Internal Audit FAQs

Internal Audit is an independent and objective assurance and consulting activity guided by a philosophy of adding value and improving the University’s operations.  Internal Audit assists the University in accomplishing its strategic objectives by bringing a systematic and disciplined approach to examining and evaluating the adequacy and effectiveness of its governance, risk management, and internal control processes.

Internal Audit maintains independence through a dual-reporting relationship which includes functional reporting to the Audit Committee of the Boad of Trustees and administrative reporting to University Compliance.

The overall goal of a typical audit is to provide the department, unit or function being reviewed with an assessment of their control environment and compliance with appropriate policies, procedures, laws, regulations and other requirements of senior management and the University. A secondary goal of our audit is to make recommendations, if necessary, that are aimed to improve the efficiency and/or effectiveness by which certain procedures are performed. Internal Audit is uniquely qualified in this respect as a result of our professionally trained, experienced staff and because it has broad exposure to operations throughout the University.

Areas are selected for review in several ways: our annual risk assessment, compliance or regulatory requirements, and special requests or other circumstances such as investigations.

Each year the internal audit staff performs a risk assessment of departments or auditable areas to determine next year’s audit schedule. The following factors are considered in determining the relative risk of each area to the University:

• Findings from prior audits
• Time since last audit
• Size and/or complexity of operations
• Recent changes in management, staff, and/or operating systems
• Public scrutiny
• Comments and concerns of senior management

We use this information to establish priorities and develop our annual audit schedule. Because Internal Audit operates as a service to management, we strive to be flexible with our timing and can make attempts to accommodate administrative requests or other special circumstances.

Internal audits are designed to be a collaborative process and we will work with management to identify any possible improvements risk management or controls in the area. Internal Audit strives to communicate clearly and effectively, and we work to make sure that each area understands any findings before an audit is concluded. Though each audit will look different, Audits typically will contain the following stages:

1. Audit Planning – During the planning phase Internal Audit will conduct research on the audit topic to gain a high-level understanding of the area and associated risks before working on the scope and objectives of the audit. Once audit objectives and scope are defined the audit program is created, which is the blueprint for conducting the audit and accomplishing the audit objectives. During this phase you can expect to receive a notification email and charter in which areas are notified in writing via email when they have been selected for review. This notification may contain a request for preliminary information. Additionally, most audits will include a kick-off meeting to introduce the audit staff and outline the audit process. The kick-off meeting is also a time for management to bring any concerns forward for consideration.
2. Audit Fieldwork – This phase will look different for each audit but will typically involve review of policies and procedures followed by conducting tests to assess the adequacy of internal controls and compliance, testing of transactions, records, and resources, and performing other procedures necessary to accomplish the objectives of the audit. It may also include interviews with some key personnel however, we do make an effort to minimize disruptions and try to work with areas to make the audit process as smooth as possible. The audit team will present management with the opportunity to respond to any audit observations, potential issues, and proposed recommendations identified throughout the audit.
3. Audit Report – Audit reports are typically prepared in draft form and if recommendations are made, management is given the opportunity to provide a response to the any findings or recommendations. Typically, a management response would be a rationale for disagreeing with a recommendation, some form of plan to implement a recommendation, or an alternative plan to address any identified concerns. The final result of every audit is a written report or memo that details the audit scope and objectives, results, recommendations for improvement, and the management response or corrective action plans if applicable.

We maintain regular communication throughout the audit. You’ll receive updates during key phases, including a kick-off meeting, periodic status updates, and at the conclusion where any preliminary findings will be discussed. Additionally, you can reach out to the audit team at any time if you have questions or concerns.

The duration of an audit varies depending on its scope and complexity. Most audits typically take several weeks to a few months, but this will be discussed at the start of the process. We aim to complete audits in a timely and efficient manner with minimal disruption to normal operations.

For scheduled audits, Internal Audit will communicate in advance to the area about an upcoming audit. We may submit an initial request for information to the unit or department. This request may include general department information, which aids us in gaining an understanding of the area being reviewed.  After being notified, you can start preparing for an audit by considering the following:

• Look at the policies and procedures you used internally and make sure they are up to date and reflect what your current processes.
• Review your prior audits or reviews and make sure your practices have not drifted back to old practices.  If you need a prior internal audit report, we are happy to provide it for internal review.
• Disclose any known operational issues relevant to the audit scope.
• Think of the strategic initiatives or activities you are doing to meet your unit’s goals.  What are the critical things going on right now that you need help with?  Be prepared to discuss this with the audit team.
• Be prepared to bring forward ways the audit team can provide insight into your operations.  What are some critical areas in your area that you need assurance are working as designed, effectively, or efficiently?  Think broadly, not just financially.