What is Internal Audit?

According to The Institute of Internal Auditors (IIA), the governing body for the internal auditing profession, internal auditing is defined as an

Independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

What are the primary functions of Internal Audit?

Internal audit is an independent, objective function that evaluates processes to ensure or determine:

  • Compliance with applicable laws, regulations, policies, and procedures;
  • Effectiveness and efficiency of college operations, including internal controls;
  • Risks to college operations or activities are appropriately managed; and,
  • Opportunities for improvement in the above areas are identified and make necessary recommendations to the Board and management.

Internal Audit is also responsible for monitoring the college’s Ethics Hotline and reviewing reports when received.

What is internal control?

According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control is defined as

A process…designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

It is important to note that Internal Audit is responsible only for evaluating and making recommendations for improvement to internal controls.  Internal Audit may not design, implement, or manage internal controls.

Why are internal controls important, and what are some examples?

Internal controls are important because they serve to increase confidence that the objectives of a process, department, or the college are being achieved.

Examples of internal controls include:

  • Separation of duties – such as requiring more than one individual to participate in a transaction process.  This helps ensure all funds received are deposited correctly and in full.
  • Physical safeguards – such as locking doors to secure areas via locks, keycard access, unique codes, etc.  This helps protect the college’s assets and information from theft, unauthorized use, etc.
  • Required approvals – such as requiring review and approval of transactions over a certain dollar amount by a senior official and/or the Board of Trustees.  This helps ensure funds are appropriately spent and comply with applicable laws and college policies.

What is the standard audit process?

  1. Notification of Engagement
    • Internal Audit will officially inform department or process owner (client) of the upcoming audit.
  2. Audit Research
    • Internal Audit gathers information on area, such as reviewing:
      • Mission, goals, and objectives;
      • Federal and State regulations; and,
      • Policies and procedures.
  3. Entrance Conference
    • Internal Audit and the client will meet to discuss:
      • Audit process;
      • Department/process objectives, risks, and controls; and,
      • Any client concerns about the department/process.
  4. Audit Planning
    • This is an important phase wherein Internal Audit will determine:
      • Engagement objectives (the purpose of the audit);
      • Engagement scope (boundaries of the audit – such as the specific process/area or period of time); and,
      • Engagement procedures (specific steps/tests to achieve the objectives).
  5. Fieldwork
    • Internal Audit performs procedures, including:
      • Reviewing transactions and records;
      • Interviewing and walking through processes with personnel; and,
      • Frequently communicating with the client.
  6. Draft Audit Report
    • Internal Audit will draft an audit report documenting the work conducted, including:
      • Objective;
      • Scope;
      • Risks and controls;
      • Audit procedures; and,
      • Results of procedures.
  7. Management Responses to Audit Observations and Recommendations
    • Internal Audit will send the draft report to the client for review and ask for a response to any observations or opportunities for improvement.
    • At this step, Internal Audit and the client will discuss the report and changes made if necessary to correct an omission, inaccuracy, or to clarify.
  8. Exit Conference
    • Internal Audit and the client, along with the vice chancellor or equivalent, will meet to discuss the review, results, and any related matters.
    • By this stage, Internal Audit and the client should be in agreement concerning the contents of the report.
  9. Final Audit Report
    • Internal Audit will provide the audit report, including any responses from management, to the Board of Trustees and chancellor as required.
  10. Follow-Up
    • Internal Audit will follow up with the client on the current status of observations and corrective actions.  The goal is for this to occur within 1 year of the conclusion of the audit.
    • The nature and extent of follow up may vary depending on the audit.

Please note management knowledge and input are imperative during an audit, especially in the early phases of the audit process.

Please click here to view a flowchart of the typical audit process described above.

What can I expect from Internal Audit during a typical audit?

Internal Audit is committed to:

  • Approaching engagements with a positive, value-oriented mindset and demonstrating professionalism and respect in all interactions;
  • Clear, open communication throughout the audit process;
  • Working with departments and individuals to minimize interference with previously scheduled critical activities and deadlines to the extent possible;
  • Punctuality throughout the audit process; and,
  • Developing a robust understanding of the area under review and the related objectives, risks, and controls.  This means Internal Audit will have numerous questions and requests during the audit process.

What is requested from me during a typical audit?

Internal Audit requests:

  • Responses and/or access to documents, questions, or personnel be provided as promptly as possible and within agreed-upon timeframes unless noted otherwise;
  • Assistance from individuals in fully understanding the process or area through techniques such as questionnaires, interviews, walkthroughs, and written procedures; and,
  • Individuals ask questions to clarify if an audit question or request is unclear or incomplete.