1. What is internal auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Internal auditing is a catalyst for improving an organization's effectiveness and efficiency by providing insight and recommendations based on analyses and assessment of data and business processes.

Audit Services' work is conducted in accordance with standards and guidance promulgated by the Institute of Internal Auditors.

2. What types of services does Audit Services provide?

Audit Services provides assurance and consulting services related to risk management, governance and control.

3. What is an assurance engagement?

An assurance engagement involves an objective assessment of evidence to provide an independent opinion or conclusion regarding the subject matter being assessed, using a formalized methodology.

4. What are consulting services?

Consulting services may include participation in committees, provision of guidance on application controls for systems under development, as well as responding to ad-hoc inquiries from faculties and administrative units on University policies and internal control.

5. What types of assurance engagements does Audit Services perform?

Audit Services provides assurance services related to risk management, governance and control.

Risk management - Risk management audits are conducted to provide assurance that the major risks to the University's objectives are being identified, managed and reported appropriately.

Governance - Governance engagements focus on the University's ethics and values objectives, policies and procedures, organizational performance management and accountability processes.

Control - There are various types of audits of controls that can be conducted. These may include:

  • Compliance audits - Assessments of whether activities are in compliance with policies, procedures, standards and applicable laws and regulations.
  • Operational audits - Assessments pertaining to whether resources are acquired economically, used efficiently and adequately safeguarded. This includes assessing the adequacy of controls designed to manage risks and ensure objectives are met.
  • Information systems audits - Information systems audits focus on the controls over the development, operation, maintenance and security of systems.

Control audits also include assessments of whether financial, managerial and operating information is accurate, reliable and timely and if quality performance and continuous improvement are fostered in control processes.

6. How does Audit Services select areas to audit?

Audit Services follows a three-year Audit Plan approved by the Audit and Risk Management Committee. The plan is developed based on risk assessment information obtained from consultations with senior management, information from prior audits and through a rotation schedule, as well as our own assessment of risks.

7. What is the difference between internal and external audit?

An internal audit is conducted by University of Manitoba employees of Audit Services, or by a firm hired by them. Internal audit's mission is to provide independent, objective assurance and consulting services designed to add value and improve University operations.

External auditors are employees of the Office of the Auditor General Manitoba, which conducts an annual audit of the University's financial statements for the purpose of providing an opinion as to whether the financial statements are free of material misstatements.

8. What does internal audit independence mean?

Though internal auditors are employees of the University, they must maintain complete independence with respect to the University units, and are not subject to restrictions in the scope of their work by senior or operating management. Our independence is ensured by the Audit Services Charter, which provides for a functional reporting relationship to the Audit and Risk Management Committee.

9. What is the typical audit process?

A typical assurance engagement includes the following four stages:

Engagement planning

  • We contact operating management to discuss the overall audit objective, the timing of the audit and the initial plan.
  • We gather preliminary background information related to the area in the scope of the audit, such as the unit's goals and objectives, budgets and financial information, applicable external regulations, and any other pertinent information.
  • We develop a Term of Reference that formally outlines our audit plan, general approach, time frames, objectives and criteria. This includes obtaining input from unit management regarding risk areas to be considered in the audit.
  • We conduct a risk assessment at the engagement level. This is to ensure that all major risks within the area under review are being considered as a part of the audit.

Engagement fieldwork

  • Our fieldwork includes gathering information necessary to formulate conclusions related to the audit objectives and criteria outlined by the Term of Reference.
  • This process normally includes interviews with key staff, review of procedures and relevant documentation, selecting samples and testing data, and reviewing reports.
  • Observations are discussed throughout the fieldwork.

Audit reporting

  • An exit meeting is held with operating management to ensure accuracy of facts collected (no surprises). As a part of this meeting, potential recommendations for improved processes are discussed with management to validate their feasibility and appropriateness.
  • A draft report is prepared and issued to operating management for review, and management is requested to provide comments on any recommendations in the report. The management comments are to include a statement as to whether management agrees or disagrees with our recommendations, an action plan of how the recommendations will be addressed and a target date of completion.
  • Once we receive management comments, we issue a final report to management with the comments included. Copies of the report are provided to the respective Vice Presidents.

Engagement follow-up

  • A follow-up review is conducted six months to one year after an audit report has been issued. A follow-up is not a re-audit, but is designed to evaluate whether corrective action has been taken on the audit observations reported in the original report.

10. What is risk management?

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Source: Institute of Internal Auditors.

11. What is governance?

Governance is the combination of policies, processes and structures implemented to inform, direct, manage, and monitor the activities of the organization toward achievement of its objectives. Source: Institute of Internal Auditors.

12. What is control?

A control is any action taken by management, the Board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Source: Institute of Internal Auditors.

13. What is fraud and financial misconduct?

Please visit the What is Fraud and Financial Misconduct? webpage.