As defined by the Institute of Internal Auditors (IIA), "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal Audit's roles at Queen’s are to monitor, assess, and analyze the university’s risks and controls; and to review and confirm information and compliance with policies, procedures, and laws. Working in partnership with management, Internal Audit provides the Board of Trustees, the Audit and Risk Committee, and executive management of the university reasonable assurance that risks are adequately mitigated and that the university's governance process is effective. Recommendations for improvement to processes, policies, and procedures are provided by Internal Audit where needed.
Audits are selected through a risk assessment process. Internal Audit develops an annual audit plan that outlines the areas within the university where Internal Audit will be focusing its efforts for the upcoming year. The Plan is risk-based and is designed to support the allocation of audit resources to those areas that represent the most significant priorities for the university.
There are four phases to an audit at Queen's University:
- Planning: determining the audit objectives, scope and timing of the engagement;
- Fieldwork: interviews are conducted and internal controls, systems, policies and procedures are tested for efficiency and adequacy;
- Reporting: the results of the audit are presented in draft form for discussion and the final report are issued to management and the Audit and Risk Committee; and
- Follow-Up: conducted annually to ensure that corrective actions have been implemented to address significant issues identified in our audits.
Internal control is a process in which all university employees participate. It is designed to provide reasonable assurance to unit management that:
- Management data used in decision making and reporting is reliable, accurate, and timely;
- Assets are accounted for and safeguarded from loss;
- Operations are effective and efficient; and
- Compliance with applicable laws and regulations is at an acceptable level.
Internal control is intended to:
- prevent, or lessen the risk of, errors or irregularities;
- identify problems; and
- ensure that corrective action is taken.
Examples of common internal controls include:
- Policies and procedures (at the University, campus, and unit level) that are communicated and that establish what should be done, how, and by whom;
- Approvals and authorizations that include a thorough review of supporting information to verify the propriety and validity of transactions;
- Verifications and reconciliations (e.g., review and reconciliation of Banner statements, petty cash verifications, comparison of budgeted to actual amounts);
- Supervision including training, keeping employees informed of new policies and procedures, and performance reviews;
- Safeguarding of assets (including passwords and other restricted information) against theft, destruction, deterioration, or misuse (for example by locking your office, depositing cash receipts timely, and limiting access to procurement cards); and
- Segregation of duties (dividing authorization, custody, and record keeping duties among different people so that someone can't both perpetrate and conceal an error or irregularity).
Internal Audit works closely with management to provide recommendations for improvement. It is the responsibility of management to assess the cost/benefits of implementing our recommendations relative to the risks involved and determine whether the residual risk is acceptable to the university.
The Full Report containing detailed findings, recommendations and action plans and the Summary Report is issued to the Chair of the Audit and Risk Committee and the Summary Report, which highlights only the significant findings from the audit/review and the general management response, is issued to the Audit and Risk Committee.
Each type of auditor has a different scope, perspective and objectives.
- Internal audit is concerned with anything in the university and is designed to add value and improve the University's operations.
- External auditors are independent of the university and are hired to provide an opinion on the information being audited.
- Federal and other governmental auditors audit the specific grants and awards provided by their respective agencies.