Internal Audit

Internal Audit

University of Lethbridge > Finance and Administration > Internal Audit

Core Services

Assurance

"Assurance services involve the internal auditor's objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system, or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the entity, operation, function, process, system, or other subject matter - the process owner, (2) the person or group making the assessment - the internal auditor, and (3) the person or group using the assessment - the user." (www.theiia.org)

Examples of assurance engagements include financial statement audits and compliance audits where an opinion is rendered on the overall level of compliance.

Consulting

"Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice - the internal auditor, and (2) the person or group seeking and receiving the advice - the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility." (www.theiia.org)

Business process reviews are a type of consulting engagement. Due to the nature of consulting engagements, the Internal Auditor must be wary of impairments to independence and objectivity.

What can I expect during an audit?

Although every audit project is unique, the audit process is similar for most engagements and normally consists of four stages:


  1. Planning
    • a. The Client is informed of the audit through a draft announcement letter outlining the scope and objectives of the audit, the expected timeline, the records/documents to be accessed and any other relevant information.

    • b. The internal auditor meets with the management of the unit under review, including any other staff member(s) that may be involved or germane to the audit. It is important at this time that the client identifies issues or areas of special concern that they would like to see addressed during the review.

  2. Fieldwork
    • a. In this phase, the internal auditor gathers relevant information about the unit in order to obtain a general overview of operations. S/he talks with key personnel and reviews reports, files, and other sources of information.

    • b. The Internal Auditor conducts all relevant testing and discusses the findings with the client.

  3. Audit Report
    • a. The internal auditor expresses his/her opinions, audit findings and recommendations in the audit report. To facilitate communication and ensure that the recommendations included in the final report are practical and accurate, the internal auditor shall discuss the rough audit report draft with the client prior to issuing the final report.

    • b. The internal auditor distributes the final report to the auditee's management, the Vice-President (Finance & Administration), Audit Committee Chair, and other appropriate members of senior University management.

  4. Follow-up Review
    • a. Within approximately one year of the final report, internal audit shall perform a follow-up review to verify the resolution of the report findings.

Can Internal Audit help me?

Maybe. Internal Audit prioritizes projects using a systematic methodology. According to the Standards for the Professional Practice of Internal Auditing:

"The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organization's risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consultation with senior management and the board."

2010.A1- The internal audit activity's plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

2010.C1- The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization's operations. Accepted engagements must be included in the plan."

If you would like to request assistance from the Internal Auditor, please fill out the "Request an Audit" form. Alternatively, check out the Resources page for helpful control checklists.

Request An Audit


First Name:
Last Name:
Department:
Description of Request:

Decline an Audit

Internal Audit wants to review something in my department; how do I decline an audit?

Although you cannot decline an audit, the Internal Auditor is aware that certain times of the year are better for various university departments. If you feel that the timing of a scheduled audit will place too much strain on your department, please contact the Internal Auditor.