Audit Plan Development
The audit plan is developed by considering institutional risks and by soliciting input from others. Risk drivers considered include:
- reputational risks
- human resources
- strategic changes
- potential risk of financial and/or data loss
- data integrity and security
- size and complexity of operations
- ineffective data management
- major changes in programs and controls
- research and intellectual property
- increased regulatory accountability
- major changes in operations or systems
- operations subject to a high level of public scrutiny
- new technologies
- unexpected operating results
- unauthorized access to data
- information understanding and communication
There are many risks impacting higher education, and the following examples may be helpful:
- Financial risks focus on managing the risks of potential loss of physical assets and financial resources. Business risks include contracts, cash and investments, revenue, and inventory.
- Operational risks arise from the institution's business functions or day-to-day operations. Business risks include the effectiveness and efficiencies of the operation.
- Regulatory risks deal with the organization's ability to ensure compliance with applicable laws, regulations, and policies. Business risks include animal and human subjects, personnel laws, safety requirements, environmental, and federal and state regulations.
- Strategic risks pertain to competitive positioning, joint ventures and partnerships, and nontraditional academic programs. Business risks include distance education, engagement, globalization, joint ventures, partnerships, and other strategic initiatives.
- Technology risks include integrity, infrastructure, and data safeguards. Business risks include audit trails, access privileges, backup and recovery, change management, data protection, and networks.
Primary considerations in establishing which units will be audited include evaluation of risk, the results of previous audits, changes in technologies and processes, and specific requests and other input. Audits for certain high risk areas are scheduled annually, while others are selected at varying intervals. In addition, internal audits are initiated to analyze possible irregularities.
Requests For Audit Services
Requests for audit services may be submitted to the Chief Audit Executive at any time.
Although unannounced audits are initiated where appropriate, typically the process consists of the stages shown below.
University personnel, who are responsible for coordinating the implementation of recommendations, if any, are notified before the audit begins. An opening conference is held with the auditee to define the scope of the audit and identify any areas of concern noted by the auditee. Unannounced audits are initiated where appropriate.
Fieldwork is performed in accordance with the Standards adopted by the Internal Audit Office. Audit concerns are discussed with the auditee when identified. After the fieldwork is completed, University personnel who have the responsibility for areas audited receive a draft of the audit report. An exit (closing) conference is scheduled to review the report and respond to any questions prior to final issuance of the report.
The final audit report is issued. If recommendations are made, a response is expected within 45 days of the report issuance.
Upon assurance that all recommendations have been satisfactorily addressed, the audit is closed.
The follow-up may occur at the time of closure or at a future date. This phase allows for validation that actions were implemented accordingly.