The Office of Internal Audit (IA) provides assurance and advisory services.


Most engagements are chosen based on an annual risk assessment which uses such factors as emergent issues, risk likelihood and impact, internal control effectiveness, last audit performed, public disclosure implications, etc. The Board of Regents or AU management may also request specific audits and reviews. Because the enterprise is subject to more and more regulation in every facet of our work, the IA’s scope has expanded beyond financial aspects to cover all enterprise risks.

The purpose of assurance engagements is to provide an independent and objective conclusion as to the adequacy of governance, risk management and control processes within the organization, and are conducted in accordance with professional auditing standards. An assurance review scope typically includes reviewing and evaluating:

  • Internal controls to ensure compliance with applicable policies, plans, procedures, laws, regulations, and contracts.
  • The means with which assets are safeguarded.
  • The reliability and integrity of financial and operating information.
  • The economy, efficiency, and effectiveness with which resources are deployed.
  • IT systems to determine if they are appropriately managed, controlled, and protected.

A formal audit report, with agreed upon management corrective actions, is issued at the conclusion of the project.



Advisory engagements are generally requested by management and are intended to add value and improve the organization's governance, risk management and control processes. IA is typically functioning as trainers, facilitators, advisers, and counselors for these engagements, without the internal auditor assuming management responsibility over the area reviewed. 

Types of Advisory Engagements

  • knowledge sharing of best practices, industry benchmarks, and insights,
  • collaboration and advice on campus initiatives including system implementations and process improvements,
  • consultation on risk evaluation and the design of mitigation controls,
  • input on policy/procedure development,
  • advice provided through participation on campus committees, and
  • training in the areas of governance, risk management and controls.

An advisory report is issued at conclusion and may contain recommendations for consideration by management; however, management action plans are not required to be provided and these recommendations are not generally followed up on by IA. 

Engagement Comparison

  Assurance Advisory
Project selection (primary reason) Audit risk assessment Management Request
Focus Retrospective/past performance; control effectiveness Prospective/future focused; guidance to improve processes
Scope set by Audit, in collaboration with client Client, in collaboration with Audit
Sample transaction testing performed? Yes/of controls No
Report issued? Yes Yes
Opinion provided? Yes, effectiveness of controls No
Management provides action plans? Yes No
Follow up performed on recommendations? Yes No