Risk Assessment and the Audit Process
Below you can find information on the Internal Audit risk assessment and audit process
Departments/Units selected for review are based on a formal risk-assessment planning process. Internal Auditor performs a risk assessment of all units (academic, administrative, research and ancillary) on an annual basis. This risk assessment encompasses a number of factors:
Ř Identification of the audit universe pertaining to the University using various sources, including University’s Financial Statements, input from University’s Senior Administration and / or Senior Management, discussions with the Audit & Compliance Committee Chair(s) and / or members, and using professional judgement.
Ř For each of the audit universe items identified, the following risk factors are considered in determining ranking for each audit area as low, moderate or high priority.
Financial Impact: impact on the University’s revenue generating activities and cost effectiveness
Quality of Controls:
o Impact on University activities – how much does the process / activity impact other areas of the University
o System / process changes – significant system or process changes that could impact existing controls
o Organizational change / staff turnover – changes to the organizational structure or changes to key personnel
o Staff and Management – quality of management, adequate staffing, experience / education of staff
o Policies and Procedures – perceived strength of existing policies and procedures
o Fraud - what is the potential for fraud in the area / unit / activity
o Regulatory compliance - how much the process / activity depends on regulatory compliance
o Public exposure - probability of an unforeseen event negatively affecting the University's public image
· Audit History: time since last audit, prior issues detected, extent of external audit coverage
The risk assessment process ensures audit resources are allocated to areas where a review would most benefit the University. The Annual Internal Audit Plan is developed by the Internal Auditor, reviewed with Senior Administration and presented to the Audit & Compliance Committee of the Board of Governors for approval.
The Audit Process
There are four phases to every audit conducted by the Internal Auditor:
- Follow up
During each phase, the department or unit under review has the opportunity to participate – audits work best with clear and open communication and collaboration between the department/unit and the Internal Auditor.
- The department/unit selected is contacted in advance of the audit and informed of the intent to perform a review.
- An introductory meeting is set up between the director/department head, or equivalent, and the Internal Auditor. The meeting serves two purposes: first, the Internal Auditor will outline the process, timing and what the client or auditee can expect during the review; second, the department/unit is able to express any issues or concerns with the audit process or areas within their units that they would like to have reviewed. The preliminary scope and objectives of the audit are then determined and shared with the department/unit.
- Following the introductory meeting, more detailed information is gathered through interviews with key operational and financial staff, review of financial and operational information and other documents available (i.e. department websites, newsletters, etc.)
- Fieldwork is the gathering of information necessary to assess the adequacy and effectiveness of internal controls, risk management and governance processes. Auditors do this through discussion and inquiry with staff, reviewing procedures and business processes, conducting tests and examining supporting documentation to meet the objectives of the audit.
- Once fieldwork is completed, the auditor will prepare a listing of all significant findings. These findings will form the basis for the audit report.
- In the conduct of their work, Internal Auditor is authorized to have unrestricted access to all functions, records, property and personnel.
- Audit findings are summarized and reviewed with department management and staff either throughout or at the end of the audit process to confirm findings and ensure all relevant facts are considered.
- A draft audit report is prepared for management and includes the findings, observations, impact of the findings and related recommendations.
- The draft audit report is then provided to the department's management for review and provides management with an opportunity to respond to the findings.
- Management is required to provide timely written responses to the findings, including an action plan of how the recommendations will be implemented.
- A closing meeting will then be scheduled where the findings, observations, recommendations and management action plans will be discussed and any disagreements or concerns addressed.
- A final audit report is then prepared in a more summarized form to be presented to the Audit & Compliance Committee of the Board of Governors. This report is also distributed to department's management and other relevant parties.
- Once the audit is completed, Internal Audit will periodically request an update on progress made in implementing recommendations. This normally occurs on an annual basis.
- In some instances, it may be necessary to revisit the department to ensure corrective actions have been taken and the actions are achieving the desired results.
- Reports of follow-up activity are provided to the Audit & Compliance Committee of the Board of Governors.