FAQ

  1. What does the Office of Internal Audit and Enterprise Risk do?
  2. How are specific departments or processes selected for audits?
  3. What is Enterprise Risk Management (ERM)?
  4. What should I do if an external agency contacts me and wants to conduct an audit or review of our department, operation, or grant?
  5. What should I expect when an audit is being performed on my department?
  6. How are audit findings and results from the ERM reported?
  7. How do I get a copy of the University's audited financial statements?
  8. What are Internal Controls?
  9. Who is responsible for Internal Controls?
  10. What is considered fraud?
  11. Where do I report waste, fraud, or abuse?

1. Q: What does the Office of Internal Audit and Enterprise Risk do?

A: The Office of Internal Audit and Enterprise Risk uses a systematic and disciplined approach to improve the effectiveness of governance, risk management and control processes and the University of Montana and its affiliated campuses: Helena College, Montana Technological University, and the University of Montana Western. The Office of Internal Audit and Enterprise Risk executes the University's annual Audit Plan and coordinates the University's Enterprise Risk Management program. (Back to Top)

2. Q: How are specific departments or processes selected for audits?

A: Areas selected for audits are identified as part of an annual risk assessment performed by the Internal Auditors. However, some audits may result from specific requests by UM's senior executive team and/or the Legislative Auditor. (Back to Top)

3. Q: What is Enterprise Risk Management (ERM)?

A: ERM is the combination of culture, capabilities, and practices organizations rely on to proactively manage risks to the achievement of their strategic objectives. UM launched its ERM program in 2019. The mission of the program is to provide a systemic, comprehensive risk ecosystem to manage mission-critical risks in pursuit of value for stakeholders.(Back to Top)

4. Q: What should I do if an external agency contacts me and wants to conduct an audit or review of our department, operation, or grant?

A: The Internal Audit Office serves as campus liaison with all external auditors/representatives. It is the responsibility of the affected administrator to notify Internal Audit. Email Anta Coulibaly in Internal Audit: anta.coulibaly@mso.umt.edu. Your email should include the name of the agency conducting the audit/review, name and phone number of a contact person, dates of the proposed audit/review and any specific information the external agency is requesting. (Back to Top)

5. Q: What should I expect when an audit is being performed on my department?

A: See Internal Audit Procedures. (Back to Top)

6. Q: How are audit findings and results from the ERM reported?

A: You and your staff will be kept informed of the auditor's findings throughout the course of the audit. At the conclusion of the audit, you will be able to review a draft of the report before the final version is issued. A copy of your department's response to the audit findings is included in the final audit report. Final audit reports are distributed to the Office fo the Commissioner of Higher Education (OCHE), the President, the appropriate Sector Head, and staff/management of the department being audited.

Results from the ERM are reported to the President's Cabinet and OCHE.  (Back to Top)

7. Q: How may I get a copy of the University's audited financial statements?

A: You can email Kari Johansson in the Internal Audit Office: kari.johansson@mso.umt.edu. You should include the name, title, address and phone number of the person requesting the financial statements. If the request for financial statements is related to grants, please include the name of the Principal Investigator/Program Director and, if applicable, the grant index code. (Back to Top)

8. Q: What are internal controls?

A: Internal controls are designed to provide reasonable assurance regarding the achievements of objectives in the following categories:

  1. Effectiveness and efficiency of operations
  2. Reliability of financial reporting
  3. Compliance with applicable laws and regulations

Internal controls are the process you and your staff, as well as the University's administration, develop to administer your area efficiently and effectively. Internal controls may be rules of procedures; for example, certain steps must be followed in processing disbursement checks. They can also be informal; for example, you may control access to administrative records by locking them in a file drawer.

There are three types of controls: preventive, detective, and corrective.

  • Preventive controls are installed to prevent possible undesirable outcomes before they happen.
  • Controls that identify the undesirable outcomes when they do happen are detective controls.
  • The last type of control is corrective, and is used to make sure that corrective action is taken to reverse undesirable outcomes, or to make sure that they do not happen again.

Good internal control systems should include:

  1. Individual accountability
  2. Independent monitoring
  3. Approval and authorization
  4. Segregation of duties

These control elements protect individuals, as well as the university as a whole, from loss. Without these controls, errors can arise and go unnoticed.(Back to Top)

9. Q: Who is responsible for internal controls?

A: Everyone in your department is responsible. The department head is ultimately responsible for internal controls in the department and should take ownership of the internal control system. The department head is responsible for setting the "tone at the top" by providing leadership and direction. Additionally, since all employees generate information that affects internal controls, they should all be responsible for communicating upward any problems of noncompliance, policy violations, or unlawful actions. (Back to Top)

10. Q: What is considered to be fraud?

A: Fraud can be defined as (1) a misappropriation of the university's assets, or (2) the manipulation of its financial data to benefit the perpetrator. It can be for the benefit and gain of an individual, or for the benefit and gain of an organization. These benefits and gains may be direct, as in receiving money or other assets, or indirect, as in receiving promotions and other benefits.
Fraud includes the following five crimes:

  1. Bribery
    Bribery is the receiving or offering of anything of value with the intent to influence an official in the performance of, or failure to perform, the lawful duties of that official.
  2. Conspiracy
    Conspiracy entails an agreement between two or more parties to knowingly and overtly commit a crime or to achieve, illegally, an objective that itself is not unlawful.
  3. Embezzlement
    Embezzlement is the unlawful conversion of entrusted property pursuant to a trust relationship. It is a breach of financial responsibility.
  4. Extortion
    Extortion is the unlawful obtaining of property through the wrongful use of actual or threatened force or fear.
  5. Forgery
    Forgery is the false writing or altering of an instrument, such as a check or receipt, with the intent to defraud.

(Back to Top)

11. Q: Where do I report waste, fraud, or abuse?

A: If you suspect misuse and/or theft of university assets, or if you have concerns about the efficiency and effectiveness of university operations, please contact:

Office of Internal Audit and Enterprise Risk
University Hall 018
University of Montana
Missoula, MT 59812-4032

phone: (406) 243-2545
email: anta.coulibaly@mso.umt.edu

or











(Back to Top)