Campus Bulletins

May is Internal Audit Awareness Month

Posted Tuesday, May 24, 2022


To bring about awareness during this month, the Management Audit Department on the St. Augustine Campus will be launching an information campaign that will provide knowledge about the department and its work. At the end of the month, a quiz will be launched based on information shared over the weeks prior. Participants will have the chance to win a voucher from Massy Stores.

What is Internal Audit?

As defined by the Institute of Internal Auditors (IIA), “Internal Audit is an independent, objective assurance and consulting activity designed to add value to and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

·      What does internal mean? We are a department of the University established by Council to support the work of the Campus Audit Committee. An external auditor is not a part of the University structure.

·      What does independent and objective mean? Independent means that we are not involved in the activity under review, and we are not part of the management hierarchy. Objectivity is a state of mind and ensures that our results are based on verifiable facts without bias.

·      What is Assurance and Consulting Activity? Assurance is a service of informing the management of the university and wider stakeholder, that controls, risk management and governance processes within the University are operating as expected. With consultancy our role our aim is to provide help and guidance to the University in strengthening internal processes.

·      What is meant by systematic and disciplined approach? Our work is based on well-established frameworks and guidance that has been issued by regulators, professional bodies and through internal training of staff

How does IA fit into the UWIverse?

The department is led by the University Management Auditor (UMA), Ms. Judith Nelson who has regional responsibility for the internal audit function. The UMA is supported by three campus-based teams each led by a Campus Management Auditor (CMA) and supported by an IS Senior Audit Manager, for St. Augustine these are Mr. Darren Ali and Ms. Deborah Isaac. The UMA reports functionally into the Campus Audit Committees as well at the University Audit Committee which a sub-committee of the University Council. The UMA reports administratively to the Vice Chancellor through the University Bursar. 

What do we do?

We offer the following services to the University:

1.     Assurance Services: We perform a range of information systems, operational & financial audits to gain assurance on the effectiveness of risk management, management oversight, internal controls and the effectiveness of operations.

2.     Advisory/Consultancy Services: We accept management requests for advisory and special purpose projects. These may include:

1.     Reviews and recommendations on new processes and procedures, participation on committees in an advisory capacity,  

2.     Data analysis and validation for decision making,

3.     Assistance with interpreting University policies and procedures and

4.     Advisory capacity on IT project committees

3.     Investigations: As required by the University’s Financial Code, our office is called upon to investigate allegations of fraud, misuse of University assets or suspicion of violation of legal or financial regulations, or University policies and procedures.

4.     Training: We provide training sessions and workshops from to time for management to build awareness and knowledge in these key areas:

1.     Improving their understanding of the role of internal audit and the internal audit process

2.     Building awareness of risk identification and management,

3.     Understanding the requirements of legal and regulatory compliance,

4.     Building awareness of internal controls, their design, implementation and monitoring,

5.     Building fraud awareness

What is Risk and Risk Management?

ISO 31000 defines risk as the effect of uncertainty on the objectives of the organisation. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) similarly defines risk in terms of the probability that events will occur that affect the achievement of the organisation’s strategy and business objectives. Risks are often defined in terms of a combination of impact on the organisation’s objective or processes and the likelihood of the risk occurring.

Risk Management can be considered the activities conducted by all levels within the organisation to direct and control an organisation in its response to risk. It’s often implemented via a framework that includes policies, relationships, accountabilities, resources, processes and activities to manage risk.

What is an Internal Control System?

As defined by COSO an Internal control is the process designed and effected by management to provide reasonable assurance about the achievement of the entity's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.

Control definition reflects certain fundamental concepts:

· Internal control is a process. It is a means to an end, not an end in itself.

· Internal control is effected by people. It is not merely policy manuals and forms, but also people at every level of an organization.

· Internal control can be expected to provide only reasonable, not absolute, assurance to an entity’s management and board.

What is the role of Internal Audit?

1. Internal Audit ‘s role in relation to risk management and internal controls includes:

i. monitoring the overall process and providing assurance to those charged with governance that the risk management and internal control systems which departments have designed meet their objectives and operate effectively.

ii. Working collaboratively with the Risk management department to ensure that the framework of risk management is effectively implement throughout the organisation

iii. To educate and inform staff at all levels about risk management and internal controls.

iv. Tasked with investigating breaches in internal controls that result in loss of assets by the organisation.

v. To advise, counsel management on systems of internal controls.

What is your role?

Your role in terms of Risk management and internal controls include:

· To ensure that adequately designed systems of internal controls are in place over critical processes.

· To ensure that internal controls are operating effectively through compliance with policies, procedures and standards that have been established by the organisation

· In terms of risk management, risk owners are tasked with ensuring that there is a process in place to monitor, assess and address risks that affect key processes.

· To safeguard the organisation’s assets

· To report failures of internal controls and in particular fraud to management as soon as possible.

Given your role, how can you help us help you?

You can help Internal Audit by:

· To facilitating through meetings and discussions our understanding of key risks and controls within specific processes and systems.

· Facilitate the timely request for information that Internal audit has made e.g., meetings with key personnel and requests for internal documents.

· Discussing and providing recommendations on the improvement on key controls.

· To ensure that there is timely reporting of suspected cases of fraud to Internal Audit.

· Identify areas of improvement in internal controls that Internal Audit can advise or consult on including the development of new systems or processes. 

 

Internal Audit utilises a systematic and disciplined approach to the conduct of its reviews of the University’s Internal Controls, Risk Management and Governance Processes. Our approach is guided by a rigorous methodology built upon standards and best practices that have been promulgated by various standard setting bodies

Click the link below to find out more about our work.

 What are the stages we go through in conducting an internal Audit?

Within the Audit Department, there are five (5) stages of an audit. These stages are categorized as: pre-planning, planning, execution, reporting and follow-up.

      I.         Pre-Planning

This stage takes place before the audit starts and will be the first time the audit team meets with the engagement manager (i.e. the manager of the department/unit to be audited) to arrange a date to start the audit. Once a time has been scheduled, the audit team will arrange a date for an opening conference meeting with the engagement manager when the scheduled date has arrived.

     II.         Planning

The Opening Conference Meeting signifies the official start of the audit and the transition to the planning stage. During this meeting, the participants will discuss the audit’s objectives, documents to be requested, potential start dates for audit fieldwork, audit expectations, and any concerns relating to the audit. After the meeting and during the rest of this stage, relevant documents and information are obtained and reviewed to gain an in-depth understanding of the area being audited and document the business process. Key departmental personnel may also be interviewed during this time. After performing a risk assessment and identifying key points of interest, the audit team will then design a detailed audit programme and select the items to be audited.

   III.         Execution

During this stage, the audit fieldwork activities performed may include the assessment of internal controls or compliance with policies and procedures, testing of transactions, records, and resources; and performing any other procedures necessary to accomplish the objectives of the audit. Key departmental personnel may also be interviewed during this time. Any exceptions that are identified will be noted in written audit issues (i.e., findings) along with audit suggestions for how the exceptions can be corrected. Once all audit fieldwork activities have been completed and all written audit comments have been finalized, a notice that audit fieldwork has been completed will be the sent to the engagement manager.

    IV.         Reporting

After the fieldwork has been completed, a draft audit report will be prepared outlining the results of the audit, along with opinions formed on matters within the scope of the review. The draft audit report will then be sent to the engagement manager along with a request for a meeting to discuss the contents of the audit report to ensure its accuracy and to determine if any additional audit fieldwork is requested to complete the audit. During the meeting, the engagement manager will also be requested to propose detailed corrective action plans to resolve the exceptions identified during the audit. Once received and agreed upon by the audit team, the action plans will be incorporated into a second draft of the audit report, which will be sent to the engagement manager for a final review. The final audit report will then be released to all relevant parties, including the campus principal, campus audit committee, vice chancellor and the university’s external auditors. 

     V.         Follow Up

Following the release of the final audit report, the engagement manager has a specific amount of time to implement their action plans to resolve the exceptions identified in the audit report. Once this time has passed, the audit team will seek to verify that the action plans have been implemented and the exceptions have been fully resolved. After the corrective action plans have been determined to be effectively implemented and expected results are being achieved, the audit will be classified as completed. 

2.     What are MAP’s?

Management Action Plans (MAPs) are agreed upon actions that process owners will pursue to address the identified control/ issue in the audit report. These are discussed with process owners before then are included in Internal Audit’s published Audit Reports. MAPs have three main components to them: 1) The actions to be taken to address the identified issue 2) the timetable within which the issue is to be addressed and 3) the person(s) that will be responsible for implementation of the action plan.

3.     How is follow-up done?

Agreed MAPs that are provided by process owners are uploaded into our Audit application called Resolver GRC for tracking. The application allows process owners to provide updates to Audit on the progress of these action plans as well as to request Internal Audit to validate that the action plans have been completed as planned. The application also facilitates requests from process owners for extensions on the deadlines for Management Action Plans To assist process owners in tracking MAPs Resolver GRC provides emails notifications to process owners when the due dates for action items are coming due. In addition, member of the Internal Audit team may reach out from time to time to discuss the progress of MAPs with process owners. 

Where are we located/how can you contact us?

Our St. Augustine offices are located in the Sir Frank Stockdale Building (just south of the Bursary, Old Admin Building). We can be contacted via phone @ 868-662-2002 Ext. 82762 via email at sta-audit@sta.uwi.edu or in person at the location mentioned above. Please be reminded that all COVID protocols are observed on visits to the office.

More information about the internal audit profession can be found at https://www.theiia.org/en/