Audit Services provides independent and objective assessments of governance, risk management and control processes. We conduct four main types of internal audits, frequently incorporating aspects of each when we review a university faculty or unit.
Types of audits
Financial audits involve reviews of internal control processes over revenues and expenses. This includes reviews focused on the safeguarding of assets. We also will review the accuracy of financial reporting in accordance with laws, regulations and university policies and procedures.
Operational audits focus on whether the university’s resources are being used efficiently and effectively. During these reviews, we typically develop flowcharts of existing processes, and identify opportunities to streamline processes, while at the same time maintaining adequate internal control.
Compliance audits review financial and operational controls and transactions to see how well they conform to university policies and procedures, or applicable legislation and regulations. Our “unit control” projects are an example of a typical compliance audit.
Information technology audits are conducted on the information technology environment, including infrastructure and applications, to assess their adequacy to protect the confidentiality, integrity and availability of information and data.
Annual audit planning
Faculty and unit audit priorities are identified through an annual risk assessment process. An annual audit plan is developed and submitted for review and approval by senior administration and the Audit and Risk Management Committee.
Upon approval of the audit plan, faculties and units are notified of the planned audit. The notification will include a discussion of the overall audit objective, the initial planned audit approach, and arranging a mutually convenient time to complete the audit.
When we initiate an audit engagement, we develop a “Term of Reference” that formally outlines our audit plan, general approach, time frames, objectives and criteria. We solicit input from unit management regarding risk areas to be considered in the audit.
Our fieldwork includes gathering information necessary to formulate conclusions related to the audit objectives and criteria outlined in the Term of Reference.
This process normally includes interviews with key staff, review of procedures and relevant documentation, selecting samples and testing data, and reviewing reports.
An exit meeting is held with operating management to ensure the accuracy of the facts collected. As a part of this meeting, potential recommendations for improved processes are discussed with management to validate their feasibility and appropriateness.
A draft report is prepared and issued to operating management for review, and management is requested to provide comments to any recommendations that may be provided. The management comments are to include an action plan of how the recommendations will be addressed and a target date of completion.
Once we receive management comments, we issue a final report to management with the comments included. Copies of the report are provided to the relevant senior management.
A follow-up review is initiated six months to one year after an audit report has been issued. A follow-up is not a re-audit, but is designed to evaluate that corrective action has been taken on the audit observations reported in the original report.