Internal Audit

  • Policies and Procedures

    The Internal Audit Department shall adhere to the policies, procedures, and regulations of the University of Mississippi Medical Center as presented in the Faculty and Staff Handbook and Personnel Procedures and the Employee Handbook.

    Standards for the Professional Practice of Internal Auditing

    The Standards for the Professional Practice of Internal Auditing outline the criteria by which the operations of an internal auditing department are evaluated and measured. They are meant to serve the entire profession in all types of organizations. The purposes of the Standards are to:

    • Delineate basic principles that represent the practice of internal auditing as it should be.
    • Provide a framework for performing and promoting a broad range of value-added internal audit activities.
    • Establish the basis for the measurement of internal audit performances.
    • Foster improved organizational processes and operations.

    The Internal Audit Department at UMMC shall comply with these Standards. Each member of the department shall receive a copy of the Standards and is expected to be familiar with them and adhere to them.


    Fraud encompasses an array of irregularities and illegal acts characterized by intentional deception. Persons outside as well as inside the organization can perpetrate fraud for the benefit or detriment of the organization.

    Deterrence of fraud is the responsibility of management. The Internal Audit department is responsible for examining and evaluating the adequacy and the effectiveness of actions taken by management to fulfill this obligation. Auditing procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.

    Internal auditors should have sufficient knowledge of fraud to be able to identify indicators that fraud might have occurred but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. Internal auditors should be alert to opportunities that could allow fraud. If significant control weaknesses are detected, additional tests conducted by internal auditors should include tests directed toward the identification of other indicators of fraud.

    The Internal Audit department will assist in the investigation of fraud in order to:

    • Determine if controls need to be implemented or strengthened to reduce future vulnerability.
    • Design audit tests to help disclose the existence of similar frauds in the future.
    • Help meet the internal auditor's responsibility to maintain sufficient knowledge of fraud.

    Information security

    Information security is a management responsibility. This responsibility includes all critical information of the organization regardless of the media in which the information is stored. The Internal Audit department should evaluate information security and associated risk exposures. Internal auditors should assess the effectiveness of preventive, detective, and mitigative measures against incidents deemed likely to occur. Internal auditors should periodically assess the organization’s information security practices and recommend, as appropriate, enhancements to or implementation of new controls and safeguards.

    Due professional care and proficiency

    Internal auditors should apply the care and skill expected of a reasonably prudent and competent auditor. Due professional care does not imply infallibility. The internal auditor should exercise due professional care by considering the:

    • Extent of work needed to achieve the engagement’s objectives;
    • Relative complexity, materiality or significance of matters to which assurance procedures are applied;
    • Adequacy and effectiveness of risk management, control, and governance;
    • Probability of significant errors, irregularities or noncompliance;
    • Cost of assurance in relation to potential benefits.


    Personnel should collectively possess the knowledge, skills, and other competencies essential to the practice of internal auditing within the organization. Educational and work experience criteria have been established for the various positions within the department. In order to maintain their proficiency, all personnel are encouraged to continue their education and will be given adequate opportunities to do so. Continuing education hours necessary to meet certification requirements should be obtained. If no certification requirements are necessary, a minimum of 16 hours should be obtained. Continuing education may be obtained through:

    • Membership and participation in professional societies
    • Attendance at conferences
    • Seminars
    • College courses

    Departmental memberships have been obtained in the Institute of Internal Auditors, the Association of College and University Auditors, the Association of Health Care Internal Auditors, and the Information Systems Audit and Control Association. UMC may cover the cost of obtaining continuing education; however, the employee should obtain approval prior to registering for any course or seminar.

    Accreditation is an important indicator of an auditor's technical proficiency. Certification as a public accountant, internal auditor, or information systems auditor is encouraged for all departmental personnel and is a requirement for certain positions. Currently, UMMC will pay the cost of registering a certificate.

    Conflicts of interest

    Internal auditors should be objective in performing their job. Objectivity requires internal auditors to have an impartial and unbiased attitude, to avoid conflicts of interest, and to perform audits in such a manner that no significant quality compromises are made. Therefore, the department will do its best to make sure the auditors are not placed in situations in which they feel unable to make objective, professional judgments.

    • Staff assignments will be made so that potential and actual conflicts of interest and bias are avoided. If a conflict of interest or bias is present, the auditor(s) will be reassigned.
    • Staff assignments will be rotated periodically, if practicable to do so.
    • Internal auditors will not assume operating responsibilities.
    • Internal auditors should refrain from assessing specific operations for which they were previously responsible.

    Each auditor will be required to complete an annual Conflicts of Interest Statement.


    Workpapers that document the engagement should be prepared by the auditor doing the work and reviewed by someone other than the preparer. The workpapers should record the information obtained and the analyses made and should support the basis for the observations and recommendations to be reported.

    Engagement workpapers are the property of the organization. Workpaper files will remain under the control of the Internal Audit department and will be accessible only to authorized personnel.

    The Mississippi Department of Archives and History has approved a records disposition program. All workpapers (audits and special projects) are to be retained for 3 years and then destroyed.


    Engagements should be properly supervised to ensure objectives are achieved, quality is assured and staff is developed. All work performed by the Internal Audit department will be properly supervised. The extent of supervision required will depend on the proficiency of the auditor assigned to a task and the difficulty of the assignment. Supervision includes:

    • Providing suitable instructions to subordinates at the outset of the audit and approving the audit program.
    • Seeing that the approved audit program is carried out unless deviations are both justified and authorized.
    • Determining that audit working papers adequately support the audit findings, conclusions, and reports.
    • Making sure that audit reports are accurate, objective, clear, concise, constructive, and timely.
    • Determining that audit objectives are being met.

    The director should approve all outgoing correspondence.


    Activities should be coordinated with external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

    Performance evaluation

    As outlined in the UMMC Faculty and Staff Handbook and Personnel Procedures and the Employee Handbook, employees are to receive a formal performance appraisal at the end of a new employee's 90-day probationary period and on an annual basis, usually during the month of March. The Employee Performance Appraisal Form is used to evaluate individuals who have no supervisory responsibility and is to be completed by the immediate supervisor. Managers and supervisors are to be evaluated by their department heads. The Manager/Supervisor Performance Appraisal Form is used to rate these individuals.

    Additionally, each auditor shall receive feedback at the conclusion of each audit. This feedback may be written or oral.

    Leave time

    Leave time will be provided in accordance with the policies outlined in the UMC Faculty and Staff Handbook and Personnel Procedures and the Employee Handbook. Leave time must be coordinated within the department so that sufficient staffing is available at all times. In the event all employees request leave at the same time, approved leave will be granted on a first-come, first-served basis.