Services

The objectives of a Department Review consist of identifying significant risks and risk areas in a client department and (a) determining the adequacy and effectiveness of existing procedures and controls to manage the significant risks identified, (b) assessing compliance with University and Sponsor policies and procedures in the target risk areas, and (c) identifying opportunities for improving the efficiency and effectiveness of the client’s administration.

See Conducting a Review.

Information Systems Audits include but are not limited to the review of system development and project management processes and controls, computing and data storage facilities and processes, IS security and data backup and restoration processes and controls.

The scope of a Systems Development Review includes the planning, development, testing and implementation phases of new or modified central administrative systems and their components. The objective is to evaluate the existence of adequate controls to mitigate the risk that a systems development/acquisition project will provide an information system that:

• Is ineffective or does something unintended

• Compromises the integrity and reliability of data and information

• Fails to provide appropriate management trails to demonstrate (a) proper authorization, completeness, and accuracy of transactions; and (b) proper authorization of software changes, system tables, etc.

• Is not delivered on time or is over budget

Computer facilities encompass data centres, server rooms, tape libraries, etc. The objective of a Computer Facility Review is to assess the adequacy of disaster recovery plans, backup and recovery procedures, physical security, logical security and user administration, access logs and follow-up of exceptions for controls to mitigate the risk of:

• Business interruptions arising due to unexpected events

• Unauthorized transactions and other alterations of data

• Unauthorized software/hardware changes

• Unauthorized use of confidential information

• Unauthorized use/copying of software

Internal Audit performs follow-up reviews approximately 12 months after issuing the final audit report for Department and Information Technology reviews. The objectives of the Follow-up Review are to assess the client’s progress in implementing the action plan(s) agreed upon during the original review and to assist the client’s managers and administrators where difficulties were experienced with implementation of the plan(s).

The objective of Compliance Auditing is to assess the completeness, accuracy and propriety of a monthly sample of transactions drawn from the University’s accounting system using Computer Assisted Audit Techniques (CAAT’s). CAAT’s are tools used by the Department to select audit samples and monitor transactions and data recorded in the University’s accounts for anomalies and compliance with University policies and procedures and funded agency sponsor agreements, regulations and guidelines. When a transaction is selected for audit, the initiator of the transaction is contacted and asked to supply all relevant documentation. Audit findings are discussed with the initiator who then receives a detailed letter which is copied to the appropriate supervisor. The results of compliance auditing are reported to the President and Vice-Presidents and the Audit Committee semi-annually.

Investigations may be undertaken as a result of requests by senior University administrators or department heads, findings identified in the course of an audit review or concerns reported to the Department (see Reporting Incidents of Suspected Financial Impropriety). The reviews are limited in scope to address the specified concerns only.

Reviews generally relate to loss of assets, serious non-compliance with donor and/or grant sponsor requirements, violations of policies, procedures and laws or other University business risks. Where appropriate, the Department consults with the subject matter experts, human resources, labor relations, legal counsel, law enforcement, insurers and others as considered necessary.

The Department regularly consults with the University’s external auditor to coordinate audit activities and avoid duplication of effort.

The Department assists the University’s external auditor with the undertaking of the annual external audit requirements to the extent that internal audit resources are available.

Internal audit reports are copied to the external auditor for information purposes.