EWU - Internal Audit Department July 2008

Welcome to the first edition of Audit Insights.

The focus of this periodic newsletter is to provide you with information about good business practices, internal controls, compliance requirements and need-to-know information from EWU’s Internal Auditor.

Who is the Internal Auditor?

Name: Carmel Melton Long


State Auditor’s Office (10 yrs)

Community Colleges of Spokane (2 yrs)

What is an Internal Auditor?

An Internal Auditor is an employee of the organization who provides independent audit and review services. The goal is to assist management by providing analyses, appraisals, recommendations, and information about the activities that are reviewed.

Internal auditors work to improve internal controls over the effectiveness and efficiency of operations, reliability of financial information, safeguarding assets, and compliance with laws, regulations and organizational policies.


• A password composed of 8 letters can be breached in 4 days or less.

• A password composed of 8 numbers and letters takes 65 days.

• A password composed of 8 letters, numbers, and symbols takes 463 years to be breached.

80% of all computer security problems are caused by bad passwords.

Don’t use any names or numbers that can be connected to you. Names of spouses, children, pets, phone numbers, name of your high school… These are the first pieces of info that bad guys try.

Don’t use sequential characters from your keyboard.

The most common passwords nationwide are 12345 and qwerty (the alpha characters on the upper left side of your keyboard).

Don’t use a real word or variation of a real word.

Hacker programs try words spelled backward, common misspellings, slang, profanity, etc.

Don’t give your password to anyone.

Periodically change your password.

The best passwords are a combination of upper and lower case letters, numbers, and symbols of 8 characters or more, and they don’t contain real words or variations of real words.

Improper Governmental Actions

All state employees are responsible for being good stewards of state resources.

University employees are responsible for reporting improper governmental actions to either the State Auditor’s Office or to EWU’s Internal Audit Department.

Whistleblower Act

The Whistleblower Act, enacted by the Washington State Legislature, provides an avenue for state employees to report suspected improper governmental action. It makes retaliation against people who file whistleblower assertions unlawful.

The State Auditor’s Office investigates and reports on assertions of improper governmental action and the Human Rights Commission is responsible for investigating asserted retaliatory actions. (See Whistleblower reporting form attached.)

Internal Audit Department

University employees may report assertions of improper governmental actions to the EWU Internal Audit Department. However, employees should be aware that while all such assertions will be confidential, the provisions of Washington State’s Whistleblower Act do not apply to communications between University employees and the Internal Audit Department.

Contact Internal Audit

Carmel Melton Long

Director of Internal Audit

104 Showalter Hall

Phone: (509)359-4024


What is an “improper governmental action”?

As per RCW 42.40, it is any action undertaken in the performance of the employee’s official duties which:

• Is a gross waste of public funds or resources.

• Is in violation of federal or state law or rule.

• Is of substantial and specific danger to the public health or safety.

• Involves gross mismanagement.

• Prevents the dissemination of scientific opinion or alters technical findings without valid justification.

Malicious or False Assertions

Whistleblowers must file assertions in good faith. RCW 42.40.020 states that an employee must not knowingly report false, malicious or frivolous information, recklessly disregard the truth or omit relevant information. It states that the identity of any person who in good faith provides information in a whistleblower investigation will be kept confidential.

Personnel Issues

The Whistleblower Act specifically excludes personnel actions, for which other remedies exist. Such actions include: employee grievances, violations of state civil service laws, labor agreement violations, reprimands, and other disciplinary actions.

Risk Assessment & Audit Scheduling

University administration and management will be participating in a risk assessment process over the next couple of months. Those results, combined with input from various levels of the University, will be used to develop the annual audit plan. Areas with the highest assessed risk will be given priority in audit scheduling. Specific requests by administration will also impact the audit schedule.

A reminder about… Internal Controls

Managers and Supervisors are responsible for establishing appropriate internal controls and for monitoring their effectiveness. Have you identified the key risks in your operations? Are controls in place and operational to mitigate those risks?