All You Need to Know About Internal Audit at AUC
Sameh Abdel Fadil, AUC’s chief audit executive, is responsible for conducting all of the University’s internal audit processes. Fadil shared with News@AUC what auditing is and its significance at AUC.
From a general perspective, what is audit, and why is it important?
Basically, audit is providing assurance to our stakeholders, which are the management and Board of Trustees, that our control structure is effective enough to mitigate risks. Risk can be expressed, in simple terms, as whatever can prevent us from achieving our organizational objectives. In general, this is the primary reason for having an internal audit.
What do we audit at AUC?
We conduct different types of audit. We conduct operational audits, where we review strategies and procedures to determine whether we are implementing our processes in the most effective way, or if we need to make changes and updates to streamline these processes to achieve operational objectives. We conduct compliance audits to benchmark different offices and departments against the standards they should be following. The offices and departments themselves determine some of these standards, and sometimes, there are external entities that decide them –– such as accreditation bodies or federal and non-federal grant institutions –– which set rules that organizations need to follow. We report on discrepancies between the ways offices and departments are handling their activities and how they should be handling them. We conduct financial audits, where we review AUC’s financial performance to make sure we are applying the right accounting standards and financial practices. We also conduct IT audits, where we review the IT backbone of AUC. These are all the normal, regular audits that we do.
According to this year’s plan, we have a number of offices that will be audited, including the Social Research Center, Office of the Controller (grants accounting), Center for Sustainable Development, University Information System and Faculty Housing. We are also conducting follow-ups on audit reports that were issued last year, such as those for Campus Planning and Construction Services, Environmental Health and Safety, AUC Press, and Research Institute for a Sustainable Environment.
How do you decide what to audit each year?
At the beginning of each year, we prepare an annual audit plan. Within this plan, we try to feature the highest risk areas, from an audit perspective, through a risk assessment process. Up until last year, this process was manual, involving one-on-one interviews, but last May, we launched our new, web-based risk assessment. It’s more interactive, and we offer different offices and departments the opportunity to go into the online system and put in the risks they believe they are facing. Based on what we obtain from this system, we start building our annual audit plan.
The AUC internal audit has a dual reporting line, where we report to the president and the Audit Committee of the Board of Trustees, so both parties approve our audit plan before implementation. This reporting structure provides independence, objectivity and organizational stature for an internal audit function, which are necessary for it to effectively fulfill its obligations.
Do you conduct other types of audit?
In addition to the regular audits, we conduct special assignments. These assignments address many subjects, including irregularities that are identified by management or that come to our attention and require the audit to investigate what went wrong from a control perspective and determine how we can strengthen our control structure to correct this and prevent it in the future. So basically, we assess the situation and place some recommendations to make the processes more efficient and effective.
How do you work on these special assignments?
We allocate our office resources to the different assignments based on the available working hours each year. We use our limited resources to cover audits scheduled in our annual audit plan, special assignments from management and areas where we are asked to provide opinion regarding applied processes.
Are there broad, University-wide risks that you analyze or are they mostly office-specific?
Right now, we are focusing on office-specific risks, but we are always working with management on broader exposure or risks. There are the operational risks in offices or departments, and there are the organizational risks. The audience of organizational risks is management and the Board of the Trustees, and we bring to their attention the risks that we might be facing as a University. Based on what’s written in our books and the whole idea of internal audit, we do not manage the risks for senior management. Rather, we help in identifying and evaluating how management is handling these risks.
What are some of the challenges you face in conducting an internal audit?
With the economic changes currently taking place in Egypt and their reflection on our operations, we are facing an increased level of irregularities noted within the University. For instance, there were five special assignments reporting violations in the first quarter of this year, compared to five cases investigated throughout fiscal year 2016. This is pushing us to do a more intense evaluation of all our processes and functions.
We work with other departments and offices to strengthen their controls so nobody can exploit the system. For example, we had a recent case of fraud, which was discovered by a senior executive who gathered the necessary evidence, confronted the offender and took appropriate actions to reclaim University rights. The role of the University did not end here, but rather, we conducted a thorough review of all transactions performed by this offender, as well as a review of the related processes to ensure that enough controls are applied to avoid such cases from happening again. Another case was reported by one of our directors and is currently being investigated in association with the Office of Legal Affairs. The main reason we treat such investigations with great seriousness and take immediate, corrective action is to clearly communicate that our duty is to protect the numerous honest people from the offenders who try to abuse the system.
What is the most important aspect of the audit process that you want the AUC community to know?
I understand that most people don’t know a lot about audit. It often seems like a closed, black box. But what I want to emphasize to the AUC community is that we are here to help. If people find or detect inefficiencies in their processes, we will be there to try to close this gap and strengthen controls. Anyone seeking advice or assessments is always welcome. We are not reinventing the wheel; audit is something that is done everywhere. We are here to raise awareness of risk among the AUC community, how to manage this risk and how to achieve objectives.
What can be done to enhance the audit process at AUC?
Raise the AUC community’s awareness of the importance of risk (anything that would prevent us from achieving the University’s objectives) and how it can aid us in streamlining our processes to best serve our purpose. This knowledge represents the greatest factor that would make the internal audit function better and more proactive. If I am the head of a function and am able to identify my risks, then I can focus on building my controls structure that will enable me to achieve my objectives.
What are your plans for the future?
We would like to issue a regular report –– possibly on a quarterly basis –– about our internal audit updates to keep reminding the AUC community that we, as internal auditors, are closely examining the processes to constantly improve University operations. We would also like to foster our newly introduced, proactive auditing techniques, where we do not only perform our normal audit work and provide final reports to management, but are there from the beginning. We want to let our community know that if you have doubts about a process, please come to us. We are part of AUC; we are not policemen or people who point fingers. Please make use of our services because we are a tool that the University provides for your own benefit.