Risk Assessment
and Annual Audit Plan - IA continually assesses the risk of units and
uses this information for development of the annual Audit Plan.
a. Risk Assessment
- A detailed risk assessment
model for the University continues to be used to provide us with quantitative
and qualitative measures to identify and assess areas of high risk. This
tool is regularly updated after each audit and is the basis of our Annual
Audit Plan and schedule. IA meets with management throughout the University
to gain an understanding of any new initiatives, changes in the unit and/or
management, current issues and to identify areas of potential risk.
Effectiveness: Our
Risk Assessment process has helped us to prioritize our efforts and identified
areas of highest risk for the University. As part of IA’s own process improvement,
we have revised our risk factors to better suit our needs. IA evaluates
risk based on a combination of six different factors each weighted according
to its significance.
b. Audit Plan
– An annual
audit plan is developed each fiscal year. The audits focus on the areas
of highest risk and exposure. Our plan attempts to balance coverage between
administrative, academic and student services. Our Audit Plan is continually
evaluated based on conditions and issues which may arise. A copy of our
FY 2002-3 Audit Plan is available for review on our web site.
Effectiveness: The
objective for this year’s plan is to focus more on critical processes and
risks which impact multiple units across campus. Our plan will still incorporate
reviews where there is a change in management, CES and some select areas
of the University.
c. Communication - Our goal is to develop an open line of communication
and a strong working relationship with key individuals throughout the University.
These key areas include the Chancellor’s, Provost’s administrative units
and the colleges, Finance and Business, Extension and Engagement, Athletics,
Legal Affairs, Advancement, Research, Student Affairs, and the University
Business Officers (UBO).
Effectiveness: This has been very effective and we continually work to
maintain and strengthen these communications. Our department is regularly
contacted for requests to audit and answer questions regarding policies
and procedures. In addition, IA routinely speaks to various groups about
internal controls and the audit function. We are usually contacted directly
by the department when a misuse or fraudulent activity occurs.
3. How
well are we doing it? How do we know?
IA continues
to obtain and analyze information to develop specific performance metrics.
Given the nature of our operations, more of this will be subjective
and will need to be evaluated considering IA’s role and/or control over the
actions of the units. The following performance areas have been identified
as key indicators of the effectiveness and quality of our IA division:
A. Audit Environment,
including:
i. Management Satisfaction
– Evaluates if we are meeting Management’s expectations with the services
we provide.
IA completed a Management Survey in January 2002. This survey
was distributed to 87 individuals on campus, including Vice Chancellors,
Deans and Business Officers. IA is plans to send this survey out once a
year or at least every other year to continue to ensure we are meeting Management’s
expectations. The results of this survey are used for
our annual Audit Planning process and for overall process improvement within
our department.
Effectiveness: The comments received were very valuable and helped to
reinforce that our consultative efforts have a positive impact throughout
campus. Most individuals are comfortable contacting us and have been pleased
with our services. The IA Director contacted all individuals where there
was a potential problem or misunderstanding. In addition to the Management
Survey, IA regularly receives unsolicited comments from various individuals
on campus. From past experience, people have not hesitated to contact us
with suggestions, concerns or general issues regarding our performance.
This demonstrates an open line of communication and a good working relationship.
ii. Management Requests – Evaluates the value of our services
by identifying the voluntary requests for audits and other assistance from
Management and others throughout campus.
Each year, IA completes
several audits which are separately requested in addition to our Audit Plan.
From our Management Survey and over the past year, IA has received requests
for about 20 audits. All requests are evaluated and assigned a priority
in relation to our Audit Plan. In addition to audits, IA is contacted to
review new processes, system implementation, and general assistance with
policies and procedures.
Effectiveness: Over
the past three years, there has been a positive change in the value of IA’s
services campus wide. As noted in #1 above, IA has taken steps to build
a stronger working relationship with the campus. We want to be viewed as
more of a “partner” in helping to identify and resolve issues. This has
been effective as IA regularly receives requests from units to perform an
audit, to investigate a misuse, or to review the effectiveness of their
operation. Several of these requests are proactive, before a problem has
occurred. IA is also asked to be involved in various committees and projects
to help ensure internal controls and processes are in place. Overall, this
continues to demonstrate the value of our services and the interest on behalf
of the units in working with IA to address problems.
B. Auditor Input,
including:
i. Auditor Quality
– Measures various aspects of an auditor’s background including years of
audit experience, other work experience, education, skills, training, professional
certification, and staff turnover. This is the basis for our department,
which affects our ability to carry out our goals and objectives.
Effectiveness:
IA emphasizes the importance of staff development and encourages all types
of training. This includes auditing courses, information technology and
management development. Everyone is also encouraged to participate in various
professional associations. As noted above, a well-trained and knowledgeable
staff provides us the capabilities to meet our Plan and the overall expectations
of the University. IA has nine individuals in the department, one of which
is responsible for the University’s new Policy, Regulations and Rules website.
Over the past year, each person in the department has received the equivalent
of about one week’s worth of training and development. In addition there
are two Certified Public Accountants and one Certified Internal Auditor.
On average, each person in our group has about 9 years of Internal Audit
experience and about 16 years of business experience.
C. Audit
Process, including:
i. Auditee Relations
– Measures the performance on individual audits by distribution of a questionnaire
after the audit is complete. The auditee evaluates the audit process, staff
knowledge, performance, and the audit report.
Effectiveness: The
auditee evaluations provide us with regular feedback on our performance
and identify areas of improvement. This evaluation is provided to the auditee
at the end of the audit, when the report draft is complete. IA has revised
this evaluation over the past year and is in the process of re-evaluating
the distribution of the evaluation to obtain a higher rate of response.
The evaluation is used to identify trends (positive and negative) of the
department and as feedback for staff performance. Currently, IA does not
quantify the results since most of the comments are positive. If there has
been a problem, the IA Director has been contacted and personally addressed
the issue with the auditee(s).
ii. Audit Plan
– Measures our performance in comparison to our Annual Audit Plan (Plan).
Included are management requests and new areas audited.
Effectiveness:
IA monitors actual results in comparison to the Plan. However, this is not
necessarily an accurate measure of good or bad performance. While the Plan
is our main focus for the year, all new requests are evaluated and given
a priority based on our perceived risk and potential issues. At times, it
is important to address a new request immediately and delay an item on our
Plan. Since our Plan is completed before the fiscal year, circumstances
may change and items will arise which were not known at the time of our
Plan.
D. Audit Outputs,
including:
i. Audit Findings
Corrected and/or Repeated – Measures the responsiveness of the auditee
as to how they resolve the recommendations and repeated audit findings throughout
the University.
Effectiveness: IA
has started doing a follow-up to each audit so the recommendations by default
get implemented, since we are holding units accountable for their actions.
The follow-up audits we perform re-enforce the importance of resolving the
issues and ensure accountability by the units. IA also identifies the number
of repeat findings for the same issues to determine effectiveness of resolving
an issue. We are hoping that our continued communication to different groups
on campus will help to alleviate the reoccurrence of certain issues during
our reviews.
Effectiveness: IA
has spent a considerable amount of time revising its SAP to ensure we are
addressing the key areas of risk and using the proper audit procedures to
test and identify areas of internal control weaknesses. IA has completely
revised its SAP to include applicable audit procedures for the areas we review
and to identify specific PeopleSoft queries that meet our needs. IA consulted
with several areas on campus (i.e. Controller’s, Human Resources, Purchasing)
to incorporate their concerns into our procedures.
In addition, our department
has revised our planning procedures to include more of a “360 degree” review
during planning as compared to meeting only with the audit client. In addition
to meeting with the auditee, IA interviews the respective Management, key
clients of the auditee and individuals within the unit, such as faculty or
administrative staff. This helps to gain a broader perspective of the unit
and identify potential issues for review. Our planning process plays a critical
role for the audit as it identifies the scope and objective and sets the overall
direction.
Finally, IA has re-evaluated
its reporting process. We are aware of the sensitivity of the report, both
internally and externally, and this will be an important consideration in
our changes.
Based on the feedback
received by IA, our processes are working well. IA works hard to develop an
open line of communication and a strong working relationship with key individuals
throughout the University. This has been very effective and we continually
work to maintain and strengthen these communications. Our department is regularly
contacted for requests to audit and answer questions regarding policies and
procedures. In addition, IA routinely speaks to various groups about internal
controls and the audit function. We are usually contacted directly by the
department when a misuse or fraudulent activity occurs.
Accreditation