Internal Audit

Annually, the Director of Internal Audit prepares an audit plan. The goal of the annual planning process is to identify what units can most benefit from assurance services and ensure that Internal Audit resources are being focused to best meet the needs of the university. Typically, a risk assessment is performed of the major functional areas using industry trends, past audit experience and campus input. In addition, random selection ensures periodic service to all units. Some factors considered in the assessment of risk include: 

• Critical nature of the unit in meeting university objectives
• Length of time since and results of previous audits — internal and external
• The size and complexity of the operation
• Changes in personnel, operations, programs, systems or controls
• Regulatory requirements of the operation
• Sensitivity of unit's operations to the university’s image and reputation
• Amount of fiscal activity and resources

An audit begins with an initial meeting between the auditor and management from all interested offices and units. The entrance conference provides an opportunity for discussion of the audit process, the scope and objectives of the audit, the estimated completion date, and on-site work space requirements. It also provides management with an opportunity to discuss any questions or concerns they may have. Management's input at this stage will help us to establish a work plan to minimize audit time and avoid disruption of ongoing activities to the greatest extent possible.

The first step of the actual audit consists of interviews with managers and staff, and a review of documents and data to gain a better understanding of the unit's operations. Transactions and records are then tested to determine if controls are operating as intended. Informal communication between the audit and unit management is maintained to avoid misunderstandings, and to ensure that there are no surprises in later stages of the audit.

After all fieldwork is completed, a draft report is prepared by the auditor. The report documents our objectives, procedures performed, our conclusions as to the adequacy of controls, and specific observations and recommendations for improvement if necessary. Internal Audit management reviews the draft thoroughly before it is presented to the unit's management. This draft report is prepared only for the unit's operating management and it provides the basis for discussions at the exit conference.

A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, the report draft is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions. This meeting is also an opportunity to ensure any misunderstandings, possible misstatements or factual errors contained in the report are identified and resolved. Any issues identified during the engagement which were not significant enough to be included in the report, but still represent a potential risk, are also presented and discussed.

After the exit conference the draft report is finalized including any agreed upon changes from the exit conference.  In addition, the unit head will be responsible for formulating management's response to the recommendations and forwarding them to Internal Audit. The management response is a critical element of the feedback loop. The response serves to reinforce the proactive nature of the audit process by demonstrating to the reader that improvements are being made. The response should contain three elements:

1. A statement of whether management agrees or disagrees with the recommendations
2. An action plan of activities to take place
3. A timeline by which the activities will be completed

Once any changes and managements responses have been incorporated the draft is now considered final.  Final reports are distributed to the appropriate managers involved in the audit and to senior executives.  Audit reports are considered confidential documents.

There will be a follow-up review of all audit recommendations approximately six to twelve months after the engagement. The purpose of the follow-up is to verify that you have implemented the agreed-upon activities. The auditor may send a request for status, interview staff, perform additional tests or review new procedures.

An operational audit examines an operating process to determine if resources are being used in the most efficient and effective ways to meet the unit's mission and objectives. Internal control reviews are a major portion of an operational review. Activities such as human resources services, cash handling, procurement, and equipment inventories are generally subject to this type of audit.

A financial audit reviews the recording and reporting of financial transactions. The purpose of this type of audit is to provide management with assurance that financial information is accurately recorded in the University's financial records and that these records support the information shown in the financial reports.

A compliance audit evaluates the University's adherence to laws, regulations, and internal and external policies governing the activity being reviewed. Examples of these requirements include Federal and State laws, NCAA and OSHA regulations, and SUNY and UB policies and procedures.

An information system (IS) audit reviews the internal control environment and the use of an automated information and transaction processing system. These audits typically evaluate system input, processing, and output; system development, security and privacy; backup and recovery plans; and governance.