Internal Audit - Frequently Asked Questions
General Information about Internal Auditing
1.1 What is internal auditing?
1.2 What standards guide the work of internal audit professionals?
1.3 How do internal and external auditors differ?
1.4 Who audits the internal auditors?
1.5 Why should organizations have internal auditing?
Office of Internal Audit at the University of Regina
2.1 What is the authority of the Office of Internal Audit?
2.2 To whom does the Office of Internal Audit report?
2.3 What services are provided by the Office of Internal Audit?
2.4 What types of audits are conducted?
2.5 Can the Office of Internal Audit provide advisory services?
Audit Process
3.2 What should I expect during an audit?
3.3 How long does an audit take?
3.4 Who gets copies of audit reports?
3.5 How confidential will the information I provide to you and audit report be?
3.6 Are internal audit recommendations mandatory for implementation?
3.7 What happens when internal audit identifies a control deficiency or non-compliance?
3.9 Does the Office of Internal Audit charge any fee if we request an audit or information?
Risks and Controls
4.3 Who is responsible for internal controls?
4.4 What is the role of internal auditors in risk management?
4.5 How does Office of Internal Audit differ from the Office of Enterprise Risk Management?
Safe Disclosure Reporting
5.1 What can I do if I become aware of illegal, fraudulent, or questionable activities?
5.2 Are internal auditors looking for fraud when performing audits?
Other
6.1 How can I contact the Office of Internal Audit?
6.2 Can I request an audit, consulting, or investigation services?
6.3 What if I have more questions?
General Information about Internal Auditing
1.1 What is internal auditing?
The Institute of Internal Auditors (IIA) definition is:
‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’
In more general terms, the internal audit activity provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.
The internal auditors are expected to provide recommendations for improvement in those areas where opportunities or deficiencies are identified. While management is responsible for internal controls, the internal audit activity provides assurance to management and the Board of Governors that internal controls are effective and working as intended.
1.2 What standards guide the work of internal audit professionals?
As part of The IIA's International Professional Practices Framework (IPPF), the International Standards for the Professional Practice of Internal Auditing (Standards) outline the requirements for the internal audit professionals. The IPPF comprises the official definition of internal auditing, the Standards, the Code of Ethics, Core Principles, and Recommended Guidance. Conformance with the Standards and the Code of Ethics is mandatory for all members of The IIA and Certified Internal Auditors (CIAs). The IIA also provides guidance on assessing, maintaining, and improving quality within the internal audit activity.
1.3 How do internal and external auditors differ?
Although they are independent of the activities they audit, internal auditors are usually employees of an organization and provide ongoing monitoring and assessment of all activities. External auditors are independent of the organization, and usually provide an annual independent opinion on the financial statements or an independent opinion on another subject matter on an ad-hoc basis. The work of the internal and external auditors should be coordinated for optimal effectiveness and efficiency.
Internal and external auditors have mutual interests regarding the effectiveness of internal financial controls. Both professions adhere to codes of ethics and professional standards set by their respective professional associations. There are, however, major differences with regard to their relationships to the organization, and to their scope of work and objectives.
Internal auditors are usually part of an organization, and their objectives are determined by professional standards, the board, and management. The objectives of external auditors are set primarily by their primary client.
1.4 Who audits the internal auditors?
The IIA requires that an external review of the internal audit function be performed at least once every five years. These reviews can be performed by an external review team or can be a self-assessment with independent validation by a qualified reviewer. These reviews cover compliance with IIA standards including independence and objectivity, audit planning and coverage, audit documentation and reporting, and staffing.
1.5 Why should organizations have internal auditing?
Organizations have a range of activities to provide assurance to the Board of Governors, the Audit Committee, the President, and stakeholders that the organization is effectively governed.
Internal audit is a key component in the assurance structure of an organization. Whilst all assurance mechanisms (management controls, management of risk, independent assurance) are important, co–ordination of the various assurance activities will provide a holistic assurance environment. Internal audit features prominently in that assurance environment.
Internal audit is a cornerstone of good corporate governance in organizations and can play an important role to improve management and accountability, both financial and non–financial. Because of its unique and objective perspective, in-depth organizational knowledge, and application of sound audit and consulting principles, a well-functioning, fully resourced and independent internal audit activity is well positioned to provide valuable support and assurance to management and Board of Governors.
Office of Internal Audit at the University of Regina
2.1 What is the authority of the Office of Internal Audit?
The office of Internal Audit is established by the Board of Governors through its Audit and Risk Management Committee. The responsibilities of the Office of Internal Audit are defined by the Audit and Risk Management Committee as part of its oversight role.
The Office of Internal Audit, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the University records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the Office of Internal Audit in fulfilling its roles and responsibilities.
The Office of Internal Audit will not have direct authority over or responsibility for any of the activities reviewed during the course of its work. Internal Audit will not develop and implement procedures, prepare records, make management decisions, or engage in any other activity that could be reasonably construed to compromise their independence. Internal Audit neither substitutes nor relieves other University personnel from their assigned responsibilities.
2.2 To whom does the Office of Internal Audit report?
The Office of Internal Audit reports functionally through the President to the Audit and Risk Management Committee of the Board of Governors and administratively to the Executive Director, University Governance and University Secretary.
2.3 What services are provided by the Office of Internal Audit?
Assurance services – these services include the assessment of evidence by the internal audit to provide an independent opinion or conclusions and recommendations regarding an operation, function, process, system, or other subject matter.
Consulting services – these services are advisory in nature, and are generally performed at the specific request of the Board of Governors, the Audit and Risk Management Committee, or management. Examples of outcomes from these services can include counsel, advice, facilitation, and training.
Investigations – the Office of Internal Audit may be involved in investigating and/or supporting investigations of alleged violations of policies, procedures, errors, fraud or misuse of University assets or resources, including activities that relate to research and other grants. Investigations will be performed upon request from the Audit and Risk Management Committee and University management.
2.4 What types of audits are conducted?
Financial audit - assurance engagement which involves independent evaluation of the fairness, accuracy, and reliability of University’s financial data. It is historically oriented.
Compliance audit - assurance engagement which involves independent evaluation of the degree to which the University or a University unit adheres to laws, regulations, policies, procedures, or contract agreements.
Operational audit - assurance engagement which involves independent evaluation of the University processes and procedures, internal controls and efficiencies, and achievement of objectives. It is more future-oriented.
IT audit – assurance engagement which involves the examination and evaluation of the University information technology infrastructure, policies and operations.
Investigations - Internal Audit undertakes investigative audits when circumstances or evidence suggest an irregularity involving University resources occurred.
Follow-up audits – audit performed to determine whether management has taken appropriate, effective and timely action to address previously reported issues.
2.5 Can the Office of Internal Audit provide advisory services?
Yes, the Office of Internal Audit can provide recommendations or advice on management issues or concerns. If you consider requesting advisory services that will potentially involve substantive amount of time spent by the Office of Internal Audit, the request should be approved by the member of the University Executive Team.
Audit Process
Annually, the internal audit plan with the suggested audit projects is developed based on a prioritization of the University’s auditable areas using a risk-based methodology which includes the input of the University Executive Team and is aligned with the strategies, objectives, and risks of the University. The plan is reviewed at least annually and recommended for approval to the Board of Governors by the Audit and Risk Management Committee.
3.2 What should I expect during an audit?
Unless an investigation is conducted, an audited unit is notified in advance that an audit will be starting. The planning meeting is requested by the Office of Internal Audit with the management and key stakeholders of an audited unit. The purpose of the planning meeting is to explain the audit and the audit process, and discuss the Terms of Reference for the project. During the planning meeting, please ask questions, express your concerns, and make any special requests you might have.
After the planning meeting, the field work will begin. Once fieldwork is complete, a draft of all audit observations and recommendations is prepared.
The audit close-out meeting will be schedule to discuss the observations with the management of an audited area. During the close-out meeting it is important that you communicate concerns and identify errors. If you disagree with an audit observation, please provide extra information to support your position and the work will be re-performed if necessary. After the close-out meeting, management of an audited area is given 30 days to provide formal management responses to the Office of Internal Audit.
Once the management responses are received by the Office of Internal Audit, the final audit report (including management responses) is prepared and submitted to stakeholders.
Here you can find more details on the general audit process.
3.3 How long does an audit take?
The length of an audit depends on an area’s size, complexity, and the scope of an audit. In general, an audit may last from several weeks to several months. Not all this time will be spent in an audited unit.
The availability of audit documentation and the responsiveness of your unit to audit requests and questions also affect the time required to complete an audit.
3.4 Who gets copies of audit reports?
A draft audit report is issued to those in a position to see that corrective actions are taken and those with a need to know, generally, the University Executive Team and management of an audited unit. In general, a final audit report, including management responses, is distributed to the University Executive Team, management of an audited unit, and the Audit and Risk Management Committee of the Board of Governors.
The distribution of reports to other stakeholders is to be approved by the University Executive Team.
3.5 How confidential will the information I provide to you and audit report be?
All information received and managed by the Office of Internal Audit is held at the appropriate level of confidentiality. Please see the Office of Internal Audit Charter and the Code of Conduct for additional information on confidentiality.
3.6 Are internal audit recommendations mandatory for implementation?
Management that is the recipient of an audit recommendation is in the position to accept or reject a recommendation. According to the University policy Internal Audit GOV-080-015, “recommendations made by the Internal Auditor will be provided to the Administrator responsible for the Faculty/Department to implement and will be required to report progress to address recommendations to the University Executive Team and Audit and Risk Management Committee, or reasons for acceptance of risk of non-compliance. Recommendations that are not implemented or responded to with reasonable resolutions will be provided to the University Executive Team and as part of the report to the Audit and Risk Management Committee for possible disciplinary action.”
3.7 What happens when internal audit identifies a control deficiency or non-compliance?
The issue will be fully explored and, if confirmed, an observation and recommendation will typically be developed and included in the audit report. All issues will be fully vetted with the unit's management and a recommendation will be developed to best suit the unit's individual needs.
3.8 Will I be kept informed during the audit process and will I have a chance for input before the audit report is issued?
Yes. During the audit, an auditor will keep you and your employees informed of progress. Auditor may discuss some audit issues with you or your staff during the fieldwork. However, all issues will be discussed with the management of a unit during the close-out meeting at the end of field work.
During the fieldwork please ask questions and talk to an auditor. An auditor will try not to interrupt your work as much as possible. If you would like more frequent updates or are simply curious, just ask.
Take advantage of the close-out meeting. Ask questions and don’t be afraid to disagree with an audit observation. The purpose of the close-out meeting is to communicate issues and resolve any mistakes or misunderstandings. An auditor will make reasonable efforts to work with you.
3.9 Does the Office of Internal Audit charge any fee if we request an audit or information?
No. Internal Audit services are provided at no cost to the University units. However, if you consider requesting internal audit services, the request should be approved by the member of the executive team.
Risks and Controls
Risk is the possibility of an event occurring that will have an impact on the achievement of objectives (a general example is: an objective is to keep a home and belongings safe; one of the risks is that a house can be broken into).
Internal controls are those structures, activities, processes, and systems that help management effectively mitigate the risks to an institution's achievement of objectives (continued example from 4.1, possible controls will be the following: installation of a superior lock technology, installation of electronic security system etc.).
4.3 Who is responsible for internal controls?
Management is responsible for establishing and maintaining a system of internal controls within an institution. Management is charged with this responsibility on behalf of the university's stakeholders and is held accountable for this responsibility by the Board of Governors.
4.4 What is the role of internal auditors in risk management?
The internal audit activity evaluates the effectiveness and contributes to the improvement of risk management processes by assessing how
- organizational objectives support and align with the organization’s mission;
- significant risks are identified and assessed;
- appropriate risk responses are selected that align risks with the organization’s risk appetite;
- relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.
4.5 How does Office of Internal Audit differ from the Office of Enterprise Risk Management (ERM)?
The mission of the Office of Internal Audit is to assist the University in accomplishing its objectives and meeting its fiduciary and administrative responsibilities by providing independent and objective assurance and consulting activity and by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of University governance, risk management, and the system of internal controls and administrative processes.
The mission of the Office of ERM is to apply a systematic approach to identifying, monitoring and managing risks and opportunities in order to promote strategic and risk-aware decision making throughout the organization.
Despite being two independent offices in the University Secretariat, both offices collaborate in a number of ways:
- Linking enterprise risk assessment and internal audit plan
- Assessing and monitoring strategic risks in a more focused way
- Sharing work products and using risk information to plan work and produce reports
- Providing required communication depth and consistency at the board and management levels
Safe Disclosure Reporting
5.1 What can I do if I become aware of illegal, fraudulent, or questionable activities?
According to the University policy Safe Disclosure (Whistleblower Protection) GOV-022-020, “any member who has reasonable grounds to believe that another member has committed fraud or wrongdoing shall report the allegation to the Office of Internal Audit.
All reports must be in writing, but they may be anonymous.”
For more information on process and procedures, please refer to the full text of this policy.
5.2 Are internal auditors looking for fraud when performing audits?
Unless the Office of Internal Audit is performing an investigative audit, auditors are not specifically searching for the existence of fraud. During a routine audit they are more concerned with ensuring that adequate systems of internal control exist to reduce the risk of fraud. However, procedures are performed that are meant to detect potential fraud and to assess your area’s exposure to fraud related risk.
Other
6.1 How can I contact the Office of Internal Audit?
The Office of Internal Audit is located in the Administration-Humanities Building on the fifth floor in the office AH509.5. You can contact the University Internal Auditor at yulia.yevlanova@uregina.ca or by calling 306-337-3127. Also, you can submit a form located here.
6.2 Can I request an audit, consulting, or investigation services?
Members of the Senior Leadership Team (SLT) can request the services of the Office of Internal Audit through their executive sponsor on the University Executive Team (UET).
If you are not a member of the SLT but consider requesting internal audit services, please contact the University Internal Auditor at yulia.yevlanova@uregina.ca or 306-337-3127 for more information.
6.3 What if I have more questions?
Please contact the University Internal Auditor at yulia.yevlanova@uregina.ca or 306-337-3127. Alternatively, contact the University Secretariat office at 306-585-4436 or 306-586-4956.
Sources of information:The International Standards for the Professional Practice of Internal Auditing (Standards).