Types of Audits and Services
The following describes the types of engagements performed by the Office of Audit and Compliance Services (A&CS). The majority of audits performed by the department are operational/managerial, compliance, and information systems/information technology. The type of audit performed on a particular auditable unit can be any combination of the types described below. The type of audit to be performed is determined in the initial planning process.
High-Level Review of Procedures
A high‑level review is a review that measures general compliance with critical business or organizational policies and with sound business practices. The objectives of this review are to provide the auditor with an understanding of an operation and to determine the nature of detailed testing that may be needed in certain areas.
Procedures for this review consist primarily of inquiries and analytical review concerning significant accounting matters relating to financial information being reviewed. Additionally, the internal auditor should obtain an understanding of the entity's systems of accounting and internal controls. Compliance and some substantive tests are to be performed over certain areas of an entity, including cash, accounts receivable, travel and expense, purchasing, property, and inventory.
An operational audit can be defined as an extension of a financial audit. A financial audit tells you where you were and where you are; an operational audit tends to answer the questions why you are where you are and how you got there. In this sense, the operational audit falls into the category of a management service by evaluating the four functions of management: (1) planning, (2) organizing, (3) directing and (4) controlling. The operational audit can be broken down further as a functional review, i.e. Purchasing as a department versus the overall Procurement operation. Several reasons for performing an operational audit are compliance with policies and procedures, adverse variances, financial irregularities, or personnel turnover. The timeliness of an operational audit is determined by the reason for the audit and the areas to be audited.
A compliance audit involves two different, though closely related, types of issues:
- The nature and scope of the transaction against which the compliance is to be ascertained.
- The degree to which it is practicable, or even desirable, to determine the compliance.
Therefore, a compliance audit can be defined as a rerun of a given task over a prescribed course which is monitored by various checkpoints to reach a desired conclusion.
Reasons for a compliance audit can vary with the size and complexity of the organization, locations of sites or levels of centralization. A compliance audit may be performed due to a recent history of significant problems, proposed realignment of responsibilities, personnel turnover, or a routine review of procedures.
The internal auditor will obtain a package of financial and other documentary information and perform limited procedures. In most cases, all procedures will be performed from the auditors’ offices.
Several benefits result from desk reviews. The internal auditor can determine if previous recommendations were implemented and operating as intended. The office can expand audit coverage to nearly the entire organization without making trips to every location. A related benefit is reduced travel time and travel expenses. Finally, desk reviews are ideal for training new internal auditors.
Information Systems Audits
Information systems, technology, and security audits are the examination of an organization’s information technology infrastructure, applications, data use and management, governance, and operational activities against recognized frameworks, standards, and organizational policies. Audits evaluate whether controls over technology assets:
- Reasonably mitigate risks to confidentiality, integrity, and availability of data.
- Support organizational goals, objectives, and strategy.
Our office occasionally receives requests from management for assistance with information gathering and analysis that does not require a full audit. Upon agreement between A&CS and management, the request can be accomplished as a consulting engagement. Examples of consulting engagements include: assisting with inventory observation for a unit, reviewing a process or tentative revisions to a process for internal control weaknesses, reviewing position descriptions for a department or process to provide feedback regarding segregation of duties, polling other higher education institutions regarding a topic that management is interested in, and researching new or revised compliance requirements for applicability to the University of Alaska.
The internal audit profession is closely linked with the identification and mitigation of risk. As such, we are happy to assist with facilitating risk assessments for individual departments or for specific functions, processes or systems. Contact us to discuss tools commonly used to facilitate risk assessments.
Individual campuses may have mandatory requirements, so we encourage you to also discuss your inquiry with the campus risk management department.
A&CS has experience facilitating risk assessments that include the following elements:
- Identification of risks that can prohibit achievement of the mission, stated objectives or goals.
- Identification of opportunities that can enable achievement of mission, stated objectives or goals.
- Discussion of the controls that currently mitigate the identified risks.
- Involving groups of individuals for the ranking of risks and opportunities.
- Prioritizing the ranked risks and opportunities and formatting as a visually appealing risk footprint or chart.
- Assignment of a responsible party for the highest-ranking risks.
- Developing a risk management plan for the responsible party.
We strive to incorporate the concepts of enterprise risk management into our risk assessment processes.