Effective Date:  12/03/2004

Internal Audit Polices and Procedures

Chapter 13 - Misuse Investigations


The Internal Audit Department is responsible for reviewing and investigating allegations of misuse involving University employees or property.  We share this responsibility with entities such as UNC’s Office of Human Resources and Public Safety Department, the Office of the State Auditor, and the State Bureau of Investigation.

Internal Audit Policy 2.3 of the Internal Audit Policies and Procedures requires management to notify the University Police and the Internal Audit Department if they have reason to believe that public property or funds may have been damaged, lost, or misused.  Suspected misuse can be reported anonymously to Internal Audit, the University Police, or the State Auditor’s Hotline.

Under NCGS §114-15.1, misuse or other losses of funds must be reported to the State Bureau of Investigation.  The Assistant to the Chancellor and Senior Legal Counsel submits these reports to the SBI on behalf of the University after being notified by University management, the Campus Police, or the Internal Audit Department.

Response to Reports of Misuse 

Our response to allegations of misuse will depend on how the information is communicated to us.

Regardless of the source of the complaint, we will conduct an initial review to determine whether the allegations have merit and what steps are needed to investigate and resolve the issues raised in the complaint.  While all allegations should be given careful consideration and treated seriously, it is important to remember these claims are unsubstantiated unless, and until, corroborating evidence is obtained.

Investigative Procedures

The goals of investigations of potential misuse are to determine if the allegations of misuse are valid, then to identify control weaknesses or breakdowns in procedure that allowed the situation and any related problems to occur, determine the extent of any loss, and recommend corrective action to prevent the situation from recurring.

The type of investigative procedures used will depend on the nature of the potential misuse and the results of the preliminary review.  The investigation may stop with the preliminary review if that shows the allegations are not valid or if the issues are minor and can be resolved through meetings with management of the area involved.  If the allegations are found to be valid, the investigation may involve complex analyses of processes, reviews of access capabilities, and extensive tests of records.  There may be a need to extend the review into areas and activities not identified in the initial complaint.  An auditor performing a misuse investigation must exercise considerable judgment in selecting the type and extent of procedures to be performed.

The two most important steps in the investigative process are determining whether the allegations are likely to be valid and identifying control weaknesses that allowed any misuse to occur.  If allegations are clearly invalid, there is no need to perform extensive work to investigate them.  We need to understand how a loss occurred and what weaknesses are involved in order to know what we should investigate and how.

Investigations of potential misuse must be conducted in a confidential manner and with respect for the rights of the individuals involved.  Whenever possible, Internal Audit will notify appropriate members of management prior to beginning an investigation.  Advance notice may not be possible in rare situations when even a small delay could allow additional funds to be lost or records destroyed.  In these situations, Internal Audit will notify management as soon as possible after the investigation begins.  If allegations involve possible misuse by management of an area, Audit will coordinate any investigation through an organizational level to which this area reports.

If an investigation reveals a potential violation of any federal, state, or local law, we will consult with the Office of University Counsel for guidance.  If appropriate, we will also obtain guidance from the Campus Police or the SBI.

Working Paper Documentation and Communicating Results

The process of conducting and reporting the results of a misuse investigation is similar to the process followed for a routine audit.  However, the working papers will follow a different format as will correspondence used to communicate the results of investigation.  Refer to the Standard Workingpaper Format for Misuse Investigations.

Extreme care must be taken to ensure that information in any documents prepared in connection with a misuse investigation is presented neutrally and objectively.  We cannot assume allegations are true unless we have obtained evidence that proves them; the language and tone of our working papers should reflect this concept.  Our working papers may end up as evidence in a criminal trial; keep in mind how a defense attorney might respond to a choice of words or presentation of information as you document the results of a review.  Never put anything in the working papers that you wouldn’t want to have read back to you and challenged if testifying in a trial.  For example, instead of referring to something as “duplicate payment” use the term “possible overpayment.”  When presenting information from a complaint or misuse report, use qualifiers such as “according to the complainant” or “caller alleged.”  Simply stating the claims may imply a presumption of guilt.

As a general rule, avoid identifying by name an individual who may be the target of the investigation or who made the complaint.

Background Summary
Briefly describe the nature of the complaint and whatever information has been provided or obtained in the early stages of the review.

Conclude regarding whether or not any further investigation by Internal Audit will be needed.

Briefly describe the nature of the complaint and whatever information has been provided or obtained in the early stages of the review.

Conclude regarding whether or not any further investigation by Internal Audit will be needed.

Audit Program


List the specific procedures that will be used to investigate the issue raised in the complaint, preferably in the order they will be performed. 

Procedures will often need to be presented as a contingency.  For example, “if any payments to XYZ, Inc. are found, obtain copies of documents supporting these transactions.”

Close-out Letter or Report

Should identify the source and general nature of the complaint, broadly describe the procedures used to conduct the investigation, and state whether or not any evidence of misuse was found.

Minor findings do not need to be stated individually, but we should indicate whether or not we discussed these issues with management and whether they agreed to correct any weaknesses noted.

Significant findings should be reported individually and accompanied by recommendations and responses by management.

Complex investigations or those that involve significant loses or cross departmental lines may need to be reported using the standard report format for routine audits.

In general, close-out letters or reports should contain only enough information to allow the reader to identify the nature of the allegations and the outcome of Internal Audit’s investigation.  Never include names of individuals in these letters or reports.

These letters or reports should be addressed to the Chancellor, with copies to the Senior University Counsel; the Provost or Executive Vice-Chancellor (whichever is responsible for the area reviewed); the appropriate dean or vice-chancellor, associate vice-chancellor, and department head; the Associate Vice-Chancellor for Finance, and the Chief of the UNC Police.

When a misuse investigations is complete, the Office Assistant should assign a report number and the auditor-in-charge should complete a Report Entry Form so the project and be entered into the Findings2000 database.  If no written report was issued, a dummy report number is assigned and the report date is left blank.  If the project report contains findings, the auditor-in-charge should also complete a Finding Entry form for each finding.  See Chapter 16 – Communicating Results for additional information. 

 Once these forms are complete, the auditor-in-charge gives them to the Director for review. 

After the forms have been reviewed and approved, the Office Assistant enters them into the Findings 2000 database.  See Chapter 18.

Return to Home Page Table of Contents