On an annual basis, the Director Internal Audit develops a work plan (Audit Plan) that outlines the areas within the University where Internal Audit will be focusing its efforts for the upcoming year. The Plan is designed to support the allocation of audit resources to those areas that represent the most significant priorities for Queen’s University (“University”) and to guide the Internal Audit activities for the upcoming year. The Internal Audit Plan is presented to the Audit and Risk Committee for approval at the beginning of the fiscal year.
The annual Internal Audit Plan is developed using the following risk-based approach:
Annually, Internal Audit conduct an Enterprise Risk Assessment with senior management and faculty administrators of the University to identify the significant strategic, financial, operational, compliance and technology risks facing the University as well as the key risk mitigation activities. As part of the consultation process, Internal Audit reviews with senior administrators the goals, priority initiatives and outcomes for the faculties, administration, departments and operating units and how these priority initiatives contribute to the achievement of the overall University’s strategy. By focusing on the risks and initiatives at the “enterprise” level, Internal Audit will be able to better align its Audit Plan to the University’s strategies and maximize our resources.
The results of the risk assessment are mapped to the significant operations and critical activities of the University to identify the areas of highest risks that should be covered by the Audit Plan. Other input to the risk assessment and mapping process include: strategic documents audit, results of previous internal audit and external audit reports, other external reports, outstanding management action plans, ongoing discussions with senior administrators as well as risk intelligence acquired through Internal Audit’s participation in operational/steering committees and working groups.
The Internal Audit Plan is designed to focus on areas that are central to the University accomplishing its strategic objectives as well as the effectiveness of key risk mitigation activities. It is important to note that not all high-risk areas will result in an audit or review of that area on the Internal Audit Plan. The appropriate audit response: i) assurance that risk is properly managed, ii) advice to improve internal controls or iii) monitoring of risk levels for the significant risk(s) identified depends on the internal control maturity of the area under question.
On an ongoing basis, Internal Audit undertake a number of departmental initiatives designed to further improve both the operation of the department and the degree of communication with the University’s administration, faculty and the Audit and Risk Committee
The Internal Audit department is comprised of 4 permanent staff. A Resource Plan is developed as part of the Annual Internal Audit Plan, Additional resources, e.g. subject matter expertise, IT audit resource not on staff are obtained from external consultants, budget permitting.