Internal Audit Services is an independent objective assurance and consulting activity designed to evaluate and improve the organization's operations as a service to the Board of Governors and management.
Our mission is to assist the Board of Governors and management in achieving their goals and objectives by:
- Performing independent and objective assessments of MacEwan University’s processes and controls
- Providing assistance and guidance in the management of risks and opportunities
- Recommending and promoting improvements to processes and the control environment
The Internal Audit Services Charter defines the vision, mission, responsibility, and authority of Internal Audit Services at MacEwan University. The full charter outlines the responsibility and authority of IAS.
The director of Internal Audit Services reports functionally to the Audit Committee of the Board of Governors and administratively to the Vice-President and General Counsel.
The Audit and Risk Committee is a standing committee of the Board of Governors.
The Audit and Risk Committee Terms of Reference are accessible on the Board and Committee Structure webpage.
As internal auditors we are focused on the identification, assessment, and management of risks and opportunities. We are employees of the university and our audits are generally prioritized to concentrate on areas where the university has the greatest perceived risk of not achieving objectives, or the greatest opportunities for savings or improved performance.
The Auditor General of Alberta is the external auditor for MacEwan University. They are the independent auditor of every Government of Alberta ministry, department, regulated fund and agency. They audit the university’s financial statements.
Internal Audit Services (IAS) at MacEwan University focuses primarily on the following types of audits:
Operational – Audits are designed to look at efficiency and effectiveness of the University’s business processes. These audits can be risk-based, focus on processes and/or on performance. Often, an Operational Audit may have components of other types of audits.
Compliance – Audits are focused on both financial and operating controls to ensure that the University is compliant with regulations, standards, procedures and any legislation.
Information Technology – Audits are conducted to ensure the controls in place related to the management of information technology infrastructure, applications, software and data are in place and working as designed.
Fraud Investigations: Internal Audit must be notified and is responsible for investigating frauds at the University. However, IAS may request the assistance of other departments or external providers when needed.
Consulting and Advisory Services - Consulting and reviews requested by management may be accommodated as time permits. Typically, these would be limited in scope to address specific concerns.
Annual Audit Planning Process
Risk based, extensive process, audit universe, discussions with management, etc.
The Annual Audit Plan is developed based on a prioritization of the Audit Universe using a risk-based methodology, input of senior management and the Board. The result is the Annual Audit Plan that must be approved by the Audit and Risk Committee of the Board. After the Committee approves the plan, IAS will distribute it to the senior executives for dissemination to their affected areas.
IAS uses a risk based agile audit methodology, so the audit plan is focused on areas where internal audit can add the greatest value and as the needs of the University change in any given year, IAS can readjust the Annual Audit Plan accordingly.
Annual Audit Plan approved by the Audit and Risk Committee and then for distribution.
Introduction of auditors to key personnel and management. Discussion of initial scoping and what the area would like to see as an outcome of the audit.
IAS will meet with key personnel and management and through interviews, discussions, review of process documents and risk assessment will determine the scope of the audit.
The scope of the audit is not always formally established at the beginning of the audit. A risk-based audit methodology allows for some areas to be descoped or added based on identified risk or controls in place.
IAS will review interview staff, supporting documentation, conduct analyses and record our initial findings.
Ideally, findings will be provided to management as they are identified throughout the audit.
IAS will prepare a draft report with the findings and recommendations for improvement or to address a specific risk. IAS’s objective is to ensure that the report is factual, clear and concise.
Executive management and the Audit and Risk Committee of the Board are the intended audience for internal audit reports.
The draft report will then be sent directly to management (typically those directly involved in the engagement) for review to ensure that they agree with the findings and that the recommendations seem reasonable. At this point, management may identify items that IAS may have to review again or ask for further information.
Once the draft report is finalized, IAS will send out a request to management for an action plan that will address the risk(s) that the recommendation has highlighted or improvements to a process and an estimated date of completion.
Before finalizing the report, IAS will ensure that management’s action plans address the recommendations and have reasonable timelines for implementation.
IAS will finalize the audit report by creating a final copy marked Confidential.
The final report will be distributed to management of the area being audited, executive management and the Audit and Risk Committee of the Board.
Three times per year IAS will follow up with management on outstanding Internal Audit recommendations. Management’s responsibility is to provide an assertion of the status of the recommendations. IAS then presents the status of all outstanding recommendations to the Audit and Risk Committee of the Board.
Frequently Asked Questions
Internal audit helps an organization achieve its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes and provide independent assurance that these processes are operating effectively.
Internal Audit Services goes through a comprehensive process to create a risk-based audit plan for each fiscal year. This is done by filling out the “Audit Universe” and ranking the risks, interviews with senior management and trends in the industry (post-secondary and internal audit). If areas of concern have been brought up to IAS during the year, they could end up on the Annual Audit Plan as well.
An Audit Universe represents the potential range of all audit activities and is comprised of a number of auditable entities. These entities generally include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the University’s strategic objectives
Unfortunately, we cannot predict exactly how long an audit will take. It depends on the scope of the audit, risks to the objectives in the area we are auditing, how quickly you respond to us and other projects that Internal Audit may have on at the time.
Absolutely! Please do. We are more than happy to answer questions.
If you don’t know the answer, be honest and let us know. Offer to take it away, find out the answer and respond at a later date.
Internal Audit Services requires management’s cooperation in providing information and responses on a timely basis, including management action plans and status reports on action plans. We will work with you to try and shift a deadline where possible. In some cases, deadlines cannot be missed in terms of providing access to documentation.
Toolkit for Fraud Prevention and Detection
Introduction: The University is committed to sustaining an environment free of fraudulent or irregular activity and has a responsibility to provide fraud awareness and prevention training. The University holds all Members of the MacEwan Community to a high ethical standard and all members have a responsibility to report suspected fraudulent or irregular activity.
Management, as defined in the Fraud and Irregularities policy, has a duty to familiarize themselves with the types of fraudulent or irregular activity that could occur within their areas of responsibility and to be alert for any indications of fraudulent or irregular activity. This includes identifying the risks to which systems and procedures are exposed, developing and maintaining effective controls to prevent and detect fraud, and setting the appropriate tone of intolerance of fraudulent or irregular activity.
This toolkit has been designed for Management to use to help fulfill that requirement. Contact IAS to get a copy of the full toolkit until further notice.
This presentation is intended to provide an overview of fraud prevention and education to all employees at the University.
Fraud Bulletin Series
You can report a suspected fraud to:
Your Supervisor, Director, Chair or Dean
Any member of senior administration
Internal Audit Services
Or you can use the University’s Whistleblower Hotline ConfidenceLine
Toll-free at 1-800-661-9675 or contact online at www.MacEwan.ConfidenceLine.net