1. What is internal auditing?
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessment of data and business processes.
Audit Services' work is conducted in accordance with standards and guidance promulgated by the Institute of Internal Auditors.
2. What types of services does Audit Services provide?
Audit Services provides assurance and consulting services related to risk management, governance and control.
3. What is an assurance engagement?
An assurance engagement involves an objective assessment of evidence to provide an independent opinion or conclusion regarding the subject matter being assessed, using a formalized methodology. The methodology is comprised of three key stages, including planning, conducting and reporting; these stages are outlined below. There are different types of assurance engagements that may be performed depending on the topic being reviewed, as further discussed.
4. What are consulting services?
Consulting services may include participation in committees, provision of guidance on application controls for systems under development, as well as facilitation of risk assessments in cooperation with the Office of Risk Management and Security. When providing services related to risk management, Audit Services does not have a role in managing risks or setting what is often called the "risk appetite"; that is management's responsibility.
5. What types of assurance engagements does Audit Services perform?
Audit Services provides assurance services related to risk management, governance and control.
Risk management - Risk management audits are conducted to provide assurance that the major risks to the University's objectives are being identified, managed and reported appropriately.
Governance - Governance engagements focus on the University's ethics and values objectives, programs and activities, organizational performance management and accountability processes, as well as information technology governance.
Control - There are various types of audits of controls that can be conducted. These may include:
Control audits also include assessments of whether financial, managerial and operating information is accurate, reliable and timely and if quality performance and continuous improvement are fostered in control processes.
6. How does Audit Services select areas to audit?
Audit Services follows a three-year Audit Plan approved by the Audit and Risk Management Committee. The plan is developed based on risk assessment information obtained from the University's Enterprise Risk Management framework and also from consultations with senior management as well as our own assessment of risks.
7. What is the difference between internal and external audit?
An internal audit is conducted by University of Manitoba employees of Audit Services, or by a firm hired by them. Internal audit's mission is to provide independent, objective assurance and consulting services designed to add value and improve University operations.
External auditors are employees of the Office of the Auditor General Manitoba, which conducts an annual audit of the University's financial statements for the purpose of providing an opinion as to whether the financial statements are free of material misstatements.
8. What does internal audit independence mean?
Though internal auditors are employees of the University, they must maintain complete independence with respect to the University units, and are not subject to restrictions in the scope of their work by senior or operating management. Our independence is ensured by the Audit Services Charter, which provides for a functional reporting relationship to the Audit and Risk Management Committee.
9. What is the typical audit process?
A typical assurance engagement includes the following four stages:
10. What is risk?
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Source: Institute of Internal Auditors.
11. What is risk management?
Risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Source: Institute of Internal Auditors.
12. What is governance?
Governance is the combination of processes and structures implemented by the Board to inform, direct, manage, and monitor the activities of the organization toward achievement of its objectives. Source: Institute of Internal Auditors.
13. What is control?
A control is any action taken by management, the Board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Source: Institute of Internal Auditors.
14. What is fraud?
Fraud is generally any attempt to deceive another party to gain a benefit. There is a broad range of acts that can constitute fraud, but all fraudulent acts involve a violation of trust. The Association of Certified Fraud Examiners categorizes fraud into the following three categories:
Asset misappropriation - schemes in which an employee steals or misuses the organization's resources. Some of the types of asset misappropriation schemes are:
Corruption - Corruption involves the misuse of influence in a business transaction in a way that violates duty to the employer in order to gain direct or indirect benefit. It could include bribery, receipt of kickbacks and gratuities, and aiding and abetting fraud by other parties.
Financial statement fraud - Financial statement fraud involves intentional manipulation of financial statements, which can lead to inappropriately reported revenue, expenses or balance sheet amounts, or concealing misappropriation of assets.