The International Standards for the Professional Practice of Internal Auditing (Standards) require that the chief audit executive develop a plan of engagement to prioritize the work of the audit activity.

The audit plan is developed by considering institutional risks and by soliciting input from the Insurance and Audit Committee members, University administrators, deans, and others. Risk drivers considered included:

• new technologies
• strategic changes
• data integrity and security
• unexpected operating results
• research and intellectual property
• major changes in operations or systems
• human resources
• potential risk of financial loss
• size and complexity of operations
• major changes in programs, controls, or staff
• increased regulatory scrutiny and accountability
• operations subject to a high level of public scrutiny

Regulatory, technological, and auditing changes dramatically affect how and what is audited. Trends in the profession of internal auditing include globalization, talent and organizational issues, and technological advancement.

Basic risk categories considered in the audit plan development are:

• Financial risks focus on managing the risks of potential loss of physical assets and financial resources. Business risks include contracts, cash and investments, revenue, and inventory.
• Operational risks arise from the institution's business functions or day-to-day operations. Business risks include the effectiveness and efficiencies of the operation.
• Regulatory risks deal with the organization's ability to ensure compliance with applicable laws, regulations, and policies. Business risks include animal and human subjects, personnel laws, safety requirements, environmental, and federal and state regulations.
• Strategic risks pertain to competitive positioning, joint ventures and partnerships, and nontraditional academic programs. Business risks include distance education, engagement, globalization, joint ventures, partnerships, and other strategic initiatives.
• Technology risks include integrity, infrastructure, and data safeguards. Business risks include audit trails, access privileges, backup and recovery, change management, data protection, and networks.

Internal Audit Process

Although every audit project is unique, the audit process is similar and usually consists of four stages. It is recognized that an audit results in a certain amount of time being diverted from an auditee’s usual routine. The objective is to perform the audit efficiently and effectively, minimizing the disruption of that routine.

Audit Process

Preliminary Review

In the preliminary review stage, University administrators, who are responsible for coordinating the implementation of recommendations, if any, are notified before the audit begins. An opening conference is held with the auditee to define the scope of the audit and identify any areas of concern noted by the auditee. Unannounced audits are initiated where appropriate.

Fieldwork

Fieldwork is performed in accordance with the Standards adopted by the Internal Audit Office. Audit concerns are discussed with the auditee when identified. After the fieldwork is completed, University administrators, who have the responsibility for areas audited, receive a draft of the audit report. An exit (closing) conference is scheduled to review the report and respond to any questions prior to final issuance of the report.

Report Issuance

The final audit report is issued. If recommendations are made, a response is expected within 45-days of the report issuance.

Closure

After assurance that all issues have been satisfactorily addressed, the audit is closed. Upon closure of the audit, the President and members of the Audit and Insurance Committee receive the audit report and the closure recommendation document, if applicable, containing the actions relative to the recommendations.