Conducting a Review

Prior to undertaking a review other than Continuous Auditing, the unit head is contacted and a meeting is scheduled to discuss the type of audit, the objectives and timing, the required resources including working space and information systems access, and the audit reporting process. Prior to the meeting, the head administrative officer is asked to complete an Introductory Meeting Questionnaire to obtain background information about the unit and establish the scope of the review.

The meeting is attended by at least one management member of the Internal Audit Department, the lead auditor, the unit head and the unit’s head administrative officer. The meeting is followed with the issuance of a letter confirming the scope and objectives of the review as well as the scheduled timing of the review and indicating the names of the auditors. The unit head is asked to advise his/her staff of the review and solicit their cooperation.

During this phase, the auditor develops an understanding of the client’s environment, business processes and related risks. Information is gathered from the introductory meeting questionnaire, client interviews (including the introductory meeting), AMS data and client documentation including websites, annual reports, strategic plans, budgets, etc. The auditor prepares a formal risk assessment and an Audit Program (see Fieldwork) to review the client’s existing procedures and controls which relate to the significant risks identified. Using this risk-based approach, the auditor ensures the review is focused on the significant risks.

During this phase, the auditor carries out the Audit Program, which includes procedures to (a) determine the adequacy and effectiveness of client procedures and controls for managing the significant risks identified, (b) assess compliance with University and Sponsor policies and procedures in the target risk areas, and (c) identify opportunities for improving the efficiency and effectiveness of the client’s administration.

Audit procedures include interviews with client staff, observation of the client’s business processes, examination of the client’s records and supporting documentation, verification of the accuracy, propriety, and completeness of the client’s transactions, analytical reviews, and inspection of the client’s assets and facilities.

Preliminary findings are discussed with the appropriate client personnel to ensure that audit findings are not based on misunderstood information.t

In most cases, two reports are issued for each review engagement; the Detailed Findings, Recommendations and Action Plan and the Executive Summary. The Detailed Findings, Recommendations and Action Plan report is issued only to the unit head and documents, as its title suggests, audit findings, recommendations and the client’s action plan. The Executive Summary report, which highlights only significant findings from the review and related action plan comments is issued to:

  1. the unit head and the unit head’s direct report(s);

  2. the Vice-President, Business Affairs and other Vice-Presidents where relevant;

  3. the President and the Secretary of the Governing Council (Internal Audit’s direct report);

  4. the Controller and Director of Financial Services (for information only); and

  5. the University's external auditors (for information only).

In the case of Special Investigations, the report distribution is restricted to those individuals who need to be aware of the results of the investigation.

Audit reports are initially issued in draft to the unit head for review and comment. If necessary, the unit head can request a meeting to discuss the draft reports before they are finalized and issued.

The questionnaire is designed to encourage client feedback about the efficiency and effectiveness of the audit review. The feedback is intended to assist us with our goal of providing the best service possible. The questionnaire should be completed by the client at the conclusion of the review.

Within 12 months after the audit reports (Executive Summary and the Detailed Findings, Recommendations and Action Plan) are issued, Internal Audit performs a follow-up review to assess the implementation of the audit recommendations. A request is sent to the unit head to provide details about the disposition of the recommendations and implementation of previously agreed upon Action Plans.

Internal Audit evaluates the actions taken as described in the unit head’s response. Additional audit work may be performed if necessary and could include an on-site visit. If we conclude that the recommendations from the original audit reports have been addressed appropriately, no further audit work is performed. Where the results of our review indicate that further consideration of the recommendations is required, this is discussed with the client and, if considered necessary, with the responsible Vice-President or, in the case of the following divisions, to the appropriate divisional head:

  • Applied Science and Engineering

  • Arts and Science

  • Graduate Studies (for Graduate Centres and Institutes)

  • Medicine

  • UTM

  • UTSC

Comments on the disposition of the recommendations may be incorporated in the quarterly reports to the President/Vice-Presidents and biannual reports to the Audit Committee at the Internal Audit Director's discretion.