The Office of Internal Audit (IA) provides assurance and advisory services.
Most engagements are chosen based on an annual risk assessment which uses such factors as emergent issues, risk likelihood and impact, internal control effectiveness, last audit performed, public disclosure implications, etc. The Board of Regents or AU management may also request specific audits and reviews. Because the enterprise is subject to more and more regulation in every facet of our work, the IA’s scope has expanded beyond financial aspects to cover all enterprise risks.
The purpose of assurance engagements is to provide an independent and objective conclusion as to the adequacy of governance, risk management and control processes within the organization, and are conducted in accordance with professional auditing standards. An assurance review scope typically includes reviewing and evaluating:
A formal audit report, with agreed upon management corrective actions, is issued at the conclusion of the project.
Advisory engagements are generally requested by management and are intended to add value and improve the organization's governance, risk management and control processes. IA is typically functioning as trainers, facilitators, advisers, and counselors for these engagements, without the internal auditor assuming management responsibility over the area reviewed.
Types of Advisory Engagements
An advisory report is issued at conclusion and may contain recommendations for consideration by management; however, management action plans are not required to be provided and these recommendations are not generally followed up on by IA.
Assurance | Advisory | |
Project selection (primary reason) | Audit risk assessment | Management Request |
Focus | Retrospective/past performance; control effectiveness | Prospective/future focused; guidance to improve processes |
Scope set by | Audit, in collaboration with client | Client, in collaboration with Audit |
Sample transaction testing performed? | Yes/of controls | No |
Report issued? | Yes | Yes |
Opinion provided? | Yes, effectiveness of controls | No |
Management provides action plans? | Yes | No |
Follow up performed on recommendations? | Yes | No |