What are controls?

When people think of internal audit, they often think that auditors verify records and the accuracy of financial transactions. That is true. However, internal audit as a profession continues to move toward emphasizing the review of internal controls. In short, audit looks at the processes used to support the mission statement and meet management’s objectives.

In every process there are checkpoints designed to ensure, or provide reasonable assurance, that the objectives are met. These checkpoints are the controls. Usually controls are designed around the following objectives:

  • effectiveness and efficiency of operations
  • reliability of financial and management reporting
  • compliance with applicable laws and regulations

Is internal audit responsible for internal controls?

Management is responsible for maintaining an adequate system of internal control. Internal auditors independently evaluate and test those controls. The internal audit department makes recommendations to management to improve controls.

How are review areas selected?

An audit plan is developed based on significance and risk. Input is actively solicited from the controller and other areas of the university to identify risk areas. These risk areas are rated for various risk components, including dollar loss risk, regulatory noncompliance risk, inadequate service risk, and reputation risk. Both one-year and three-year plans are developed from the risk ratings. These plans are reviewed and approved by the university board of trustees. In addition, special projects are sometimes assigned by the board of trustees.