Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve the University’s operations. It assists an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance procedures.
What to audit?
The process of deciding what to audit is based on a logical sequence as detailed below:
The Internal Audit Department will:
- Identify areas of impact and risk to the University. Compile an inventory of the processes representing key financial and operational activities critical to the University. This list of processes is dynamic and subject to modification. Generally, academic curricula-based initiatives are excluded.
- In conjunction with the appropriate Vice President, assign an impact and a risk evaluation to each of the individual processes. The evaluation is based on a summary of risk factors associated with the processes. Risk factors include:
Ongoing risk factors:
- Financial value
- Public image
- Process liquidity (cash)
- Budget deviations
- Regulatory guidelines.
Environmental risk factors:
- Process stability (time since last modification)
- Recent audit history
- Executive assessment
- Political environment
- Financial markets
- Technology initiatives
- Based on the assessment of each process, develop an audit plan for the current year and draft plans for the two following years. The proposed audit plan is presented to the President and the Audit, Finance and Investment Committee for review and approval.
How is an audit conducted?
The steps necessary to conduct an audit follow:
- Plan. The Internal Audit Department will develop a plan for the audit based on a review of all pertinent information.
- Notify. The Internal Audit Department will schedule a meeting with the unit manager and the divisional Vice President of the process to be audited. Identify the scope and the objectives of the audit, how long the audit is expected to last and what the responsibilities of all parties are in the audit process. Any factors that will impact the audit should be raised at this time. Factors include vacations, fiscal year end, reporting requirements, etc.
- Test. Testing will include interviews with the staff, review of procedures and manuals, compliance with University policies and government laws and regulations, and assessing the adequacy of internal controls reviewing contracts, documentation and transactions as appropriate.
- Communicate. Keep the department that is undergoing the audit updated on a regular basis of the progress of the audit and especially if there are any findings. There may be instances where a finding can be addressed immediately.
- Report Draft. The report draft will include the audit Scope and Objectives, Summary and Opinion, Findings and Audit Recommendations.
- Management’s Response. Management will receive the audit draft to confirm the facts as presented and respond to the Audit Recommendations. Management’s response should assign the responsibility to implement the recommendation(s) and have a specific target date for completion of the corrective actions.
- Review. The final version of the audit will be reviewed and all questions resolved. Management’s response will be included in the final audit report.
- Distribute. The report is then released to the department, the appropriate divisional Vice President and the President. It is also available to the members of the Audit, Finance and Investment Committee as part of the agenda at the periodic meetings when a summary of all Internal Audit activities is presented.
- Follow up. The Internal Audit Department will conduct a follow up on Management’s Responses to the audit Findings and Recommendations within an agreed upon time frame. This subsequent review will be discussed with the involved management and the comments published. The comments will also be available to the Audit, Finance and Investment Committee as part of the agenda at the periodic meetings.