Internal Auditors act as consultants both to senior administrators/managers and to the Board of Governors. Our contribution to the success of the University is measured in our ability to assist senior administrators/managers and the Board of Governors in the performance of their duties. The internal audit function accomplishes this by independently identifying risks, evaluating the design and implementation of management’s control systems, and making recommendations for improvement. Internal auditing aids the University by helping managers manage better and by bringing to management’s attention opportunities for improvement.
Direct assistance to the Board is provided in the form of audit reports. This, in turn, provides assurance to the Board with respect to those processes found to be working appropriately and assurance that management is aware of any identified opportunities for improvement. To help understand what is involved in an audit conducted by Audit Services, the audit process is presented as a 10-step process.
The audit universe is the aggregate of all areas that are available to be audited within the University. To define the universe, the auditor divides the organization into manageable auditable activities (auditable units), which may be defined in a number of ways, such as by function or activity, by organizational unit or division, or perhaps by project or program. Some examples of auditable activities include:
The Director of Audit Services submits the annual Audit Plan to the Audit Committee of the Board of Governors for approval. The plan establishes the priorities of the internal audit activity, consistent with the organization’s goals and objectives. Audit Services currently uses the “risk-based” approach to decide which audits are to be selected for inclusion in the annual Audit Plan. The governing body for the internal audit profession, the Institute of Internal Auditors (IIA), has developed standards that provide a framework for performing a broad range of value-added internal audit activities. One of the standards developed with respect to planning audits indicates “The internal audit activity’s plan of engagements should be based on a risk assessment.”
Why do we use this approach? Simply stated, we only have so much audit time, so we can’t audit everything . . . but we can audit high risk and minimally controlled activities.
Risk-based auditing begins by reviewing the organizational objectives, then considers the risks that impact on the achievement of those objectives, and examines the methodologies in place to mitigate those risks.
Risks can be avoided, shared, or transferred rather than controlled. Risk-based auditing also explicitly accepts that there will always be some risk that must be accepted; but the acceptable amount must be kept within the limits established by the Board and management.
Audit Services identifies risk factors and evaluates them. The evaluation of risk factors includes, but is not limited to, discussions with management, observations made during previous audits, and the past history of the unit. Some examples of risk factors are:
Size of the unit
Recent changes in accounting or administrative systems
Complexity of operations
Liquidity of assets
Recent changes in key personnel
Economic condition of the unit
Rapid growth or decline of the unit’s personnel
Time since last audit
Pressure on management to meet objectives
Level of employees’ morale
Based on the evaluation, we assign a “Risk Rating” (low, medium or high) and a “Priority Level” of 1, 2 or 3 (with 1 being the highest priority).
Audits are selected based on the identification and evaluation of significant risk exposures as mentioned above. By focusing on the risk, internal auditors are able to identify controls that are absent or ineffective, as well as those that are no longer relevant.
Requests for audits may also originate from the Board of Governors, the Audit Committee, Administration or any campus unit.
This step allows the auditor to obtain specific knowledge about the unit or function to be audited. Accomplishing this allows the auditor to determine the answers to the following questions:
What are the specific risks?
What controls are in place?
What controls does the internal auditor think should be in place?
Establishing the audit objectives and scope
Objective of the Audit – WHY – The objective statement should answer the question “Why is Audit Services auditing this department/area/function?” The objective statement should address what Audit Services is attempting to achieve and determine in the audit - the risks, controls, and governance processes associated with the activities under review. Examples:
To determine whether controls are in place and operating as intended.
To determine whether claims for reimbursement are properly authorized.
Scope of the Audit – WHAT – The scope statement should answer “What is Audit Services going to examine during the audit?” This should address the parameters of information being reviewed. Examples:
All reimbursement claims for the period May 1, 2004 to April 30, 2005.
All expenditures related to capital expenditures for the past 3 years.
Designing an appropriate audit program
An audit program is a detailed plan of tasks to be performed during the audit in order to assess the quality of management systems and practices in the organization. This will provide the auditor with sufficient evidence to support the audit conclusions. Key aspects of the audit plan include:
Methodology – how we plan to review items to provide evidence for the conclusions we reach. The objective here is to determine how we are going to assess the extent to which systems and procedures that should be in place are, in fact, in place, and how well they are designed and functioning.
Setting the criteria – these are the standards against which existing conditions may be assessed. Sources of audit criteria may include University policies and guidelines, procedure manuals, authoritative literature, benchmarking studies, and interviews with management.
A time-line for the audit
Scope - this defines what is to be audited and the extent of our examination.
We identify sufficient, reliable, relevant, and useful information to achieve the objectives of the engagement. This is accomplished by completing tests and recording relevant information to support the conclusions and engagement results that will be used in the reporting phase. From the tests and analysis performed, we formulate tentative recommendations for improvement.
As University Policy 4.30 indicates, “units that are subject to audit will be provided with a draft report at the conclusion of the audit.” The draft audit report includes the objective of the audit, what was examined and the results of the fieldwork. In general terms, the audit report summarizes the observations noted during the examination phase and recommendations. Audit Services has developed a report template which provides a basic format that the majority of audit reports follow.
University Policy 4.30 indicates that “The draft report will be submitted to the unit head at which time the unit head will be requested to provide a written response within 30 days. The response will include comments on each of the findings and recommendations in the draft report and will specifically indicate:
Agreement or disagreement with each of the findings and recommendations.
If there is disagreement, the unit head will provide the rationale for disagreement in the written response.
The time frame for implementation of the recommendations.”
The exit meeting concludes the formal audit process. The final draft version of the audit report is presented to management. Once the report is finalized, it is prepared for distribution to the Audit Committee.
Audit Committee members are provided with the Executive Summary of all audit reports. A detailed audit report is provided to Audit Committee members upon request. In addition, the respective Vice-President is provided with an Executive Summary. Detailed audit reports are distributed to management of the areas or functions that were audited.