Introduction
On an annual basis, the Executive Director, Internal Audit develops a risk-based “Annual Audit Plan” that outlines the areas within the University where Internal Audit will be focusing its efforts for the upcoming fiscal year. The Plan is designed to support the allocation of audit resources to those areas that represent the most significant priorities for McGill University and to guide the Internal Audit activities for the upcoming fiscal year. The Internal Audit Plan is presented to the Audit Committee for approval at the beginning of each fiscal year.
Once a decision has been made to audit a Unit (based on the annual risk assessment and after approval of the Audit Plan), the following are the usual steps in the process:
1. Planning and Risk Assessment
During this phase, the Internal Audit team obtains an understanding of the operating environment, processes and related risks of the Unit/area/process under audit. Information is gathered from the introductory meeting(s), interviews, documentation including websites, strategic plans, budgets, etc.
The information gathered during the planning phase enables Internal Audit to establish the preliminary scope and objectives (which are communicated to the Unit). The Audit team also prepares a formal risk assessment and an Audit Program (see Fieldwork) to review the Unit’s existing procedures and controls which relate to the risks identified. Using this risk-based approach, the auditor ensures the review is focused on the significant risks.
2. Fieldwork
During this phase, the Internal Audit team carries out the Audit Program, which generally includes procedures to (a) determine the adequacy and effectiveness of client procedures and controls for managing the significant risks identified, (b) assess compliance with University and external policies, and (c) identify opportunities for improving the efficiency and effectiveness of the Unit’s processes and controls.
Audit procedures performed in this phase typically include interviews with staff, walkthroughs of key processes, examination of the Unit’s records and supporting documentation, analytical reviews, and testing of a sample of controls and transactions.
Any preliminary findings identified in this phase of the audit are discussed with the Unit to confirm the factual accuracy of the finding.
3. Reporting
Once the fieldwork is completed, the Internal Audit team will hold a closing meeting with Management of the Unit to discuss the audit findings and recommendations. Following the closing meeting, the Internal Audit team will prepare a draft report, taking into account any revisions resulting from the closing meeting. Following receipt of the draft report, Management is requested to provide timely written responses to the findings, including the following: (a) an action plan of how the recommendations will be implemented, (b) when it will be implemented (timing), and (c) who is responsible for the implementation. Once the Management responses have been received, the Internal Audit team will incorporate the responses into the draft report, creating the final report.
The final report is distributed to the head of the Unit and other appropriate members of the University's Senior Management. The report is also distributed to the Audit Committee of the Board of Governors as well as to the University’s external auditors.
4. Follow-up
The objective of the follow-up phase is to ensure that Management actions have been effectively implemented according to the timelines agreed to in the final report. Reports on the progress of the remediation of identified issues are provided to the Audit Committee of the Board of Governors.
In order to streamline the follow-up of issues, the Internal Audit team launched a secured on-line Follow up Application which tracks the issues and resolution status. This application allows the Unit to directly update the status of corrective actions taken and to upload supporting documentation.
Note: The extent and timing of our follow-up activity are based on the risk ranking assigned to a particular finding and the report rating. If reported observations and recommendations pose a significant risk, Internal Audit may conduct a more in-depth and formal follow-up audit.
Last updated: Oct-2016