1. Definition of the Audit Universe

The audit universe is the aggregate of all areas that are available to be audited within the university. To define the universe, the auditor divides the organization into manageable auditable activities (auditable units), which may be defined in a number of ways, such as by function or activity, by organizational unit or division, or perhaps by project or program. Some examples of auditable activities include:

  1. Policies, procedures and practices
  2. Business units such as Residence
  3. Information systems
  4. Major contracts with funding agencies
  5. Functions such as purchasing, accounting, finance

2. The Audit Plan

The Director of Audit Services submits the annual Audit Plan to the Audit Committee of the Board of Governors for approval. The plan establishes the priorities of the internal audit activity, consistent with the organization’s goals and objectives. Audit Services currently uses the “risk-based” approach to decide which audits are to be selected for inclusion in the annual Audit Plan. The governing body for the internal audit profession, the Institute of Internal Auditors (IIA), has developed standards that provide a framework for performing a broad range of value-added internal audit activities. One of the standards developed with respect to planning audits indicates “The internal audit activity’s plan of engagements should be based on a risk assessment.”

Why do we use this approach? Simply stated, we only have so much audit time, so we can’t audit everything . . . but we can audit high risk and minimally controlled activities.

Risk Based Auditing

  1. Risk-based auditing begins by reviewing the organizational objectives, then considers the risks that impact on the achievement of those objectives, and examines the methodologies in place to mitigate those risks.
  2. Risks can be avoided, shared, or transferred rather than controlled. Risk-based auditing also explicitly accepts that there will always be some risk that must be accepted; but the acceptable amount must be kept within the limits established by the Board and management.
  3. Audit Services identifies risk factors and evaluates them. The evaluation of risk factors includes, but is not limited to, discussions with management, observations made during previous audits, and the past history of the unit. Some examples of risk factors are:
    • Size of the unit
    • Recent changes in accounting or administrative systems
    • Complexity of operations
    • Liquidity of assets
    • Recent changes in key personnel
    • Economic condition of the unit
    • Rapid growth or decline of the unit’s personnel
    • Time since last audit
    • Pressure on management to meet objectives
    • Level of employees’ moral
  4. Based on the evaluation, we assign a “Risk Rating” (low, medium or high) and a “Priority Level” of 1, 2 or 3 (with 1 being the highest priority).
  5. Audits are selected based on the identification and evaluation of significant risk exposures as mentioned above. By focusing on the risk, internal auditors are able to identify controls that are absent or ineffective, as well as those that are no longer relevant.
  6. Requests for audits may also originate from the Board of Governors, the Audit Committee, Administration or any campus unit.

3. Audit Engagement Plan

a. Knowledge of area to be audited

This step allows the auditor to obtain specific knowledge about the unit or function to be audited. Accomplishing this allows the auditor to determine the answers to the following questions:

  • What are the specific risks?
  • What controls are in place?
  • What controls does the internal auditor think should be in place?

b. Establishing the audit objectives and scope

     i. Objective of the Audit - WHY – The objective statement should answer the question “Why is Audit Services auditing this department/area/function?” The objective statement should address what Audit Services is attempting to achieve and determine in the audit - the risks, controls, and governance processes associated with the activities under review. 


  • To determine whether controls are in place and operating as intended   
  • To determine whether claims for reimbursement are properly authorized  

     ii. Scope of the Audit – WHAT – The scope statement should answer “What is Audit Services going to examine during the audit?” This should address the parameters of information being reviewed. 


  • All reimbursement claims or the period May 1, 2014 to April 30, 2015   
  • All expenditures related to capital expenditures for the past 3 years

c. Designing an appropriate audit program

An audit program is a detailed plan of tasks to be performed during the audit in order to assess the quality of management systems and practices in the organization. This will provide the auditor with sufficient evidence to support the audit conclusions. Key aspects of the audit plan include:

  • Methodology – how we plan to review items to provide evidence to the conclusions we reach. The objective here is to determine how we are going to assess the extent to which systems and procedures that should be in place are, in fact, in place, and how well they are designed and functioning.
  • Setting the criteria – these are the standards against which existing conditions may be assessed. Sources of audit criteria may include University policies and guidelines, procedure manuals, authoritative literature, benchmarking studies, and interviews with management.
  • A time-line for the audit.
  • Scope - this defines what is to be audited and the extent of our examination.

4. Terms of Reference

We prepare a document entitled the Terms of Reference which communicates to the manager of the area what the audit includes:

  • the objective of the audit
  • the inherent risks involved
  • the scope of the audit
  • the methodology
  • a list of recipients of the audit report
  • the suggested time frame in which the audit will be completed

5. Fieldwork

We identify sufficient, reliable, relevant, and useful information to achieve the objectives of the engagement. This is accomplished by completing tests and recording relevant information to support the conclusions and engagement results that will be used in the reporting phase. From the test and analysis performed we formulate tentative recommendations for improvement.

6. Draft Audit Report

As University Policy, Audit Services Recommendations indicates, “Units that are subject to audit will be provided with a draft report at the conclusion of the audit.” The draft audit report includes the objective of the audit, what was examined and the results of the fieldwork. In general terms, the audit report summarizes the observations noted during the examination phase and recommendations. Audit Services has developed a report template which provides a basic format that the majority of audit reports follow.

7. Management Comments

University Policy, Audit Services Recommendations indicates that, “The draft report will be submitted to the unit head at which time the unit head will be requested to provide a written response within 30 days. The response will include comments on each of the findings and recommendations in the draft report and will specifically indicate:

  • Agreement or disagreement with each of the findings and recommendations.
  • If there is disagreement, the unit head will provide the rationale for disagreement in the written response.
  • The time frame for implementation of the recommendations.”

8. Exit Meeting

The exit meeting concludes the formal audit process. The final draft version of the audit report is presented to management. Once the report is finalized, it is prepared for distribution to the Audit Committee.

9. Distribution of the Audit Report

Audit Committee members are provided with the Executive Summary of all audit reports. A detailed audit report is provided to Audit Committee members upon request. In addition, the respective Vice-President is provided with an Executive Summary. Detailed audit reports are distributed to management of the areas or functions that were audited.

10. Follow-up and Monitoring

In some instances, follow-up audits or monitoring may be part of the audit process. These projects are selected on an individual basis.