Internal Audit Services

Internal Audit Services is an independent objective assurance and consulting activity designed to evaluate and improve the organization's operations as a service to the Board of Governors and management.

Our mission is to assist the Board of Governors and management in achieving their goals and objectives by:

  • Performing independent and objective assessments of MacEwan University’s processes and controls
  • Providing assistance and guidance in the management of risks and opportunities
  • Recommending and promoting improvements to processes and the control environment


The Internal Audit Services Charter defines the vision, mission, responsibility, and authority of Internal Audit Services at MacEwan University. The full charter outlines the responsibility and authority of IAS.

Read the complete IAS charter 

Reporting Relationship

The director of Internal Audit Services reports functionally to the Audit Committee of the Board of Governors and administratively to the Vice-President and General Counsel.


IAS Reporting Relationship

Audit and Risk Committee

The Audit and Risk Committee is a standing committee of the Board of Governors.

The Audit and Risk Committee Terms of Reference are accessible on the Board and Committee Structure webpage.

The Difference Between Internal Audit and the Auditor General of Alberta (OAG)

As internal auditors we are focused on the identification, assessment, and management of risks and opportunities. We are employees of the university and our audits are generally prioritized to concentrate on areas where the university has the greatest perceived risk of not achieving objectives, or the greatest opportunities for savings or improved performance.

The Auditor General of Alberta is the external auditor for MacEwan University. They are the independent auditor of every Government of Alberta ministry, department, regulated fund and agency. They audit the university’s financial statements.

Types of Audits

Internal Audit Services (IAS) at MacEwan University focuses primarily on the following types of audits:

Operational – Audits are designed to look at efficiency and effectiveness of the University’s business processes. These audits can be risk-based, focus on processes and/or on performance. Often, an Operational Audit may have components of other types of audits.

Compliance – Audits are focused on both financial and operating controls to ensure that the University is compliant with regulations, standards, procedures and any legislation.

Information Technology – Audits are conducted to ensure the controls in place related to the management of information technology infrastructure, applications, software and data are in place and working as designed. 

Fraud Investigations: Internal Audit must be notified and is responsible for investigating frauds at the University. However, IAS may request the assistance of other departments or external providers when needed.

Consulting and Advisory Services - Consulting and reviews requested by management may be accommodated as time permits. Typically, these would be limited in scope to address specific concerns.


Annual Audit Planning Process


Risk based, extensive process, audit universe, discussions with management, etc.

The Annual Audit Plan is developed based on a prioritization of the Audit Universe using a risk-based methodology, input of senior management and the Board. The result is the Annual Audit Plan that must be approved by the Audit and Risk Committee of the Board. After the Committee approves the plan, IAS will distribute it to the senior executives for dissemination to their affected areas.

IAS uses a risk based agile audit methodology, so the audit plan is focused on areas where internal audit can add the greatest value and as the needs of the University change in any given year, IAS can readjust the Annual Audit Plan accordingly. 


Annual Audit Plan approved by the Audit and Risk Committee and then for distribution.


Audit Phases

Kick off Meeting

Introduction of auditors to key personnel and management. Discussion of initial scoping and what the area would like to see as an outcome of the audit.


IAS will meet with key personnel and management and through interviews, discussions, review of process documents and risk assessment will determine the scope of the audit.

The scope of the audit is not always formally established at the beginning of the audit. A risk-based audit methodology allows for some areas to be descoped or added based on identified risk or controls in place. 


IAS will review interview staff, supporting documentation, conduct analyses and record our initial findings.


Ideally, findings will be provided to management as they are identified throughout the audit.

Draft Report

  • IAS will prepare a draft report with the findings and recommendations for improvement or to address a specific risk. IAS’s objective is to ensure that the report is factual, clear and concise.

  • Executive management and the Audit and Risk Committee of the Board are the intended audience for internal audit reports.

  • The draft report will then be sent directly to management (typically those directly involved in the engagement) for review to ensure that they agree with the findings and that the recommendations seem reasonable. At this point, management may identify items that IAS may have to review again or ask for further information.

  • Once the draft report is finalized, IAS will send out a request to management for an action plan that will address the risk(s) that the recommendation has highlighted or improvements to a process and an estimated date of completion.

  • Before finalizing the report, IAS will ensure that management’s action plans address the recommendations and have reasonable timelines for implementation. 

Final Report

  • IAS will finalize the audit report by creating a final copy marked Confidential.

  • The final report will be distributed to management of the area being audited, executive management and the Audit and Risk Committee of the Board.

Follow ups

Three times per year IAS will follow up with management on outstanding Internal Audit recommendations. Management’s responsibility is to provide an assertion of the status of the recommendations. IAS then presents the status of all outstanding recommendations to the Audit and Risk Committee of the Board.


Frequently Asked Questions

What is the purpose of internal audit?

Internal audit helps an organization achieve its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes and provide independent assurance that these processes are operating effectively.

Why is my area being audited?

Internal Audit Services goes through a comprehensive process to create a risk-based audit plan for each fiscal year. This is done by filling out the “Audit Universe” and ranking the risks, interviews with senior management and trends in the industry (post-secondary and internal audit).  If areas of concern have been brought up to IAS during the year, they could end up on the Annual Audit Plan as well.

What is an audit universe?

An Audit Universe represents the potential range of all audit activities and is comprised of a number of auditable entities. These entities generally include a range of programs, activities, functions, structures and initiatives which collectively contribute to the achievement of the University’s strategic objectives

How long will the audit take?

Unfortunately, we cannot predict exactly how long an audit will take. It depends on the scope of the audit, risks to the objectives in the area we are auditing, how quickly you respond to us and other projects that Internal Audit may have on at the time.

Can I ask the internal auditor questions?

Absolutely! Please do. We are more than happy to answer questions.

What if I don't know the answers to the internal auditor's questions?

If you don’t know the answer, be honest and let us know. Offer to take it away, find out the answer and respond at a later date.

What if I’m too busy to answer the internal auditors or can’t make a deadline?

Internal Audit Services requires management’s cooperation in providing information and responses on a timely basis, including management action plans and status reports on action plans. We will work with you to try and shift a deadline where possible. In some cases, deadlines cannot be missed in terms of providing access to documentation.

Related Information

Fraud Prevention Resources

Toolkit for Fraud Prevention and Detection

Introduction: The University is committed to sustaining an environment free of fraudulent or irregular activity and has a responsibility to provide fraud awareness and prevention training. The University holds all Members of the MacEwan Community to a high ethical standard and all members have a responsibility to report suspected fraudulent or irregular activity.

Management, as defined in the Fraud and Irregularities policy, has a duty to familiarize themselves with the types of fraudulent or irregular activity that could occur within their areas of responsibility and to be alert for any indications of fraudulent or irregular activity. This includes identifying the risks to which systems and procedures are exposed, developing and maintaining effective controls to prevent and detect fraud, and setting the appropriate tone of intolerance of fraudulent or irregular activity.

This toolkit has been designed for Management to use to help fulfill that requirement. Contact IAS to get a copy of the full toolkit until further notice.

Fraud Presentation

This presentation is intended to provide an overview of fraud prevention and education to all employees at the University.

Download the presentation (.pdf)

Fraud Bulletin Series

Fraud Bulletin 1

Fraud Bulletin 2

Fraud Bulletin 3

Fraud Bulletin 4

What to do if you suspect a fraud

You can report a suspected fraud to:

  • Your Supervisor, Director, Chair or Dean

  • Any member of senior administration

  • Internal Audit Services

Or you can use the University’s Whistleblower Hotline ConfidenceLine

Toll-free at 1-800-661-9675 or contact online at

Contact Information

If you need more information or have questions about Internal Audit Services, please contact:


Barry Horan, Associate Vice President, Internal Audit and Risk Management

Lisa M. Vallee, Internal Auditor