Auditing 101

Internal Audit Responsibilities

The Office of Internal Audit is governed by the International Standards for the Professional Practice of Internal Auditing (the Standards).  Internal auditors are also expected to uphold the Core Principles as well as adhere to the Code of Ethics.

Activities performed by the internal audit team include:

  • Ensuring the reliability of financial and operational controls
  • Assessing compliance with laws, regulations, and contracts
  • Identifying opportunities for improving efficiency and reducing costs

Beyond performing audits, Internal Audit has the following additional responsibilities:

Risk Assessment

The risk assessment process links internal auditing to Mines’ overall goals.  It is a necessary component of an effective internal audit program and involves aligning audit activities to business priorities through a mapping process to determine where key risks lie within the University.

On an annual basis, as required by the Standards section 2010.A1, Internal Audit evaluates the risks related to the articulated goals of Mines, covering strategic, financial, operational, and compliance objectives.  The assessment considers the impact of risks to stakeholders as a basis to define the audit plan.  This risk-based approach enables the coverage of internal audit activities to be driven by issues that directly impact stakeholder value, with linkage to priorities of the University.

The risk assessment process ranks each area by risk type (strategic, financial, operational, compliance, and stakeholder) to identify areas of greater risk.  The risk types are described below:

  • Strategic Risk – Potential impact to the University being able to meet its strategic objectives. Includes general economy, strategic partner relations, market/competitor, government, infrastructure, and change management.
  • Financial Risk – Risk of financial loss or impact to the University. Includes fraud, opportunity cost, cash flow, budget and planning, and financial reporting.
  • Operational Risk – Risk of operational failure/impact.  Includes labor supply, efficiency, accuracy, obsolescence, leadership, limits of authority, communications, access to information, business interruption, internal control effectiveness, process documentation, and risk management.
  • Compliance Risk – Risk associated with non-compliance with regulatory requirements, industry standards/expectations, and University policies.  Risks include level of focus by overseer, known violations, level of change to requirements, management knowledge of requirements, and level of fines or other penalties.
  • Stakeholder Risk – Risk of unfavorable impacts to University stakeholders.  Stakeholders include students/customers, employees, alumni, donors, the Board of Trustees, suppliers, and the community.  Risks include life safety, customer satisfaction, culture/trust, employee engagement, and employee turnover.

This process involves input of senior management to understand the risks related to their areas and to consider their specific concerns. Other factors including previous audit results, industry hot topics, significant changes in a department (personnel, process, or system), and fraud risk and hotline trends are also taken into consideration.

This risk-based approach is then combined with management’s feedback, the goals of the University, and resource availability, taking into consideration areas already audited internally and externally, to determine the proposed audit plan.  Auditor judgment is used in selecting the audits, while also considering internal audit expertise, timing, and areas where Internal Audit can provide the most value.

Audit Plan

The proposed audit plan is presented to the Finance and Audit Committee for approval. The FY16 audit plan was approved on October 20, 2015. The plan includes the following:

  • CRM System Review
  • Operational Research Administration Processes
  • Continuous Auditing – Accounting & Purchasing
  • Registrar
  • Human Resources
  • Departmental Audit
  • Graduate Studies

Throughout the year, follow-up testing is also performed on previous audit findings to ensure management action plans are implemented on a timely basis. Additionally, investigations of allegations of fraud or misconduct, special projects, and consulting can be undertaken, as needed.

Auditing Process at Mines

This is a collaborative process between management and Internal Audit. Your involvement is essential for the success of the audit. Two-way communication will help the audit go smoothly. We will work together to agree to any findings during the audit – there should not be any surprises by the reporting phase. While we recognize the audit will involve some of your time, one of our objectives is to avoid disruptions as much as possible.

The Office of Internal Audit is granted full and complete access to any of the School’s records, physical properties, personnel and material relevant to an audit or review.  This authority is granted by our Internal Audit Charter as approved by the Board of Trustees. Audits generally follow the below process:

Notification

The Director of Internal Audit will inform you of the audit through a formal communication.

Information Gathering Sessions

The goal of this step is to gain an understanding of the processes in place. Key personnel are interviewed and departmental policies and other information are reviewed to determine your system of internal controls. Any promotional materials or internal documents that can aid this understanding should be provided during this meeting. It is important for you to take this opportunity to identify concerns or issues you would like to be considered. Additionally, completing the Audit Questionnaire in advance of the meeting can help make the meetings more productive. The Audit Questionnaire can be accessed at the Resources and Tools page.

Kickoff Meeting

The next step is the initial conference where we meet with the organization’s manager and any staff members he or she wishes to include. During this meeting, we will discuss the scope and the logistics of conducting the audit. The scope of the audit is agreed to at this time and is set to address the risk areas within the process.

Fieldwork

During fieldwork we test to verify the controls identified in our preliminary work are operating as expected and that risks are sufficiently mitigated. We generally do this by sampling transactions and tracing them through the operating processes. Audit tests can be conducted in various formats to address the risks and controls in place.

Audit results that differ from expectation are discussed with you before a conclusion is drawn. Perhaps there is additional information that needs to be considered. Once exceptions are agreed upon, they become a finding, which is drafted and provided to you for review. Positive outcomes are also included within the final audit report.

Exit Conference

At the conclusion of the audit, we prepare a draft of the audit report which you review before the final report is issued. This report is discussed with your management team during the conference to make certain the recommendations are practical and there are no misunderstood facts. We will also discuss the action you plan to take as a result of our recommendations.

Final Audit Report

We will incorporate your responses to each of our recommendations in our final report. We request you state whether you agree with each of the recommendations and include a timeline for corrective action in your response. Each audit finding receives a risk rating of high, medium, or low. This rating is primarily based on the circumstances of the finding as it relates to the specific area of audit as well as the controls in place, and its significance in relation to the institution as a whole.

Final reports are distributed to the executive responsible for corrective action, as well as their superiors. They are also distributed to the President, Executive Vice President for Finance and Administration, Office of Compliance and Policy, and the Controller’s Office. As the Director reports to the Finance and Audit Committee, summary audit results are shared during the regular meetings.

Customer Survey

Once the audit is complete, we will send you a customer service survey which asks you to help us improve our audit process. Please take the time to complete the survey and return it to our office.

Report to Finance & Audit Committee

As the Office of Internal Audit reports functionally to the Finance and Audit Committee, a summary of the audit results is presented at those meetings.

Follow-Up Audit

Reported internal audit findings will be reviewed with the auditee (department head, unit manager) at six-month intervals until all findings are resolved. Resolution means satisfactory corrective action is taken. Where resolution of findings is untimely, or will result in significant exposure from control weaknesses or lost opportunity to improve productivity, resolution will be pursued at appropriate higher administrative levels.

Governance

As the Office of Internal Audit reports functionally to the Finance and Audit Committee, a summary of the audit results is presented at those meetings.

Consulting

The Office of Internal Audit also provides advice to management by request.  These engagements normally assist in solving specific problems related to control issues, efficiency, or risk management. The nature and scope are subject to agreement with the department. When performing these services, Internal Audit is to maintain objectivity and not assume management responsibility. Examples of such services include data analytics, business process review, and compliance review.

Requests for review should be sent to the Director, Shannon Sinclair at ssinclair@mines.edu or 303-384-2504.

Continuous Monitoring and Auditing

Continuous auditing (CA) is the gathering of evidence by an internal auditor on people, processes, systems and the related controls on a frequent basis. Continuous monitoring (CM) is a feedback mechanism used by management to ensure the processes and controls in place work as they are intended to. This monitoring can be an important element of the School’s internal control framework as defined by the Committee of Sponsoring Organizations (COSO).

CA is often confused with CM since they are similar in nature. For instance, both analyze organizational data for key attributes of interest.  However, they are markedly different functions. The most obvious difference is who performs the function:  CA is a function of the Office of Internal Audit, and CM is the responsibility of management. The differences are clearer still when viewed in relation to the School’s enterprise risk management framework.

The Three Lines of Defense model distinguishes among three groups, or lines, involved in an effective risk management framework: (1) functions that own and manage risks, (2) functions that oversee risks, and (3) functions that provide independent assurance:

  • 1st Line of Defense: Operational Management – They are responsible for maintaining effective internal controls and executing risk and control procedures on a day-to-day basis. Such risks may be operational in nature or may have to do with finance and compliance. There should be adequate oversight in place to ensure control breakdowns and unexpected events are identified timely.
  • 2nd Line of Defense: Risk Management and Compliance Functions – These functions help ensure the first line of defense is properly designed, in place, and operating as intended. The responsibilities of these functions could include identifying known and emerging issues, identifying shifts in risk appetites, providing guidance and training, as well as monitoring controls or compliance with laws and regulations.
  • 3rd Line of Defense: Internal Audit – Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives. This comprehensive assurance is at the highest level of independence and objectivity within the organization.

In short, CM, driven by management, operates within the first two lines of defense, while CA, as an internal audit function, operates within the third line of defense for the School.

The most value is obtained by using the two processes in combination, although each can be implemented without the other. Coordinated efforts are important to avoid duplication of work and unproductive use of resources. Done well, the benefits of a successfully implemented CA program include a better understanding of risks to the enterprise, increased control effectiveness, support for compliance efforts, optimal use of Internal Audit resources, and potential adoption of CM procedures by management.

Examples of areas that can be continuously monitored (or audited) include: student financial aid, research administration, procurement, and financial policy compliance.