Virginia Tech

Frequently Asked Questions

Annually, OARC conducts a university-wide risk assessment. The assessment includes an analysis of auditable entities and their inherent level of risk, and incorporates input provided by senior management. Risk factors considered in the analysis may include financial, compliance, public relations, physical security, health and safety, and other factors. These factors drive the frequency and intensity of audit activity in the annual audit plan, which is presented to the Compliance, Audit, and Risk Committee of the Board of Visitors for their approval.

Routine documentation requests will include, but not be limited to:

  • Mission Statement
  • Current organization chart
  • Most current annual report
  • Measurables/matrices/score cards
  • Internally documented procedures
  • Details on number and nature of laboratories
  • Listing of IT resources
  • Listing of service centers
  • Listing of funds handling locations

Additional background information that the client thinks will assist us in gaining knowledge of established controls, including any recent reviews or consultant reports, is also routinely requested.

Audit projects typically last for two to three months for areas of primary focus; however, ancillary participation may include involvement lasting for only one or two weeks. The team assigned to your area will give you a reasonable estimate of the time they need to complete the audit, after the planning phase is finished.

Like any special project, an audit affects the department's routine to some extent.  We make every effort to minimize this disruption and cooperate with you to ensure a smooth process.

What is the audit process? Click here to review.

Our rating system has four tiers.  Professional judgement is used in selecting the appropriate tier based on the varying degrees of deficiency or significance. Definitions and sample wordings for each assessment option follow:

1. Effective
The audit identified opportunities for improvement in the internal control structure but business risks are adequately controlled in most cases.

2. Improvements are Recommended (Adequate)
The audit identified occasional or isolated business risks that were not adequately or consistently controlled.

3. Significant or Immediate Improvements Are Needed
The audit identified several control weaknesses that have caused, or are likely to cause, material errors, omissions, or irregularities to go undetected. The weaknesses are of such magnitude that senior management should undertake immediate corrective actions to mitigate the associated business risk and possible damages to the organization.

4. Unreliable
The audit identified numerous significant business risks for which management has not designed or consistently applied controls prior to the audit. Persistent and pervasive control weaknesses have caused or could cause significant errors, omissions, or irregularities to go undetected. The weaknesses are of such magnitude that senior management must undertake immediate corrective actions to bring the situation under control and avoid additional damages to the organization.

OARC has unrestricted access to all university records, reports, activities, property, and personnel that they deem necessary to discharge their responsibilities. OARC will exercise discretion in the review of records to assure the necessary confidentiality of matters that come to its attention. Please refer to Policy 3350 for granted authority.

Risk-based Audits

The objective of these audits is to contribute to the improvement of risk management and the control systems within the university by identifying and evaluating exposures to business risks and the controls designed by management to reduce those risks.  OARC performs risk-based audits of all university operations and activities to appraise:

  • The reliability, integrity, and timeliness of significant financial, managerial, and operating information and the adequacy of the internal controls employed over the compilation and reporting of such information.
  • Compliance with policies, procedures, standards, laws, and regulations.
  • Measures taken to safeguard assets, including tests of existence and ownership.
  • The adequacy, propriety, and cost-effectiveness of accounting, financial, and other controls throughout the university, as well as compliance therewith.
  • Whether university resources are being managed in an economical, efficient, and effective manner.

Policy Compliance Reviews

Policy Compliance Reviews provide senior management with a clear picture of university-wide business practices and compliance with key university fiscal and administrative policies. Each senior management area is scheduled to receive a policy compliance review at least once during every five-year cycle. The ultimate objective of the reviews is to contribute to the improvement of risk management and the control systems by evaluating compliance with certain university policies and procedures.


Advisory Services

OARC performs advisory service reviews at the request of management. Advisory service activities, the nature and scope of which are agreed with the client, are intended to add value and improve the university's governance, risk management, and control processes without the internal auditor assuming management responsibility.


Fraud, Waste, and Abuse Investigations

All allegations of fraud, waste, and abuse are treated seriously and reviewed to the extent allowed by the quality of the information provided and evidence available. Navigate to the Hokie Hotline page to see all your options for reporting a concern.


The purpose of the Enterprise Risk Management (ERM) program is to strengthen the university’s ability to achieve its mission and strategic objectives by effectively managing key risks and seizing opportunities related to the achievement of strategic objectives. 

The ERM program is a collaborative effort between the ERM Committee, Risk Advisory Committee and the Office of Audit, Risk, and Compliance.

The charge of the compliance function within OARC is to be a resource and serve as a catalyst for the achievement of university best practices in compliance-related subject matter areas. While OARC does not own any discrete compliance subject matter area, it will assist in promoting a culture of compliance and ethical behavior by:

  • Developing a compliance matrix of applicable regulations and authoritative guidance with responsible parties
  • Implementing the compliance risk assessment process as a component of the ERM program
  • Facilitating the university compliance and ethics hotline
  • Assisting the compliance committees in their various duties
  • Providing assistance in responding to external reviews and investigations