Internal Audit and Advisory Services performs three types of projects:
- Audits – assurance services defined as examinations of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples include financial, performance, compliance, systems security and due diligence engagements.
- Consulting Services – services whose nature and scope are agreed with the client and that are intended to add value and improve an organization’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include reviews, advice, facilitation/training and participation on campus committees and work groups.
- Investigations – independent evaluations of allegations, generally focused on improper governmental activities including misuse of university resources, fraud, financial irregularities, significant control weaknesses and unethical behavior or actions.
Nature of Assurance and Consulting Services
The Internal Audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
Promoting appropriate ethics and values within the organization; ensuring effective organizational performance management and accountability; communicating risk and control information to appropriate areas of the organization; and coordinating the activities of and communicating information among the board, external and internal auditors, and management.
- The Internal Audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.
- The Internal Audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.
The Internal Audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that:
- Organizational objectives support and align with the organization's mission;
- Significant risks are identified and assessed;
- Appropriate risk responses are selected that align risks with the organization's risk appetite; and,
- Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
The Internal Audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization's risk management processes and their effectiveness.
The Internal Audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.