Internal Audit – Identifies all auditable activities and relevant risk factors, and assess their significance through an annual risk assessment.
Internal Audit utilizes the Committee of Sponsoring Organization’s (COSO) Internal Control – Integrated Framework risk model
Risk is viewed in four major areas:
- Operational (Processes and procedures)
- Financial (Data rolling up to internal/external statements)
- Regulatory (Federal, State, Local, Organizational Policy)
- Reputation (Institutional)
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is affected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
- Internal control is geared to the achievement of organizational objectives.
The Internal audit plan is designed to meet the objective of providing the most efficient and effective deployment of internal audit resources in a manner that addresses
- areas of highest relative risk,
- core business activities of the University,
- broad coverage across the University and the College of Medicine.
Audit Scope – involves assessing the five interrelated components of Internal Control:
The control environment,
Information and communication