Annual Audit Plan
Sources of the Annual Plan
Internal Audit’s primary means of serving our customers is the annual audit plan. Each fiscal year the Director of Internal Audit prepares an audit plan for approval by the Finance & Audit Committee of the Board of Trustees. The sources used to prepare the annual plan include, but are not limited to, the following:
- University and departmental risk assessments
- Requests from the Finance & Audit Committee and management
- Prior audits and / or historical trends regarding governance, risk, and compliance management issues and goals
- Information from external sources, e.g., the University’s external auditor for its financial statements
- Federal and local oversight or regulatory trends
- University business cycles, e.g., student accounts, IT systems, and grant management
- New or significant University initiatives
- Feedback or information from Faculty, Staff, or other persons highlighting compliance concerns
- Known or suspected high-risk financial, legal, compliance, or reputational issues
Risk Exposure and Audit Coverage
The sources described above create an audit universe. The events captured in the audit universe can be numerous and vary in significance. Events are prioritized and matched against audit resources. In addition, a certain amount of audit resources is reserved for special projects or emerging issues, e.g., investigations. However, in any one fiscal year and over a three-year planning cycle, audits attempt to address the University’s significant risk exposures. University risk exposure areas may include: asset protection, liability management, legal/regulatory compliance, data integrity and security, process improvement, financial reporting, and business continuity.
See the Chronology of an Audit for a description of how an audit is implemented and audit reports issued.
The audit process is a sequence of steps followed by the auditor in the examination of client records. The audit process may vary depending on the nature of the engagement, its objectives, and the type of audit assurance desired.
The Internal Audit Department's goal is to assist departments and to make the audit process as smooth as possible. University personnel are encouraged to contact Internal Audit for advice on internal control procedures, efficiency and productivity questions or to share concerns regarding possible irregularities. All sensitive information received will be kept confidential to the extent possible by law.
The purpose of the planning stage is to define the subject and scope of the audit, establish customer expectations, and identify the criteria used to evaluate the audit subject. In this stage, the auditor should obtain an overall view of the department or function, and the operating context and constraints. Several methods of gathering information may be appropriate including the following:
- Initial meeting(s) with the department management and process owners
- Internal control questionnaire or surveys of process stakeholders
- Review of Internal Audit projects
- Review of external audit files and other appropriate external information
- Audit program and fieldwork
Fieldwork means executing the planned audit and, if applicable, updating the audit plan based on information learned during the course of the audit. During fieldwork the auditor will obtain and analyze information in order to prepare a draft report and to regularly update key stakeholders on the audit’s progress.
The Exit Conference is an opportunity for the auditor and key stakeholders to review and validate audit outcomes. The Exit Conference should accomplish the following:
- Present observations and determine if the current operating context might affect past transactions, e.g., reduce the severity of a finding
- Confirm facts, observations, and conclusions, e.g., that the findings are accurate
- Validate the root cause leading to findings and present recommendations to eliminate the root cause, and / or achieve control objectives
- Estimate the effect of the findings on University operations or its risk management and compliance objectives
- Solicit draft management comments on the audit findings and determine if alternative recommendations adequately eliminate the root cause of findings
- Define the timeline for issuing the final audit report and implementing recommendations
At a high level, audit reports or supporting work papers should summarize the following information:
- Condition: the facts, observations, and conclusions
- Criteria: the standard or benchmark to measure a condition against
- Root Cause: why the conditions don’t measure up
- Effect: what happened or will happen if the condition is not corrected, e.g., how important is this
- Recommendation: practical, specific, and implementable to eliminate the root cause, and therefore correct the condition
The actual audit report format should be functional, give management an efficient method of reviewing and responding to audit recommendations, and expedite the implementation of recommendations. One example of an audit report format is the following:
- Executive Summary
- Distribution List – who is receiving the report
- Introduction – statement of the auditor’s objectives, results obtained, and a summary of department or function audited including key operating context and constraints
- Conclusion – the professional opinion of the area under review
- Findings and Recommendations – by organizational unit and / or process in sufficient detail to identify the issues and solutions
- Management Comments – key summary information necessary to put the finding into context and written agreement that recommendations will be implemented
- Status of prior audit recommendations, if any
- Appendices and exhibits including statistical summaries of audit test results
After the exit conference, the draft audit report is circulated for review and comment to the process owner and to the Vice President level responsible for the department or function. Whenever possible, the final audit report should be issued no more than 14 business days after the exit conference.
Internal control is defined as a process, effected by the University’s board of trustees, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of financial reporting.
- Compliance with applicable laws and regulations.
The internal control environment is defined as the people, processes, technology, and culture that enable us to achieve our objectives.
The concepts of controls and the control environment apply equally to the University as a whole and to a specific department or unit within the broader community. In fact, the internal control environment found in any one organizational unit of the University (college, department, etc.) can influence the internal control environment of related units, and collectively all the units may impact the internal control environment of the University as a whole.
The strength or health of the internal control environment plays a part in determining the University’s risk exposures and our ability to respond to and manage those risks. In addition, the health of the internal control environment influences audit planning. Over time Internal Audit will add resources to this page to encourage faculty and staff to think about how to improve the University’s internal control environment. Check back and/or make requests for tools or information that would help your work and create an appropriate internal control environment.
One tool to help assess the health of an internal control environment is a Control Self-Assessment Questionnaire. The questionnaire evaluates certain financial controls. The tool should aid in the proactive assessment and management of issues and concerns.
Operations and Cycle
The three categories that establish University-wide context and significant inputs into internal audits are:
- Vision for and the design of services and strategy to achieve our mission
- Basis for gauging the value-add of its reporting to the Finance and Audit Committee and Management