Once a decision has been made to audit a unit (based on the annual risk assessment and afterapproval of the audit plan), the following are the usual steps in the process:
Prior to undertaking a review other than Continuous Auditing, the head of the administrative units and/or the faculties is contacted and a meeting is scheduled to discuss the type of audit, the objectives, the audit process and timing.
The meeting is followed with the issuance of a letter confirming the scope and timing of the audit/review. The unit head is asked to advise his/her staff of the review and solicit their cooperation.
During this phase, Internal Audit obtains an understanding of the operating environment, processes and related risks. Information is gathered from the introductory meeting, interviews, documentation including websites, strategic plans, budgets, etc. The audit team prepares a formal risk assessment and an Audit Program (see Fieldwork) to review the client’s existing procedures and controls which relate to the significant risks identified. Using this risk-based approach, the auditor ensures the review is focused on the significant risks.
During this phase, the auditor carries out the Audit Program, which could include procedures to (a) determine the adequacy and effectiveness of client procedures and controls for managing the significant risks identified, (b) assess compliance with University and External policies and procedures in the target risk areas, and (c) identify opportunities for improving the efficiency and effectiveness of the client’s administration.
Audit procedures include interviews with client staff, observation of the client’s business processes, examination of the client’s records and supporting documentation, verification of the accuracy, propriety, and completeness of the client’s transactions, analytical reviews, and inspection of the client’s assets and facilities.
Preliminary findings are discussed with the appropriate client personnel to confirm the factual accuracy of the audit observations and findings.
At the end of the audit fieldwork, Internal Audit will meet with management of the administrative units or a senior member of the faculty to discuss the issues and findings from the audit. Management is requested to provide their comments and Management Action Plans including accountability and timeline for the implementation of the action plans upon receipt the draft audit report. The timeline for the response depends on the complexity of the area under review/audit and is agreed between Internal Audit and management.
In most cases, two final reports are issued for each engagement; the Full Report containing detailed findings, recommendations and action plans and the Summary Report. The Full Report is issued to the head of the administrative units or the dean of the faculty, Chair of the Audit and Risk Committee and the external auditor. The Summary Report, which highlights only the significant findings from the audit/review and the general management response, is issued to the Audit and Risk Committee.
In the case of Special Investigations, the report distribution will be determined, in consultation with senior management, on a case-by-case basis.
As part of Internal Audit’s follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
Annually, we request management to represent in writing whether the agreed action plan has been addressed. The extent and timing of our follow-up activity is based on the risk ranking assigned to a particular action plan. For items assessed as “Complete” by management, Internal Audit will perform specific procedures to validate the implementation. If we conclude that the recommendations from the audit have been addressed appropriately, no further audit work is performed. For items assessed as “In-Progress”, Internal Audit will review the remediation actions that have been implemented to-date and the outstanding actions to assess whether the target completion dates; or if the target have been revised, the revised target completion dates are reasonable.