Process & Services

Audit Process

Define risk universe for the University (ERM Risk Assessment)

Basis for internal Audit Plan

Define Audit Plan: identify/define audit projects across the University (Risk-based Approach)

Execute Audit Plan and report results

The audit plan is developed by considering institutional risks and by soliciting input from others. Risk drivers considered include:

  • information understanding and communication
  • reputational risks
  • human resources
  • strategic changes
  • potential risk of financial and/or data loss
  • data integrity and security
  • size and complexity of operations
  • ineffective data management
  • major changes in programs and controls
  • research and intellectual property
  • increased regulatory accountability
  • major changes in operations or systems
  • operations subject to a high level of public scrutiny
  • new technologies
  • unexpected operating results
  • unauthorized access to data

There are many risks impacting higher education, and the following examples may be helpful:

  • Financial risks focus on managing the risks of potential loss of physical assets and financial resources. Business risks include contracts, cash and investments, revenue, and inventory.
  • Operational risks arise from the institution’s business functions or day-to-day operations. Business risks include the effectiveness and efficiencies of the operation.
  • Regulatory risks deal with the organization’s ability to ensure compliance with applicable laws, regulations, and policies. Business risks include animal and human subjects, personnel laws, safety requirements, environmental, and federal and state regulations.
  • Strategic risks pertain to competitive positioning, joint ventures and partnerships, and nontraditional academic programs. Business risks include distance education, engagement, globalization, joint ventures, partnerships, and other strategic initiatives.
  • Technology risks include integrity, infrastructure, and data safeguards. Business risks include audit trails, access privileges, backup and recovery, change management, data protection, and networks.

Primary considerations in establishing which units will be audited include evaluation of risk, the results of previous audits, changes in technologies and processes, and specific requests and other input. Audits for certain high-risk areas are scheduled annually, while others are selected at varying intervals. In addition, internal audits are initiated to analyze possible irregularities.

Although unannounced audits are initiated where appropriate, typically the process consists of the stages shown below.

Step 1: Risk Evaluation
  • Risk Assessment
  • Audit Plan creation

Step 2: Audit Planning
  • Audit Scoping
  • Opening Meeting
  • Audit Notification

Step 3: Audit Fieldwork
  • Data Request
  • Status Communications

Step 4: Audit Issuance
  • Draft Report
  • Closing Meeting
  • Management Responses
  • Final Report

Step 5: Closure and Follow-Up
  • Remediation Plans Validation
  • Quarterly Reporting of Open Action Items
  • Audit Client Feedback Survey (Sent Annually)

Requests For Audit Services

*This is not a 911 or Emergency Service. If you wish to file a report anonymously, please use the Purdue Hotline.
