Virginia Tech®home

Common Audit Topics

Risk-Based Assurance

While a risk-based engagement can go in many different directions, below is a list of areas that often fall within our engagements and some possible questions to consider:

How does the unit administer both its revenue and expense contracts?

How does the unit ensure it is charge contract pricing on expense contracts?

How does the unit ensure it is receiving the appropriate amount of revenue sharing?

How does the unit ensure that commonwealth and university contract guidelines are met?

Are cost sharing requirements being tracked accurately in the Office of Sponsored Programs database?

Are controls adequate to ensure that multiple cost share isn't occuring on the same funding?

Is cost sharing requirements being monitored and met?

Are cost transfers accurate and complete?

Are cost transfers adequately supported and justified?

Are cost transfers completed timely?

Are end of project/grant transfers adequately supported and reviewed?

Are department scholarships being fully utilized?

How are donor restrictions being considered and adheared to in the awarding process?

Are awarding processes appropriately controlled?

Are awarding processes free from conflicts of interests?

Do controls include appropriate accounting for and monitoring of total effort?

Are wage charges both allowable and reasonable?  Are they appropriately allocated?

Were the reports submitted timely?

Does the person certifying the PAR have first-hand knowledge of the employee’s effort?

Have service center rates been reviewed and approved?

Are service center rates being used and billed?

Are service center accounts receivable tracking being adequately controlled?

Does the service center have adequate separation of duties between invoicing, receiving, and depositing?

Are invoices being generated timely?

How does the unit comply with the Minimum Security Standards?

How does the unit administer and monitor security across its environment?

How does the unit ensure end points and servers are adequately secure, up-to-date, and/or patched?

How does the unit comply with logging standards?


Policy Compliance Reviews

Designed to give a high-level overview of the area's compliance with foundational university policies, Policy Compliance Reviews could ask the following questions: 

Do departmental procedures ensure a monthly reconciliation is completed, is comprehensive, and timely?

Is the supporting documentation comprehensive and adequate?

Is the review effective and timely?

Are records maintained in accordance with guidelines?

Are record maintenance requirements clearly established and the responsibility communicated?

What processes exist to monitor time keeping/entry?

Are hours worked appropriately documented, approved, and correctly entered?

Does the reconciliation ensure someone other than the enterer review the report?

Do P14s follow established requirements?

Are offer letters and signatures maintained?

Are P14s utilized appropriately (i.e. not utilized to avoid other more appropriate hiring protocols)?

Are leave reports submitted and reviewed timely?

Are leave guidelines understood and followed?

Is overtime accurately recorded and approved?

Is overtime accurately calculated?

Are purchases allowed under university guidance?

Is cardholder security appropriate?

Is electronic processes being followed (i.e. ChromeRiver)?

Is the fund handling plan approved by the Bursar?

Is the approved plan being followed?

Are duties between Cashier, Depositor, and Reconciler adequately separated?

Are funds safeguarded appropriately?

Are fund being deposited timely?

Are custodians appropriately assigned to each asset?

Are custodians current?

Are home use forms utilized appropriately?

Is required training complete?

Is the Emergency Action Plan on file?

Is the Emergency Action Plan complete and up to date?

Does the department head have a general awareness of the potential conflicts of interest and commitment in the areas?

Have employees been reminded of the requirements to see permission prior to starting outside employment or consulting?

Are management action plans adequately monitored?

Is required FERPA training completed?

Are academic records adequately protected?

How is release of information verified for allowability prior to publishing?

How are information technology resources secured?

How does the unity apply security patches and anti-virus software?

What personally identifying information is housed?  Does the unit know where it is?  Is it appropriately secured?

Is the unit aware of the Minimum Security Standards?  If so, what efforts are made to ensure compliance?