Each year, the Director of Internal Audit Administration prepares a risk-based audit plan that is presented to and approved by the Audit Committee. A risk-based approach is used so that audits are performed on areas of greatest risk and opportunity for improvement. Additional audits may be performed upon request from the Audit Committee, Board of Trustees, Executive Director, or other management.
The Division of Internal Audit Administration follows the standards set forth in the Institute of Internal Auditors' International Professional Practices Framework. Each audit consists of the following phases:
1. Planning: Internal auditor meets with management and other staff to gain an understanding of the operational processes for the area under audit. A risk assessment is performed. Internal auditor develops testing procedures to address identified risks.
2. Fieldwork: Internal auditor performs testing procedures that address compliance and/or effectiveness of internal controls in place for the area under audit. Internal auditor makes note of findings, which must be supported by adequate evidence, and develops preliminary opportunities for improvement.
3. Completion: Internal auditor meets with management to discuss preliminary findings and opportunities for improvement. If there is a disagreement, staff is given the opportunity to provide additional information to the internal audit team. Once all findings are final, a draft audit report summarizing observations and opportunities for improvement is issued electronically. The area under audit is requested to provide a response to the draft report within 14 days of the audit report's issuance date. After management's responses are received, internal audit provides its response, if applicable, and a final report is issued. An electronic copy of the final report is provided to auditee management, the Audit Committee, and executive management.
4. Follow-up: Periodically, the Division of Internal Audit Administration reviews outstanding opportunities for improvement and follows up with management to determine the status of the agreed-upon improvements.