Building partnerships through collaboration.
UB strives to assure the community that we comply with the laws, rules and regulations governing UB's operations. Auditing UB's operational processes is one way that we can assess this goal in collaboration with you.
Generally, a routine internal audit is an independent review of the control systems inherent in a unit's operating policies and procedures. Internal auditing can be thought of as a control that functions by reviewing other controls. Internal audit reviews can provide you with important and useful information. They can help you determine whether there are appropriate internal controls over your activities and show you ways to improve the efficiency and effectiveness of your operations.
Our audits examine controls over:
Depending on its specific purpose, an audit may concentrate on one or all of these areas.
Understanding the audit process is made easier if we know how an audit is selected, what are the phases of an audit, and the types of audits that could be performed. With this information, we may better understand the age old question — Why would I request audit services?
An audit can usually be classified into one of the following four categories:
An operational audit examines an operating process to determine if resources are being used in the most efficient and effective ways to meet the unit's mission and objectives. Internal control reviews are a major portion of an operational review. Activities such as human resources services, cash handling, procurement, and equipment inventories are generally subject to this type of audit.
A financial audit reviews the recording and reporting of financial transactions. The purpose of this type of audit is to provide management with assurance that financial information is accurately recorded in the University's financial records and that these records support the information shown in the financial reports.
A compliance audit evaluates the University's adherence to laws, regulations, and internal and external policies governing the activity being reviewed. Examples of these requirements include Federal and State laws, NCAA and OSHA regulations, and SUNY and UB policies and procedures.
An information system (IS) audit reviews the internal control environment and the use of an automated information and transaction processing system. These audits typically evaluate system input, processing, and output; system development, security and privacy; backup and recovery plans; and governance.
An audit begins with an initial meeting between the auditor and management from all interested offices and units. The entrance conference provides an opportunity for discussion of the audit process, the scope and objectives of the audit, the estimated completion date, and on-site work space requirements. It also provides management with an opportunity to discuss any questions or concerns they may have. Management's input at this stage will help us to establish a work plan to minimize audit time and avoid disruption of ongoing activities to the greatest extent possible.
The first step of the actual audit consists of interviews with managers and staff, and a review of documents and data to gain a better understanding of the unit's operations. Transactions and records are then tested to determine if controls are operating as intended. Informal communication between the audit and unit management is maintained to avoid misunderstandings, and to ensure that there are no surprises in later stages of the audit.
After all fieldwork is completed, a draft report is prepared by the auditor. The report documents our objectives, procedures performed, our conclusions as to the adequacy of controls, and specific observations and recommendations for improvement if necessary. Internal Audit management reviews the draft thoroughly before it is presented to the unit's management. This draft report is prepared only for the unit's operating management and it provides the basis for discussions at the exit conference.
A meeting is scheduled with the same individuals who attended the entrance conference. At the exit conference, the report draft is reviewed so that all of the parties understand the nature of the recommendations and agree upon the possible solutions. This meeting is also an opportunity to ensure any misunderstandings, possible misstatements or factual errors contained in the report are identified and resolved. Any issues identified during the engagement which were not significant enough to be included in the report, but still represent a potential risk, are also presented and discussed.
After the exit conference the draft report is finalized including any agreed upon changes from the exit conference. In addition, the unit head will be responsible for formulating management's response to the recommendations and forwarding them to Internal Audit. The management response is a critical element of the feedback loop. The response serves to reinforce the proactive nature of the audit process by demonstrating to the reader that improvements are being made. The response should contain three elements:
Once any changes and managements responses have been incorporated the draft is now considered final. Final reports are distributed to the appropriate managers involved in the audit and to senior executives. Audit reports are considered confidential documents.
There will be a follow-up review of all audit recommendations approximately six to twelve months after the engagement. The purpose of the follow-up is to verify that you have implemented the agreed-upon activities. The auditor may send a request for status, interview staff, perform additional tests or review new procedures.