Internal Audit identifies all auditable activities and relevant risk factors, and assesses their significance through an annual risk assessment, utilizing the Committee of Sponsoring Organizations' (COSO) Internal Control – Integrated Framework risk model.
The Internal Audit Department notifies audit clients in writing when their department is selected for an audit. This letter is sent to the leadership roles responsible for the department. The notification letter states the scope, the objectives to be accomplished in the audit, and an anticipated timeline for completion.
The audit process consists of the following main phases:
- Planning and Risk Assessment
- Report and Follow-Up
- Management Action Plan
PLANNING AND RISK ASSESSMENT
The purpose of this phase is to plan the audit and conduct an initial risk assessment of the area under review. This enables the auditor to identify and focus on the critical risks.
Risk is assessed in four major areas of the business unit:
- Operational (processes and procedures)
- Financial (financial data from internal and external statements)
- Regulatory (federal, state, local, organizational policy)
- Reputational (institutional opinions of business operations)
Conduct Opening Meeting
The Internal Audit Office schedules an opening meeting with the head of the department under audit to discuss the purpose and scope. Auditees are encouraged to discuss any concerns or questions they have about the audit and invite any of their direct reports to the meeting.
During the planning and risk assessment phase, the auditor typically requests the following information from the department:
- financial information;
- organizational chart;
- policies and procedures;
- management reports utilized by the department;
- agreements / contracts;
- job descriptions; and/or
- strategic documents / mission statements.
While performing the risk assessment, the auditor will:
- conduct interviews to obtain an understanding of the process under review;
- conduct walk-throughs of the process to ensure the process operates as stated;
- prioritize the noted risks based on the preliminary review; and
- develop the work program, audit scope, objectives and audit tests.
At the conclusion of the planning and risk assessment phase, the auditor will create the work program and discuss this program with the Chief Audit Executive. The work program contains the audit scope, objectives and specific testing that will be performed during the audit. The work program and audit tests are determined based on the results of the planning and risk assessment phase.
Fieldwork includes further walk-throughs, interviews, data analysis, control and process testing, and transaction and detail testing. The focus of fieldwork is to determine if there is an adequate system of internal control and whether the system is functioning as intended. Controls are measured against University policies and procedures, state and federal regulations, and generally accepted accounting principles. Areas of deficiency and potential recommendations are discussed with the appropriate staff and are documented in the audit work papers.
The audit work, noted deficiencies and potential recommendations are discussed with and approved by the Chief Audit Executive. All findings and conclusions are based on the work performed in the fieldwork phase of the audit.
All findings (opportunities) are transcribed into a formal written report based on the Internal Audit Office's five-step approach:
- Condition (what is)
- Criteria (what should be)
- Cause (root cause that allowed the control weakness to occur)
- Effect (the adverse result of the control weakness; it is highly recommended that the auditor quantify the result or potential result of the control weakness)
- Recommendation (steps taken to mitigate or transfer the risk)
Once the formal report is complete, it is sent to the process owner prior to the closing conference. All findings are discussed thoroughly and agreed upon before the Internal Audit Office issues the report. Internal Audit adheres to a "no surprises" promise and discusses all observations and recommendations with the auditees before the closing conference and issuance of the report.
Once the report is agreed upon between Internal Audit and the auditees, the report is formally issued.
Work papers are submitted to the Executive Director for final review and approval. The Chief Audit Executive reviews the final report and sign-offs.
At the end of each audit, a closing conference is conducted and all comments in the report are fully discussed with the process owner and anyone who will be impacted by the report.
MANAGEMENT ACTION PLAN FOLLOW-UP AND ESCALATION
In order to ensure compliance with the Institute of Internal Auditors' (IIA) International Standards for the Professional Practice of Internal Auditing ("The Standards"), the Chief Audit Executive has implemented a Management Action Plan (MAP) Follow-Up and Escalation Procedure. Internal Audit will review evidence to ensure that action plans are sufficiently closed, or escalate an overdue action item for follow-up.
Management Action Plan Follow-up
The successful completion of Management Action Plans contributes to strengthening controls, adding value, and safeguarding Drexel University's assets. As such, it is important that management of the audited area prioritizes audit remediation plans and completes them within the specified time frame.
Although it is the responsibility of the control owner to implement the agreed-upon action, Internal Audit will perform monthly follow-up with management regarding open action items. Specifically, Internal Audit will reach out to the auditees at month-end to remind them of their open action plans and request a status update. During the month of the due date, Internal Audit will reach out weekly to the auditees for a status update.
If an auditee believes that an action item is closed, Internal Audit will request supporting evidence or conduct a brief review to ensure that the action item has been adequately remediated. Internal Audit will maintain a log of the supporting evidence / review performed and the reason why the action item was closed.
The Chief Audit Executive will report quarterly to the Audit Committee on the status of Management Action Plans. Overdue items will be highlighted along with the revised due date and action plan.
Once an action item is overdue, it will be escalated to the Office of Program Management and Organizational Effectiveness (PMOE) for further follow-up and to assist departments with achieving the corrective action and implementation of audit recommendations. PMOE will work with the auditees to determine a revised due date and gain an understanding of the missed deadline. PMOE will report results to Internal Audit for reporting to the Audit Committee.