How are departments selected for an internal audit?
Areas are selected for internal audit based on an assessment of risk. Risk can take various forms such as loss of assets, loss of receipts, inappropriate payment of expenses, failure to record transactions accurately, errors or omissions (either accidental or intentional), or failure to follow established policies and procedures. Those areas with a high degree of expected risk are subject to more frequent audit.
Some audits are required by governmental agencies or other outside entities and may be performed annually. Other audits are discretionary and involve departmental, operational, or process reviews. These reviews are scheduled in consultation with management. The Director of Internal Audit prioritizes internal audit work based on the following factors:
- Assessment of the risk
- Management referrals - feedback from deans, directors, or departmental heads (audit requests are solicited continually)
- Significant organizational policy or procedural changes
- Information system installation or modification
- Changes in funding agency policies
Did we do something wrong?
No, audits are rarely scheduled because someone did something wrong, unless it involves suspected misconduct or fraud. We view a single event as an exception or a symptom, and don't redirect resources to deal with isolated events. Only if a single event turns into a series of problems will an activity rise to the top of our audit schedule. What "doing something wrong" may trigger is a management request to us for a consulting engagement to determine whether a process is functioning as intended. We view these assignments as proactive, intended to assist you in your efforts to improve existing processes. A consult of this nature may be as simple as a phone call or brief meeting, or as complex as the assignment of staff to a formal project spanning several months.
Internal audit does not target individuals or departments for audit. We establish an annual audit plan that is based on a number of risk factors, the primary ones being:
- The amount and nature of revenue or receipts (the larger your revenue the more likely you are to be audited).
- The potential impact on the university if something goes wrong (will it affect just your department or the university on a wider scale).
- How new an activity is, or whether it has undergone major change in the recent past (startup or change generally creates added risks).
- Regulatory environment for the activity (are there special regulations for your department and do violations carry heavy penalties).
- Time since last audit and previous findings (the longer it's been since our last visit the higher the likelihood we will be visiting you).
Some departments or processes, by the risk they present, will always get more audit attention, while others, because of regulatory or legislative action, will be audited periodically. If the university experiences problems in a given department or process, it may prompt additional audits until we are convinced no serious exposure exists.
What occurs during an audit?
Once an audit is assigned, the auditor responsible will contact you to advise you of the coming audit and ensure that your workload and staffing make such an undertaking feasible at the planned time. When possible, audits are assigned for a time period that will create the least disruption for your department.
An entrance conference will be scheduled to introduce the auditor(s) to your department and discuss the general scope and objectives of the audit. We will give you the projected timeframe for the audit through completion; however, there are no guarantees, as staff on occasion must suspend work to deal with special time-sensitive assignments. If your project is delayed because of a special assignment, the auditor will advise you of the delay and keep you apprised of the revised completion schedule.
Our goal is to provide you a draft copy of the audit report within three weeks of completion of fieldwork.
1. Preliminary Survey
During this stage, the auditor:
- reviews prior audit reports and other existing information on the client (much of this is done at our office and will not affect your daily work),
- interviews key employees on how processes work (we try to work with you on scheduling interviews, but to complete our work in a timely manner we may cause some disruption),
- assesses whether the processes are functioning as described (while this does not involve extensive meetings with you, some interaction with your staff will be required to clarify points of concern),
- identifies any additional processes that present risks.
This stage identifies the risks the department faces, and the potential impact (both financial and compliance) such risks might have on the department and university. The auditor then ranks them for audit purposes. The approach to, selection of, and degree of testing are then based on these rankings.
2. Fieldwork and Testing
During this stage, based on the rankings and findings from the preliminary survey, the auditor will select the transactions to be tested for accuracy and completeness. This can include anything from review of deposit reconciliations to testing supporting detail for internal transfers or rate calculations. Testing also involves verification of the accuracy of assertions made during the preliminary survey to source documentation.
The amount of testing performed depends on the adequacy of documentation, the internal controls in place, and test results. An organization with good internal controls usually requires a limited amount of testing, but it may be increased if problems are discovered.
Transactions chosen to be tested are determined using sampling methods tailored to fit the process under review. Sampling for our purposes is generally done randomly, and may not be statistical in nature, as that generally entails a substantially larger test. A statistically valid sample is generally not necessary to assess the adequacy of a system.
You will be kept apprised of findings during the testing stage so there are no surprises when the report is issued. Interim meetings with the client to discuss findings are a part of our audit process.
3. Concluding the audit
Completion of an audit involves more than just issuing the audit report. In our process it includes:
- write-up of findings and confirmation of these results with the client,
- issuance of a draft report and the accompanying exit conference at which potential discrepancies are identified, discussed, and corrected if necessary,
- issuance of a final report with findings and corresponding recommendations.
The client is always afforded the opportunity to comment on our findings during the audit, at the exit conference, and with a formal response. It is our practice to provide the client the opportunity to include their response with the final report or following its issuance. We prefer the response be included in the final report so external audiences see our client's replies to our recommendations in a single document.