Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.1How is an audit decided?
The process of deciding what to audit is based on a logical sequence as detailed below:
The Internal Audit Department will:
How is an audit conducted?
- Identify areas of risk. Compile an inventory of the key processes representing key financial and operational activities critical to the University. This list of processes is dynamic and subject to modification. Generally, academic and curricula based initiatives are excluded.
- Assign a risk value to each of the individual processes. The risk value is based on an analysis of risk factors associated with the process. Risk factors include:
- Ongoing risk factors
- Financial value
- Public image
- Process complexity
- Asset liquidity
- Budget deviations
- Regulatory guidelines.
- Environmental risk factors
- Process stability
- Recent audit history
- Executive assessment
- Political environment
- Financial markets
- Technology initiatives.
- Based on the values assigned to each of the processes, develop an audit plan for the current year and draft audit plans for the next two years. The proposed audit plan is presented to the Audit committee for their review and approval.
The steps necessary to conduct an audit follow:
- Plan. The Internal Audit Department will develop a plan for the audit based on a review of all pertinent information.
- Notify. The Internal Audit Department will schedule a meeting with the unit manger and the senior managers of the process to be audited. Identify the scope and the objectives of the audit, how long it is expected to last and what the responsibilities for all parties are in the audit process. Any factors that will impact the audit should be raised at this time. Factors include vacations, fiscal year end, reporting requirements, etc.
- Test. Testing will include interviews with the staff, review of procedures and manuals, compliance with University policies and governmental laws and regulations and assessing the adequacy of internal controls.
- Communicate. Keep the department that is undergoing the audit updated on a regular basis of the progress of the audit and especially if there are any findings. There may be instances where the finding can be addressed immediately.
- Draft. The report draft will include the audit Scope and Objectives, Summary and Opinion, Findings and Audit Recommendations.
- Management response. Management will receive the audit draft to confirm the facts and respond to the Audit Recommendations. Their response should assign the responsibility to implement the recommendation and have a specific target date for completion of the corrective actions.
- Review. The final version of the audit will be reviewed and all issues resolved.
- Distribute. The report is then immediately released to the audited department, divisional Vice President and the Executive Vice President for Administration. It is also released to the Audit Committee as part of the agenda at the periodic meetings.
- Verify. The Internal Audit Department will conduct a follow up on the Management Responses to the Audit Findings and Recommendations within a three month period. This subsequent review will be discussed with the involved management and the comments published. The comments will also be released to the Audit Committee as part of the agenda at the periodic meetings.
1Source: Institute of Internal Auditors (IIA)