What to Expect from Internal Audit
As defined by the Institute of Internal Auditors (IIA), “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Reporting to the Audit Committee of the Board of Governors, Internal Audit assists the Board in fulfilling its oversight responsibilities. Internal Audit will assess and analyze the University’s risks and controls; review and confirm compliance with policies, procedures, and legislation; and provide the Audit Committee of the Board of Governors and executive management of the University reasonable assurance that risks are adequately mitigated and that the University's governance process is effective. Where required, Internal Audit will make recommendations for improvement to processes, procedures, policies and systems.
Internal Audit reports functionally to the Audit Committee of the Board of Governors and administratively to the Vice-President, Finance and Chief Financial Officer.
Working from Enterprise Risk Management’s identified institutional risks, Internal Audit also considers emerging risks and designs the Annual Audit Plan accordingly. Audits are identified for the year using a risk-based assessment process. Internal Audit works with management while still striving to be agile in its approach to addressing priority areas for the University.
There are four phases to an audit at the University of Calgary:
- Planning: information gathering to determine the audit objectives, scope, approach and timing of the engagement;
- Fieldwork: performing interviews and walkthroughs and testing internal controls, systems, policies and procedures for efficiency, effectiveness and adequacy;
- Reporting: the results of the audit are compiled and presented in draft form for discussion, and the final report is issued to management and the Audit Committee; and
- Follow-Up: quarterly follow-up with management to ensure that corrective actions are being implemented to address significant issues identified in the audit. If remediation is complete and passes testing, the recommendation is closed.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal control helps entities achieve important objectives and sustain and improve performance. COSO’s Internal Control-Integrated Framework enables organizations to effectively and efficiently develop systems of internal control that adapt to changing business and operating environments, mitigate risks to acceptable levels, and support sound decision making and governance of the organization.”
An environment of control is the responsibility of every employee at the University. Internal controls within an area of responsibility are designed and implemented to effectively mitigate risks inherent in the process. Internal controls are designed to provide reasonable assurance to management on:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Safeguarding resources against loss, misuse and damage.
Examples of common internal controls include:
- Policies and procedures (at the University, campus, and unit level) that are communicated and that establish what should be done, how, and by whom;
- Approvals and authorizations that include a thorough review of supporting information to verify the propriety and validity of transactions;
- Verifications and reconciliations (e.g., review and reconciliation of PeopleSoft transactions, financial statements, petty cash verifications, comparison of budget to actual amounts);
- Supervision including training, keeping employees informed of new policies and procedures, and performance reviews;
- Safeguarding of assets (including passwords and other restricted information) against theft, destruction, deterioration, or misuse (for example, by locking your office, depositing cash receipts promptly, and limiting access to procurement cards); and
- Segregation of duties (dividing authorization, custody, and record keeping duties among different people so that someone can't both perpetrate and conceal an error or irregularity).
Internal Audit works closely with management to provide recommendations for improvement. It is the responsibility of management to assess the cost/benefits of implementing Internal Audit's recommendations relative to the risks involved and determine whether the residual risk is acceptable to the University.
Yes. Internal Audit will consider requests for audits and for advisory/consulting services. The ability to perform the audit or advisory/consulting service will depend on the availability of Internal Audit staffing resources, the risk level of the area in question, Internal Audit’s progress on the annual plan and other deadlines. Internal Audit will work with you to determine the most appropriate course of action to address the risk within the area in your department.
The Executive Summary Report containing only the significant findings from the audit/review and the general management response are issued to the Audit Committee.