOCES must get prior approval from the Department for a cooperative service agreement (CoSer).
37. Can a BOCES provide training that teaches school district internal auditors the role and responsibilities of the internal audit function?
Yes. BOCES are an appropriate entity to provide training regarding the roles and responsibilities of the internal auditor as well as the requirements of the accountability regulations. Standards for internal auditors require continuing education and regulations require that internal auditors must be qualified. Many school districts would find it more cost-effective to have internal auditors from several districts trained as part of a larger group by the BOCES rather than individually. The BOCES could also offer training to individual internal auditors. The BOCES must get prior approval from the Department for a cooperative service agreement (CoSer).
38. Can a BOCES employee serve as the internal auditor for a component school district when the BOCES provides significant and material services to that component school district?
No. The BOCES employee cannot be the internal auditor of any school district where the BOCES provides significant and material services to the school district. For example, a district that receives central business office services or computer services for the district’s management is receiving significant and material services from the BOCES. For example, a district that is only subscribed to the State Aid Planning Service (and receiving no assistance at the school site) would not be considered to be receiving significant and material services. As noted above the BOCES may provide training and help establish internal controls.
39. What are examples of material and significant relationships between BOCES and school districts that would prevent the BOCES from providing internal auditing services to a school district?
Examples of material and significant relationships include, but are not limited to:
- The relationship between a BOCES and its component school districts where a significant or material level of service is provided,
- BOCES provision of management services on-site to the district business office and
- BOCES that provide the following services
on a cross contract basis to districts other
than the BOCES’ own component districts:
- Regional information center computer services for management (Activity Code 7710), and
- Central Business Office (Activity Code 7017).
Consideration must be given to the nature and dollar value of goods and services provided. If the BOCES service is an integral part of the district’s financial operations, (e.g., accounting, information technology, payroll), then the nature of the relationship would be deemed significant, regardless of the dollar amount. The greater the dollar value, the more likely the goods and services will be material.
40. Is aid available in the event that BOCES provide internal auditing services to school districts?
This service is not eligible for BOCES Aid.