What is Internal Auditing?

This is the function of professionals, often in a separate and independent departmental unit of the entity, who have an in-depth understanding of the business culture, systems, processes and procedures pertaining to the specific organization.  Audit activities can be financial or performance related and are conducted to assure that management's policies are followed and that there are adequate controls in place to mitigate the risk of non-compliance with established standards or regulations, fraud and ineffective administration and unit performance.

Why should an organization have internal auditing?

Internal auditors are expected to provide recommendations for improvement in those areas where opportunities or deficiencies are identified. While management is responsible for internal controls, the internal audit activity provides assurance to management and the audit committee that internal controls are effective and working as intended. The internal audit activity is led by the Director who delineates the scope of activities, authority, and independence of the report. Similarly, an effective internal audit activity can provide assurance to other stakeholders such as regulators, employees, financial partners, grant organizations and donors.

How do I know if I will be audited?

In general, an annual audit plan is developed by the Director for review by senior management and the Board of Trustees.  The annual plan will include activities that must be completed each year for external financial reasons and for government and academic association requirements.  Other activities are selected randomly and on a rotating basis based on an analysis of risk factors, a significant change in an operation, the time from the last audit review or as requested by administrative staff and leaders. The Director will communicate to the department if and when an audit is to be commenced and will arrange for meetings to discuss the audit scope and objectives with administrators and staff. 

How long will an audit take?

Generally, the audit process is completed within six months, and most often in a few weeks.  It is difficult to determine definitely since the time period depends upon the scope of the review and consideration of relevant systems, records and personnel access that may be involved.  When the audit report is complete, the department will have the opportunity to discuss any findings and offer management comments.

Can I ask Internal Audit for assistance when I am not being audited?

Definitely!  The purpose of internal controls and procedures is to mitigate risk. Developing and designing management controls into operations early is the most cost-effective and efficient use of resources.  Auditors do not wish to audit systems that are known to be dysfunctional; their role is to provide guidance and recommendations, not to just report on the obvious or known problems but to strengthen the ability of units to meet their operational and administrative goals.

What should I do if I suspect someone is involved in something illegal?

There are a few options.  You can report your concerns to your supervisor, the Director of Internal Audit or to the Department of Public Safety.  There are procedures on investigating reports which have been established with the Office of General Counsel to protect the privacy of reporting parties and to analyze any allegation. The most popular and easiest way to report suspected activities is using the Ethics Point Hot Line.  This service allows for privacy, and all complaints or concerns are funneled to the proper investigative channels.  Please refer to the Internal Audit website Home Page and the link found on the right-hand side labeled:

Other Resources - Whistleblower Policy UPP1-25 (PDF document) - EthicsPoint – Marquette University anonymous reporting hotline.

Note:  Any individual concerned with reprisals may report alleged financial misconduct anonymously and confidentially by contacting the fraud hotline at 1-800-445-7068 or at URL:

What are Internal Controls?

Internal control activities are the policies and procedures to ensure that management directives are carried out.  Controls include necessary actions taken to address risk for the achievement of the objectives and usually involve two elements: 1) a policy establishing what should be done and 2) procedures to effect the implementation of the policy.  Activities include:

How does Internal Audit maintain its independence and objectivity?

Internal Auditors are subject to ethical rules established by their professional associations and in accordance with the standards for professional practice developed by the Institute of Internal Auditors.  Auditors have specific training in their field, and professional credentials follow the individual auditor, not the organization. These individuals take their professional reputation and integrity seriously. Independence is also achieved because the auditing department is a separate departmental unit and seldom part of the same structure of the group being reviewed. 

When necessary, the Director has access to discuss concerns directly with senior management and the Audit Committee of the Board, and in turn, may be asked to provide information to them by-passing perceived bottlenecks or departmental politics.  Independence is essential to the effectiveness of the audit function. The Director has the ability to report issues and keep sources private so that important communication is not impeded within a single departmental reporting structure. 

The audit process itself also lends itself to fairness and objectivity.  There is an entrance conference with those who are knowledgeable about the operations and who authorize actions to provide valuable input with respect to the direction and audit review.  Fieldwork will be performed through testing and analysis, interviews and discussions with employees and staff. Outside research, when applicable, will also be considered.  Finally, an exit conference is scheduled with the audited administrators and/or managers where a draft report is reviewed and discussed.  Any misunderstandings or misinterpretation of facts can be addressed at this time before a formal audit report is issued.  The final report will include a formal response and comments from the audited unit to any recommendations or findings.

What is Enterprise Risk Management and what role in it does internal auditing play?

Enterprise Risk Management (ERM) is a process authorized and supported by an entity’s board, management or other personnel to consider a business strategy across the entire enterprise in order to identify potential events that may adversely affect the entity at large.   Identification leads to methods to manage business risks within a framework and within its risk tolerance to provide reasonable assurance that effective contingencies or remedies are in place for the entity to achieve its main objectives and fulfill its stated mission.   ERM is a recognition that an organization has many managers who address various risks pertaining to the entity’s success.  In today’s complex business environment, a silo approach to identification and mitigation may no longer be adequate to address the aggregate needs of the organization in order to mitigate systemic risk or reputation concerns. 

Types of ERM Risks which can be either strategic or tactical for the operation include:

Internal Auditors are one of the many risk managers within an organization whose job involves identification, analysis and evaluation of business risk for Senior Management.  Internal Auditors have been instrumental in defining the Enterprise Risk Management process through domestic and international associations in a number of “COSO” reports.  Below is the COSO framework describing the ERM model.

COSO Model

What if I have more questions?

Please contact the Director of Internal Audit directly or members of the Risk Unit.  The Director of Internal Audit works closely with the Director of Environment, Health and Safety, the Director of Risk Management and the Office of General Counsel to identify and manage risks to the University.  Contact information is found on the Internal Audit website and the Campus Directory.

What is Fraud?

The Association of Certified Fraud Examiners defines occupational fraud as “the use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resource or assets.”  Elements present for an employee to commit fraud include opportunity, a low chance of being caught, rationalization by the individual that the action is not a crime, and justification of the ends versus the means.  It has been estimated that US businesses lose over $600 billion to fraud each year and that the average organization may lose 5% of revenue to fraud.

How is Fraud detected?

Fraud can be found using a number of methods.  A 2006 survey indicated 34.2% of fraud was detected from tips from individuals, 25.4% by accidental identification and 20.2% from internal audits. It is important to the University that individuals report suspect activities or a “red flag” circumstance that is unusual or an action that varies from the norm.  Red flags do not indicate guilt or innocence but can be warning signs to be investigated.  Often an error is just a mistake, so the responsibility for review of a “red flag” should be placed in the hands of a responsible authority like the Director of Internal Audit or reported on the Ethics Hotline at 1-800-445-7068 or at URL:

Frequently Asked Questions with respect to EthicsPoint: FAQ EthicsPoint

What is internal auditing’s role in preventing, detecting and investigating fraud?

Auditors, employees and management need to be aware of “red flags” in order to monitor a situation and take any corrective action if needed. When something suspicious is identified, internal auditors can help determine its effect and evaluate the situation with financial analysis, observation or other methods to review and test a weakness of established controls.  If a review confirms potential fraud, a formal investigation is often the next step.  If the review finds a weakness or an error, the auditor can take steps to correct the process and a procedure or follow-up recommendation can be implemented to prevent future occurrence.  It is important that professionals, like the Director of Internal Audit or staff from the Office of General Counsel, are involved in investigations to assure proper techniques are used and to be able to notify other departmental units who may need to be involved such as Risk Management, for insurance claim reporting, or the Department of Public Safety if actions are deemed criminal in intent.


Mission Statement

The Risk Unit is responsible for evaluating loss exposures, assessing liability, handling claims, promoting internal controls and developing effective safety and health programs. The corporate and student insurance plans are managed by this unit.