Internal Controls

Explore resources on record retention requirements, the audit process, risk assessments, and self-assessment guidelines.

Strengthening Internal Controls for UM Operations

Understanding and maintaining strong internal controls is essential for safeguarding university resources and ensuring compliance with institutional policies.

  • This page provides key information and tools to help you manage risk, retain accurate records, and assess operational effectiveness.

These tools are designed to empower university members to maintain accountability and support the institution's mission.

Internal Controls Overseen by the Office of Internal Audit

Review helpful resources on maintaining record retention, conducting audits, assessing risks, and following self-assessment guidelines.

| Record Type | Minimum Retention (Full Fiscal Years) |
|---|---|
| Procurement Card (P-Card) Documents | 3 years |
| Request for Payment | 3 years* |
| Purchase Requisition / Bid File Documentation | 3 years* |
| Interdepartmental Charges (GL Documents) | 7 years |
| Payroll Timesheets | 7 years |
| Travel Authorizations | 3 years* |
| Travel Reimbursements | 3 years* |
| Cash Reports and Bursar Receipts | 3 years |
| Cash Receipt Books (i.e. pink copies) | 3 years |
| Vehicle Logs | 3 years |
| Account Reconciliations | 3 years |
| Accounts Receivable | 7 years |
| Search Committee Documentation | 3 years |
| Scholarship Records | 3 years** |

*For all scanned documents submitted to Procurement, the submitting department is responsible for storing the originals and presenting them upon request for a minimum of 7 years.

**Scholarship records should be kept for 3 years from the end of the award year for which the aid was awarded.

Note: Retention periods may be longer if related to a sponsored program, depending on the funding agency’s requirements. Funding agency requirements should be researched and determined prior to destroying any documents.

Although every audit is unique, the audit process is similar for most engagements. 

The information outlined below is intended to familiarize you with the audit process.

1. Selection

The audit of most areas (other than special requests) is based on the periodic Risk Assessment. This assessment includes input from management and staff in identifying risks.

Another factor that increases a department’s chances of being audited is not returning information requested by Internal Audit throughout the year (e.g., risk assessment questionnaires, revenue analysis information). If the information needed to rank an area’s risk is not received, we have no choice but to audit the area to get the information.

2. Planning

The auditor assigned to the audit will review any prior audits in your area and the information submitted by the department as well as research applicable policies and external laws or regulations.  This work will be performed in our office.

3. Notification

We will notify the department head of the upcoming audit and submit a request for information. We typically notify the department head at least two weeks in advance. The information request and questionnaire are typically due back to us within two weeks.

4. Entrance Conference

At the beginning of an audit, a formal meeting is held with the department head of the area being audited and the auditors.  In this meeting, we discuss the scope and objectives of the review (if known at this time) and give you the opportunity to share any concerns that you may have. For example, if you would like us to review a particular process or procedure in your unit, let us know at this meeting and we will try to include it in our audit. This meeting will typically be held in the department being audited.

5. Auditee Meetings

We will interview various departmental employees about their duties related to the areas being reviewed.  The purpose of these meetings is for us to learn your departmental processes and procedures.  These meetings will typically be held in the department being audited.

6. Audit Program

The lead auditor for the project will then prepare the audit program, which is a list of procedures that will be performed during the course of the audit. This work will be performed in our office.

7. Scope Meeting

For audits other than the Internal Control Assessments (ICAs), an additional scope meeting will be held with the department head in order to discuss the audit scope and to request specific documents.  This meeting is not held during the ICAs because the audit scope is pre-determined.

8. Fieldwork

The purpose of fieldwork is to complete the audit program testing steps to determine the adequacy of various internal controls. It is during these tests that we will determine whether the controls identified during departmental interviews are operating as described. Some of this work will be performed in our office and some in the department under review.

9. Audit Findings

An audit finding is defined as an area of potential control weakness, risk associated with a policy violation, inadequate performance, financial misstatement, or other problematic issue identified during the audit.  It is not unusual for one or more deficiencies to be identified during the course of an audit. Most will be relatively minor issues that will require a slight adjustment to a process. The auditor will address each finding and provide a recommendation on how to correct the issue in the audit report. Internal Audit staff are always available to assist departments in any way.

10. Draft Audit Report

Once the fieldwork is completed, we will draft an audit report which will include findings and recommendations for improvement. This work will be performed in our office.  Management will have an opportunity to comment on the content and discuss any concerns during the Exit Conference. There will be a place in this report for departmental responses to be included in the final audit report.

11. Exit Conference

At the conclusion of the audit, a formal meeting is held with the department head to present the draft audit report and discuss the findings and recommendations in detail. The department head will have the opportunity to ask questions and voice concerns at this point. This meeting will typically be held in the department being audited.

12. Departmental Responses and Plans of Action

Once the department head receives the draft audit report, he/she will be required to provide a departmental response and plan of action for each finding. The purpose of an action plan is for management to specifically state how the issue will be resolved. Action plans are due within two weeks of the exit conference and will be included verbatim in the final audit report. Management will also be required to submit a target date by which the action plan will be implemented.

13. Distribution of Final Audit Report

The final report will be distributed to the department head of the area under review, his/her immediate supervisor, the division Vice Chancellor, the Vice Chancellor for Administration & Finance, the Chancellor, the Chief Audit Executive at the Mississippi Institutions of Higher Learning, and the Audit Committee.

14. Post Audit Evaluation

As part of our evaluation program, you will be requested to complete a post audit evaluation after the final report is distributed.  We greatly appreciate completion of the evaluation, as this feedback will help us to improve our audit procedures.

15. Audit Follow-up

Follow-up audits are performed to verify that recommendations/plans of action have been implemented for all findings. A follow-up audit will be performed at the end of the quarter in which an action plan is due. Therefore, depending on the target dates of the action plans, a follow-up audit can span several quarters.

Annual audit plans are based on a periodic Risk Assessment. This assessment includes input from management and staff in identifying risks.

Factors considered within the Risk Assessment include:

Quality of the Control Environment

  • Have administrative personnel changes occurred within the department?
  • Have major program modifications occurred?
  • Have departmental procedural problems been noted by the departmental chair/director?
  • How long since last audit?
  • Are monthly reconciliations performed on all departmental revenues and expenditures (compare documents to SAP postings)?

Business Exposure

  • How many programs/areas are encompassed within the department?
  • What is the amount of the total departmental budget?
  • What is the amount of total department revenue?
  • How many full-time employees (FTE) for all programs/areas?

Public & Political Sensitivity

  • How sensitive is the department to bad media publicity?
  • How much effect could politics have on meeting departmental goals?

Compliance Requirements

  • Is the department governed by external regulations other than state law?
  • Does the department have external audits?

Degree of Reliance on Information Technology/Reporting

  • Are computer systems other than SAP operated within the department?
  • Does the department have any external reporting requirements?
  • Have procedures been established to back up data files, including the identification of all critical data files and programs on workstations and servers?

Management Concerns

  • Does management have any specific concerns regarding meeting departmental goals, fraud, departmental confidentiality, current operating procedures, etc.?

Self-assessment is a valuable tool to help identify internal control deficiencies. This tool will assist in departmental management, as well as audit preparation.
  • The self-assessment consists of a series of “yes” or “no” questions. “Yes” indicates adequate controls in an area, while “no” indicates control deficiencies.
  • Additional control related information is provided below each question to aid in resolving control deficiencies. Links to relevant policies are also included for each section.

> Download the Self-Assessment form

For questions not addressed in the self-assessment, please feel free to contact us at 662-915-7017 or auditing@olemiss.edu.