91̽»¨

FAQs

Fraud FAQs

What if I suspect fraud?

We suggest you read through our Fraud information, which includes the details of how to report fraud. Once received, the Office of Audit, Risk, and Compliance will look into the information you provide. You should consider making an anonymous report via Ethics Point since they will facilitate discussion between you and our office in a manner that preserves your anonymity.

Employees are advised not to conduct their own investigations after initially identifying suspected fraud.

What if I want to report fiscal matters, fraud, conflict of interest, or other concerns about the mismanagement of University resources?

Those matters should be referred to us (the Office of Audit, Risk, and Compliance) in whatever manner you find to be the most comfortable. Anonymous reports are best made through the Ethics Point service where your identity will be protected by an independent third party. We will be able to communicate through that third party, which is handy if we need to ask follow-up questions or if there is information to pass back to you.

What if I want to report harassment or discriminatory misconduct?

91̽»¨ Policy 03-006 directs that these reports should be made to the Office of Institutional Equity. If you make an anonymous report through Ethics Point, the Office of Audit, Risk, and Compliance will refer the matter to them. Matters of race, ethnicity, age, religion, national origin, sex, disability, gender identity or expression, sexual orientation, veteran status, or socioeconomic status can be complex and not all instances of controversial speech are illegal or a violation of policy. You should consider if involving the Campus Climate Concerns Team.

What if I want report a violation of federal law, state law, governmental regulations, or 91̽»¨ Policy?

91̽»¨ Policy 03-006 directs that these reports should be made to the Office of Legal Affairs. If you make an anonymous report through Ethics Point, the Office of Audit, Risk, and Compliance will refer the matter to them.

What if I want to report inappropriate workplace behavior, work conduct, or violence related to the workplace?

91̽»¨ Policy 03-006 directs that these reports should be made to Human Resources. If you make an anonymous report through Ethics Point, the Office of Audit, Risk, and Compliance will refer the matter to them.

What if I want to report criminal conduct that occurs within the geographic jurisdiction of 91̽»¨?

91̽»¨ Policy 03-006 directs that these reports should be made to the 91̽»¨ Police Department. If you make an anonymous report through Ethics Point, the Office of Audit, Risk, and Compliance will refer the matter to them.

If I make a report, what protects me from retaliation?

91̽»¨ Policy 03.006 addresses "Whistle-blowing and Retaliation." So long as you are making a "good faith" report the policy prohibits retaliation. Still, we recognize being a whistle-blower is not easy and best not done casually or informally. The Ethics Point service was chosen because it offers anonymous reporting.

If you're still not comfortable making a report to the Office of Audit, Risk, and Compliance, you might look to external reporting avenues that are listed within 91̽»¨ Policy 03.006.

Internal Audit FAQs

Why was my department selected for an audit?

The Office of Audit, Risk, and Compliance is an independent adviser to 91̽»¨'s administration and Board of Trustees (Board). We are charged with providing an independent, objective assessment of University operations to determine if management is taking the necessary steps to provide assurance that resources are managed effectively and in accordance with all applicable rules, regulations, and procedures. Our annual audit plan is approved by the Board. It begins with a risk assessment to determine where the greatest risk exist. Input is included from the Board, University administration, and the Office of Audit, Risk, and Compliance Staff.

What if it isn't a good time for an audit?

If there are extenuating circumstances we will work with you to find a more appropriate time.

What do I need to do to prepare for an audit?

Minimal preparation is required. At the beginning of the audit, The Chief Audit Executive will reach out to management and provide a summary of standard audit procedures and documents that may be needed.

How can I benefit from an audit?

Internal audit reviews can help you determine whether there are appropriate internal controls over your administrative processes and systems. We may also be able to show you ways to improve the efficiency and effectiveness of your operations.

What will the auditors examine?

91̽»¨ must comply with a variety of federal and state laws, grant requirements, and policies all of which include rules and standards. We will review compliance with those pertinent to the department along with any departmental policies and procedures. 91̽»¨ policies can be found .

What about the confidentiality of information retained by our department?

Internal Auditors have access to all records and assets of the University, and we know we have an obligation to maintain the confidentiality of that information. Our charter states that:

  • "Documents and information given to Internal Auditors during a periodic review will be handled in the same prudent manner as by those employees normally accountable for them.
  • It is understood that certain University items are confidential in nature and the Internal Auditors will make special arrangements when examining and reporting upon such items."

 

We have several options for working with, and potentially storing, sensitive data such that your compliance with confidentiality requirements will be preserved and the information will be protected. All of our auditors, including student auditors, receive specific instruction on confidentiality requirements and all Internal Auditors sign confidentiality agreements.

What are common audit findings?
  • (Financial) Compliance with the PCard and Travel Policies
  • (Financial) Compliance with the Cash Handling Policy
  • (IT) Software Updates for Workstations
  • (IT) Access Control Issues
  • (IT) Information Security Training
  • (IT) Protection of Sensitive Data
Why won't you tell me exactly how to resolve a finding?

We report to the Board of Trustees as advisers. We are not part of management and are not permitted to specify solutions. We are only allowed to consult, which means we can provide advice regarding the implementation of controls. Our work with other clients may give us some perspective on what has worked for others. We may also know of potential solutions that are available to you from other 91̽»¨ departments. But ultimately the authority and responsibility for all decisions for a solution belong to management, not the Office of Audit, Risk, and Compliance.

What if I disagree with a finding in our report?

The process should assure there are no disagreements between your department and the Office of Audit, Risk, and Compliance. You will have multiple opportunities to discuss potential findings and influence the final report.

Nobody wants an incorrect or overstated finding to be sent to the Board of Trustees for it creates unnecessary work for everyone plus damages our credibility. We recognize that your expertise in your subject area is going to be deeper and more comprehensive than ours. If we have failed to take something important into account, by all means work with us so that our conclusions are relevant, accurate, and fair.

Who gets copies of the audit reports?

Draft reports will be distributed to those employees with responsibility for replying to the report, as agreed during the entrance conference. Final audit reports will be distributed to the relevant administrators of the area audited and made available to the Board of Trustees, President, Provost, Deans, and many Vice Presidents. The Auditor of State, and any external auditors they have retained, may request and receive copies of any and all audit reports.

What happens after a report is issued?

Follow-up audits are scheduled based on the corrective action planned by management.

Compliance FAQ

What is Compliance?

91̽»¨ is a complex and highly regulated institution with guidance, law, and policy obligations issued at the federal, state, and local levels. Because 91̽»¨ is a recipient of federal and state funding, non-compliance may lead to enhanced reporting and monitoring obligations, fines, and/or loss of funding. Moreover, 91̽»¨ seeks to conduct its business – educating students – by doing the right things in the right ways to protect students, faculty, staff, and the communities our campuses serve. 

Why did Internal Audit become OARC (Office of Audit, Risk, and Compliance)?

91̽»¨ operates in an increasingly complex regulatory environment of federal, state, and local laws, as well as university policies intended to maintain fiscal accountability and to prudently invest resources in academic programs.  

Recognition of the need for a strong internal system for monitoring and supporting legal and ethical practices at 91̽»¨ led the 91̽»¨ Board of Trustees and the Office of the President to add a university level compliance function to Internal Audit, now known as the Office of Audit, Risk, and Compliance. OARC supports 91̽»¨'s commitment to meeting our individual and collective legal and regulatory responsibilities and fostering a culture that promotes ethical conduct.

Who is responsible for compliance at 91̽»¨?

It is the responsibility of every member of the 91̽»¨ community to act ethically in study, work, and recreation on our campuses and in activities conducted on behalf of the university, wherever they may occur. 91̽»¨ has historically met its legal and ethical responsibilities through a decentralized compliance approach. While this structure will be maintained, the goal of OARC is to promote and support a culture of compliance and integrity through training, outreach, and intervention when necessary.

What is OARC’s role in supporting compliance at 91̽»¨?

OARC is committed to supporting compliant and ethical conduct by providing educational training and resources, monitoring ongoing compliance concerns and areas of highest risk; detecting and preventing compliance issues; and support individuals and units that are responsible for specific areas of compliance. 

  • OARC does not assume the duties of the various substantive compliance areas, and all ongoing compliance activities continue in their existing reporting structures.  
  • OARC will coordinate and support OHIO’s compliance initiatives.
How do I report a compliance concern?

To report compliance issues or concerns you may make a report to the Ethics Hotline.

If you have specific questions about compliance at 91̽»¨, please contact: 

Laura L. Myers, J.D., M.A.
Director of University Compliance
myersl@ohio.edu