Frequently Asked Questions
What is Internal Audit?
Internal Audit is defined as an independent, objective, assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
What is the difference between an internal auditor, external auditor and a federal or government auditor?
Each type of auditor has a different scope, perspective and objectives. Internal audit is concerned with anything in the University and is designed to add value and improve the University's operations. External auditors are independent of the University and are hired to provide an opinion on the information being audited, including annual financial statements. Federal and other government auditors audit the specific grants and awards provided by their respective agencies.
What is internal control?
Internal control is a process designed to provide reasonable assurance regarding the achievement of goals and objectives in:
- effectiveness and efficiency of operations
- reliability of financial reporting, and,
- compliance with laws and regulations.
Simply put, internal controls are the tools used every day by managers to help the organization achieve its objectives and include everything from written procedures to good business practices.
Are auditors only interested in increasing controls?
No, all controls cost money and the cost of achieving control must be balanced against the impact if things go wrong and the likelihood of that happening. Audit Services will identify and report unnecessary or uneconomic controls as part of its review and may suggest alternatives if appropriate.
How long should I keep accounting records on file?
According to the Canada Revenue Agency (CRA), generally, financial records should be kept for seven (7) years.
In general, the University must retain documentation that supports all transactions. In most cases the documents are retained by Financial Services and there is no need for individual units or departments to duplicate this retention except for Procurement Card information as the department/unit retains the original details for procurement card transactions. However, most departments and units like to keep at least one year of documentation to aid in budget planning and other events.
Exceptions to this policy may occur to meet granting agency requirements. For example, CFI records may need to be maintained for five (5) years after the project closes. It is recommended that the department or unit ensure the guidelines of granting agencies have been met before destroying any documents.
I would like to get an exemption to a University Policy or Procedure, can my supervisor sign off on this or should I have the Dean’s office review it?
The simple answer is No. Neither department supervisors nor anyone in the Dean’s office can authorize an exemption to a stated University Policy or Procedure. An exemption to a stated policy or procedure must be sought from the authorizing individual (i.e. policy owner). The authorizing individual is the person who has approved the policy or procedure. In most cases the authorizing individual (by position) is stated in the header of the policy or procedure.
What management responsibilities does Audit Services have?
None. Audit Services is independent of management to provide independence from activities that it audits.
Why is it important for Audit Services to be independent?
This ensures that Audit Services is totally impartial in the work that it carries out. It has no vested interests.
Is it Audit Services’ job to identify fraud?
No. Audit Services attempts to minimize the risk of fraud by identifying potential weaknesses in control, which might enable fraud to be perpetuated. This work sometimes results in fraud being detected and reported in which case a full investigation will be carried out.
Does Audit Services assess the ability of managers?
No. Audit Services reviews processes not people.
Can a unit or department decline to be audited?
Once the annual Audit Plan is approved by the Audit Committee of the Board of Governors, it becomes the work plan for the Audit Services department. Only under unusual circumstances (such as the long-term illness of a manager or key staff member, increased demands on the unit caused by an institutional requirement of higher priority, a large number of vacancies caused by high turnover, etc.) would a scheduled audit be delayed. Although an audit may identify risks within the unit or department, the purpose of the audit is to improve the operations through the discovery of efficiencies and more effective ways to perform functions.
Can a department or unit request an operational audit without identifying a specific problem?
Requests for an operational audit can be made to the Chief Internal Auditor by Deans or department heads. Depending on the scope of the audit (i.e. the size of the operation), time may be made available in the Audit Plan for the current year or may be included in the following year’s plan.