Skip to main content

Weather-Related Announcement

Close

Western Carolina University Suspends Classes Amid Outages and Road Closures; Advises Safety Measures for Students and Parents.

Learn More

Office of Internal Audit

HFR Administration

 

What is Internal Auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objective bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

A basic overview of the Office of Internal Audit

The Purpose and Mission of Internal Audit

The purpose of Western Carolina University’s (University) Office of Internal Audit (OIA) is to provide independent, objective assurance and consulting services designed to add value and improve University’s operations. The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The OIA helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

Review Audit Statutes & Policies

Audit Ratings

At the end of each audit, we issue an audit report. The report contains our unbiased assessment of the effectiveness of your unit’s processes, internal controls, compliance, etc. The report includes an overall audit rating, audit issue ratings (if any), and recommendations when applicable. 

Audit findings

We report on those risks that are rated medium or high.

High Risk indicates:

  • There are weaknesses in the process that present risk exposure to the unit under review.
  • The significance of these weaknesses makes it imperative to correct them.
  • Management attention is required, as well as an action plan to address the reported issue.

Medium Risk indicates:

  • There are weaknesses in the process that present risk exposure to the unit under review.
  • The significance of these weaknesses makes it important to correct them.
  • Management attention is recommended, as well as an action plan to address the reported issue.

Low Risk indicates less significant issues, not included in the final report. The issues are discussed with management.  

Audit ratings

Based on the aggregate level of risk, one of three ratings is issued.  

  • Satisfactory: The processes and controls are generally effective in mitigating risks.
  • Needs improvement: The processes and controls are only partially effective in mitigating risks.
  • Unsatisfactory: The processes don’t mitigate risks and are seriously flawed in design or operation. 

Note: Needs improvement is not a negative audit rating. It just means that management needs to respond with an action plan to improve processes. 

These audit ratings are effective as of July 1, 2024.

Report Fraud, Waste & Abuse

Improper governmental conduct includes alleged fraud, misappropriation, mismanagement or waste of state resources. It also includes alleged violations of state or federal law, rule or regulation in administering state or federal programs, and substantial and specific danger to the public health and safety.

Report Fraud, Waste, and Abuse

External Audit

The University is subject to external audits, program reviews, and similar activities by various agencies and other organizations. It is the responsibility of the primary contact person for the program or activity being reviewed to notify the Internal Audit Office.

Submit a notification of External Audit

Code of Ethics

The Office of the State Controller of North Carolina has adopted a Code of Ethics. The Code establishes the standard for the minimum levels of expected behavior and is also intended to serve as a guide for making ethical decisions.

Review the Code of Ethics

Risk Assessment

The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization's business, risks, operations, programs, systems, and controls.

Office of Web Services