1. What is internal auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessment of data and business processes.

Audit Services' work is conducted in accordance with standards and guidance promulgated by the Institute of Internal Auditors.

2. What types of services does Audit Services provide?

Audit Services provides assurance and consulting services related to risk management, governance and control.

3. What is an assurance engagement?

An assurance engagement involves an objective assessment of evidence to provide an independent opinion or conclusion regarding the subject matter being assessed, using a formalized methodology. The methodology is comprised of three key stages, including planning, conducting and reporting; these stages are outlined below. There are different types of assurance engagements that may be performed depending on the topic being reviewed, as further discussed.

4. What are consulting services?

Consulting services may include participation in committees, provision of guidance on application controls for systems under development, as well as facilitation of risk assessments in cooperation with the Office of Risk Management and Security. When providing services related to risk management, Audit Services does not have a role in managing risks or setting what is often called the "risk appetite"; that is management's responsibility.

5. What types of assurance engagements does Audit Services perform?

Audit Services provides assurance services related to risk management, governance and control.

Risk management - Risk management audits are conducted to provide assurance that the major risks to the University's objectives are being identified, managed and reported appropriately.

Governance - Governance engagements focus on the University's ethics and values objectives, programs and activities, organizational performance management and accountability processes, as well as information technology governance.

Control - There are various types of audits of controls that can be conducted. These may include:

  • Compliance audits - Assessments of whether activities are in compliance with policies, procedures, standards and applicable laws and regulations.
  • Operational audits - Assessments pertaining to whether resources are acquired economically, used efficiently and adequately safeguarded. This includes assessing the adequacy of controls designed to manage risks and ensure objectives are met.
  • Information systems audits - There are many types of information systems audits that focus on the controls that govern the development, operation, maintenance, and security of application systems in a particular environment. This type of audit might involve reviewing a data centre, an operating system, a security software tool, or processes and procedures (such as the procedure for controlling production program changes), etc.

Control audits also include assessments of whether financial, managerial and operating information is accurate, reliable and timely and if quality performance and continuous improvement are fostered in control processes.

6. How does Audit Services select areas to audit?

Audit Services follows a three-year Audit Plan approved by the Audit and Risk Management Committee. The plan is developed based on risk assessment information obtained from the University's Enterprise Risk Management framework and also from consultations with senior management as well as our own assessment of risks.

7. What is the difference between internal and external audit?

An internal audit is conducted by University of Manitoba employees of Audit Services, or by a firm hired by them. Internal audit's mission is to provide independent, objective assurance and consulting services designed to add value and improve University operations.

External auditors are employees of the Office of the Auditor General Manitoba, which conducts an annual audit of the University's financial statements for the purpose of providing an opinion as to whether the financial statements are free of material misstatements.

8. What does internal audit independence mean?

Though internal auditors are employees of the University, they must maintain complete independence with respect to the University units, and are not subject to restrictions in the scope of their work by senior or operating management. Our independence is ensured by the Audit Services Charter, which provides for a functional reporting relationship to the Audit and Risk Management Committee.

9. What is the typical audit process?

A typical assurance engagement includes the following four stages:

Engagement planning

  • We contact operating management to discuss the overall audit objective, the timing of the audit and the initial plan.
  • Gather preliminary background information related to the area in the scope of the audit, such as the unit's goals and objectives, budgets and financial information, applicable external regulations, and any other pertinent information.
  • We develop a Term of Reference that formally outlines our audit plan, general approach, time frames, objectives and criteria.
  • Conduct a risk assessment at the engagement level. This is to ensure that all major risks within the area under review are being considered as a part of the audit.

Engagement fieldwork

  • Our fieldwork includes gathering the necessary information and formulating conclusions related to the audit objectives outlined by the Term of Reference. The information gathering process normally includes interviews with key staff, review of procedures and relevant documentation, and conducting tests to verify effectiveness of controls.
  • Our fieldwork typically includes conducting interviews with management and staff, testing data, reviewing reports, and other tests and procedures necessary to develop conclusions to the audit objectives and criteria that were established.

Audit reporting

  • An exit meeting is held with operating management to ensure all relevant facts are considered and to ensure accuracy of facts collected. Management is also informed of all findings identified to enable management to take actions as may be appropriate. As a part of this meeting, potential recommendations for improved processes are discussed with management to validate their feasibility and appropriateness.
  • A draft report is prepared to summarize all major audit findings and provide audit recommendations. The draft report is issued to operating management for review and management is requested to provide management comments to any recommendations that may be provided. The management comments are to include a statement as to whether management agrees or disagrees with our recommendations; an action plan of how the recommendations will be addressed and a target date of completion.
  • Once we receive management comments, we issue a final report to management with the comments included. Copies of the report are provided to the respective Vice Presidents.

Engagement follow-up

  • A follow-up review is conducted six months to one year after an audit report has been issued. A follow-up is not a re-audit, but is designed to evaluate whether corrective actions have been taken on the audit issues reported in the original report. Essentially, we validate that there has been progress on the management action plan that was included in their responses to our audit recommendations.

10. What is risk?

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Source: Institute of Internal Auditors.

11. What is risk management?

Risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Source: Institute of Internal Auditors.

12. What is governance?

Governance is the combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward achievement of its objectives. Source: Institute of Internal Auditors.

13. What is control?

A control is any action taken by management, the Board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Source: Institute of Internal Auditors.

14. What is fraud?

Fraud is generally any attempt to deceive another party to gain a benefit. There is a broad range of acts that can constitute fraud, but all fraudulent acts involve a violation of trust. The Association of Certified Fraud Examiners categorizes fraud into the following three categories:

Asset misappropriation - schemes in which an employee steals or misuses the organization's resources. Some of the types of asset misappropriation schemes are:

  • Skimming - collecting cash receipts from customers and not recording them.
  • Expense reimbursement - personal or nonexistent items being claimed on expense claims.
  • Payroll manipulations - claims for hours not worked, pay rate adjustment, adding nonexistent employees to the payroll.
  • Cash misappropriation - simply stealing cash from the cash register or petty cash.
  • Non-cash items misappropriation - theft of non-cash items such as inventory, equipment and supplies.

Corruption - Corruption involves the misuse of influence in a business transaction in a way that violates duty to the employer in order to gain direct or indirect benefit. It could include bribery, receipt of kickbacks and gratuities, and aiding and abetting fraud by other parties.

Financial statement fraud - Financial statement fraud involves intentional manipulation of financial statements, which can lead to inappropriately reported revenue, expenses or balance sheet amounts, or concealing misappropriation of assets.