Services Offered by Internal Auditing
Audits: Auditing is the primary function of the department and may include operational, compliance, vendor, cyber security, information technology, and financial focus areas. Annually, an audit plan is presented and approved by the Board of Trustees.
Consulting: Consulting services are performed at management’s request and range from phone consultation, brief meeting, or formal reviews. Depending on the nature of the engagement, the scope may be defined in an announcement memo and a detailed report may be issued at the conclusion of the engagement.
Special Investigations: Based on information reported to the department or discovered during an audit, suspected fraud, waste, abuse, or violations of rules or regulations will be investigated and reported, as appropriate, to law enforcement or other entity(s).
Standing Committees: The Audit Director or member of the team may participate in University committees to stay informed of management activities and to enhance our ability to perform consulting and audit activities.
How/Why is an Area Selected for Audit?
Multiple risk factors are considered when establishing priorities and developing audit schedules:
- Size/complexity of an area
- Prior audit recommendations
- Time since last audit
- New operations
- Recent changes in management, staff or systems
- Comments or concerns of senior management
- Public sensitivity
The audit schedule is subject to change due to management requests or special circumstances.
Audit Cycle Synopsis
The following steps are followed in most audits conducted:
- Selection of Unit to be Audited Based on:
- Input from President, Vice Presidents, Business Officers, and other University management level personnel
- Level of Risk: Volume of activity, stability of management/staff, last time audited, public relations exposure, external regulatory requirements.
- Notification to Audit Client and Vice President – Allows for input into the audit process by the Vice President or other appropriate intermediaries.
- Entrance Conference – Scope/objectives and purpose of audit are explained. Allows for audit client input into the audit process.
- Field Work – Auditor performs work. Findings/recommendations are shared with audit client as audit progresses.
- Work Paper Review – Director or audit manager reviews work papers and interacts with audit client and University management as audit progresses.
- Draft Report – Sent to audit client via email for review and discussion at the Exit Conference. The audit client is expected to have drafted written responses prior to the exit conference. Typically, a two-week period is provided between the draft report and exit conference.
- Exit Conference – Contents of draft report and proposed responses are discussed and agreement reached on any necessary changes. Draft responses will include planned or completed changes made and the expected completion date.
- Final Report – Email copy sent to audit client with their response incorporated. Email copies sent to appropriate intermediaries.
- Audit Findings – Findings denoted within the report are entered and tracked within the audit software of TeamMate. Open issues are summarized and reported to executive management and the Board of Trustees on issues that are past due.
- Follow-up Audit/Review – Within 12 months, the implemented recommendations may be reviewed for their effectiveness.
External Quality Assessment (Who Audits the Auditors?)
An external quality assessment is performed every five years to evaluate the efficiency and effectiveness of IA activities. Compliance with the International Standards for the Professional Practice of Internal Auditing is also reviewed.