Internal Audit Responsibilities
The Office of Internal Audit & Consulting Services is governed by the International Standards for the Professional Practice of Internal Auditing (the Standards). Internal auditors are also expected to uphold the Core Principles as well as adhere to the Code of Ethics.
Activities performed by the internal audit team include:
- Ensuring the reliability of financial and operational controls
- Assessing compliance with laws, regulations, and contracts
- Identifying opportunities for improving efficiency and reducing costs
Beyond performing audits, internal audit has other responsibilities, as follows:
The risk assessment process links internal auditing to Mines’ overall goals. It is a necessary component of an effective internal audit program and involves aligning audit activities to business priorities through a mapping process to determine where key risks lie within the University.
On an annual basis, as required by the Standards section 2010.A1, Internal Audit evaluates the risks related to the articulated goals of Mines, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to stakeholders as a basis to define the audit plan. This risk-based approach enables the coverage of internal audit activities to be driven by issues that directly impact stakeholder value, with linkage to priorities of the University.
The risk assessment process ranks each area by risk type (strategic, financial, operational, compliance, and stakeholder) to identify areas of greater risk. The risk types are described below:
- Strategic Risk – Potential impact to the University being able to meet its strategic objectives. Includes general economy, strategic partner relations, market/competitor, government, infrastructure, and change management.
- Financial Risk – Risk of financial loss or impact to the University. Includes fraud, opportunity cost, cash flow, budget and planning, and financial reporting.
- Operational Risk – Risk of operational failure/impact. Includes labor supply, efficiency, accuracy, obsolescence, leadership, limits of authority, communications, access to information, business interruption, internal control effectiveness, process documentation, and risk management.
- Compliance Risk – Risk associated with non-compliance with regulatory requirements, industry standards/expectations, and University policies. Risks include level of focus by overseer, known violations, level of change to requirements, management knowledge of requirements, and level of fines or other penalties.
- Stakeholder Risk – Risk of unfavorable impacts to University stakeholders. Stakeholders include students/customers, employees, alumni, donors, the Board of Trustees, suppliers, and the community. Risks include life safety, customer satisfaction, culture/trust, employee engagement, and employee turnover.
This process involves input from senior management to understand the risks related to their areas and to consider their specific concerns. Other factors, including previous audit results, industry hot topics, significant changes in a department (personnel, process, or system), and fraud risk and hotline trends, are also taken into consideration.
This risk-based approach was then combined with management’s feedback, the goals of the University, and resource availability, taking into consideration areas already audited internally and externally, to determine the proposed audit plan. Auditor judgment is used in selecting the audits while also considering internal audit expertise, timing, and areas where Internal Audit can provide the most value.
The proposed audit plan is presented to the Finance and Audit Committee for approval. The FY16 audit plan was approved on October 20, 2015. The plan includes the following:
- CRM System Review
- Operational Research Administration Processes
- Continuous Auditing - Accounting & Purchasing
- Human Resources
- Departmental Audit
- Graduate Studies
Throughout the year, follow-up testing is also performed on previous audit findings to ensure management action plans are implemented on a timely basis. Additionally, investigations of allegations of fraud or misconduct, special projects, and consulting can be undertaken, as needed.