While there are four major types of internal audits (financial, operating, compliance and information technology), it is not unusual to incorporate elements of each when we review a business process or department on any of the campuses.
Financial audits involve the evaluation of internal control processes over revenues and expenses, and the accuracy of their reporting in accordance with laws, regulations and internally developed policies and procedures. In addition, the safeguarding of the university's assets, as well as the fair presentation of its rights and obligations, may be the subject of financial audits.
Operational audits examine the use of the university's resources to evaluate whether those resources are being used in the most efficient and effective way to fulfill the university's mission and objectives. These are sometimes called performance audits. An operational audit may include elements of both a financial and compliance audit.
Compliance audits review both financial and operating controls and transactions to see how well they conform to established laws, standards, regulations and procedures. In addition, the audit might identify gaps between regulations and university procedures and, in turn, would suggest training and follow-up programs to ensure personnel are adequately informed about compliance requirements.
Information technology audits evaluate the internal controls related to the management of information technology environments and related infrastructure, applications and data.
The objective of Continuous Auditing is to assess the completeness, accuracy and propriety of a monthly sample of transactions drawn from the University’s accounting system using Computer Assisted Audit Techniques (CAATs). CAATs are tools used by Internal Audit to select samples and monitor transactions and data recorded in the University’s accounts for anomalies and compliance with University policies and procedures.
Special Reviews can be undertaken as a result of requests by senior university administrators or department heads, from findings identified in the course of an audit review, or concerns reported to the Department. The reviews are limited in scope to address the specified concerns only.
Sometimes internal auditors are asked to perform Special Reviews by the University. The University may request specific reviews of a department's internal controls, situations involving conflicts of interest, or financial irregularities.
On an annual basis, the Director, Internal Audit develops a work plan (Audit Plan) that outlines the areas within the University where Internal Audit will be focusing its efforts for the upcoming year. The Plan is designed to support the allocation of audit resources to those areas that represent the most significant priorities for Queen’s University (“University”) and to guide the Internal Audit activities for the upcoming year. The Internal Audit Plan is presented to the Audit and Risk Committee for approval at the beginning of the fiscal year.
The annual Internal Audit Plan is developed using the following risk-based approach:
Annually, Internal Audit conducts an Enterprise Risk Assessment with senior management and faculty administrators of the University to identify the significant strategic, financial, operational, compliance and technology risks facing the University as well as the key risk mitigation activities. As part of the consultation process, Internal Audit reviews with senior administrators the goals, priority initiatives and outcomes for the faculties, administration, departments and operating units and how these priority initiatives contribute to the achievement of the University’s overall strategy. By focusing on the risks and initiatives at the “enterprise” level, Internal Audit will be able to better align its Audit Plan to the University’s strategies and maximize our resources.
The results of the risk assessment are mapped to the significant operations and critical activities of the University to identify the areas of highest risk that should be covered by the Plan. Other inputs to the risk assessment and mapping process include: strategic documents, results of previous internal audit and external audit reports, other external reports, outstanding management action plans, ongoing discussions with senior administrators, as well as risk intelligence acquired through Internal Audit’s participation in operational/steering committees and working groups.
The Internal Audit Plan is designed to focus on areas that are central to the University accomplishing its strategic objectives as well as the effectiveness of key risk mitigation activities. It is important to note that not all high-risk areas will result in an audit or review of that area on the Internal Audit Plan. The appropriate audit response, whether (i) assurance that risk is properly managed, (ii) advice to improve internal controls or (iii) monitoring of risk levels for the significant risk(s) identified, depends on the internal control maturity of the area in question.
On an ongoing basis, Internal Audit undertakes a number of departmental initiatives designed to further improve both the operation of the department and the degree of communication with the University’s administration, faculty and the Audit and Risk Committee.
The Internal Audit department is comprised of 4 permanent staff. A Resource Plan is developed as part of the Annual Internal Audit Plan. Additional resources not on staff (e.g. subject matter expertise, IT audit resource) are obtained from external consultants, budget permitting.
Once a decision has been made to audit a unit (based on the annual risk assessment and after approval of the audit plan), the following are the usual steps in the process:
Prior to undertaking a review other than Continuous Auditing, the head of the administrative units and/or the faculties is contacted and a meeting is scheduled to discuss the type of audit, the objectives, the audit process and timing.
The meeting is followed with the issuance of a letter confirming the scope and timing of the audit/review. The unit head is asked to advise his/her staff of the review and solicit their cooperation.
During this phase, Internal Audit obtains an understanding of the operating environment, processes and related risks of the area under audit/review. Information is gathered from the introductory meeting, interviews, documentation including websites, strategic plans, budgets, etc. The audit team prepares a formal risk assessment and an Audit Program (see Fieldwork) to review the client’s existing procedures and controls which relate to the significant risks identified. Using this risk-based approach, the auditor ensures the review is focused on the significant risks.
During this phase, the auditor carries out the Audit Program, which could include procedures to (a) determine the adequacy and effectiveness of client procedures and controls for managing the significant risks identified, (b) assess compliance with University and external policies and procedures in the target risk areas, and (c) identify opportunities for improving the efficiency and effectiveness of the client’s administration.
Audit procedures include interviews with client staff, observation of the client’s business processes, examination of the client’s records and supporting documentation, verification of the accuracy, propriety, and completeness of the client’s transactions, analytical reviews, and inspection of the client’s assets and facilities.
Preliminary findings are discussed with the appropriate client personnel to confirm the factual accuracy of the audit observations and findings.
At the end of the audit fieldwork, Internal Audit will meet with management of the administrative units or a senior member of the faculty to discuss the issues and findings from the audit. Management is requested to provide their comments and Management Action Plans, including accountability and timeline for the implementation of the action plans, upon receipt of the draft audit report. The timeline for the response depends on the complexity of the area under review/audit and is agreed between Internal Audit and management.
In most cases, two final reports are issued for each engagement: the Full Report, containing detailed findings, recommendations and action plans, and the Summary Report. The Full Report is issued to the head of the administrative units or the dean of the faculty, the Chair of the Audit and Risk Committee and the external auditor. The Summary Report, which highlights only the significant findings from the audit/review and the general management response, is issued to the Audit and Risk Committee.
In the case of Special Investigations, the report distribution will be determined, in consultation with senior management, on a case-by-case basis.
Internal Audit’s follow-up process is to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
Annually, we request management to represent in writing whether the agreed action plan has been addressed. The extent and timing of our follow-up activity is based on the risk ranking assigned to a particular action plan. For items assessed as “Complete” by management, Internal Audit will perform specific procedures to validate the implementation. If we conclude that the recommendations from the audit have been addressed appropriately, no further audit work is performed. For items assessed as “In-Progress”, Internal Audit will review the remediation actions that have been implemented to date and the outstanding actions to assess whether the target completion dates (or, if the targets have been revised, the revised target completion dates) are reasonable.