By: Internal Audit Toronto  09-12-2011
Keywords: internal audit


Internal Audit provides the following services:

The objectives of a Department Review consist of identifying significant risks and risk areas in a client department and (a) determining the adequacy and effectiveness of existing procedures and controls to manage the significant risks identified, (b) assessing compliance with University and Sponsor policies and procedures in the target risk areas, and (c) identifying opportunities for improving the efficiency and effectiveness of the client’s administration.

Information Technology Reviews include System Development Reviews and Computer Facility Reviews.

The scope of a Systems Development Review includes the planning, development, testing and implementation phases of new or modified central administrative systems and their components. The objective is to evaluate the existence of adequate controls to mitigate the risk that a systems development/acquisition project will provide an information system that:

  • Is ineffective or does something unintended

  • Compromises the integrity and reliability of data and information

  • Fails to provide appropriate management trails to demonstrate (a) proper authorization, completeness, and accuracy of transactions; and (b) proper authorization of software changes, system tables, etc.

  • Is not delivered on time or is over budget

Computer facilities encompass data centres, server rooms, tape libraries, etc. The objective of a Computer Facility Review is to assess the adequacy of disaster recovery plans, backup and recovery procedures, physical security, logical security and user administration, access logs and follow-up of exceptions for controls to mitigate the risk of:

  • Business interruptions arising due to unexpected events

  • Unauthorized transactions and other alterations of data

  • Unauthorized software/hardware changes

  • Unauthorized use of confidential information

  • Unauthorized use/copying of software

Internal Audit performs follow-up reviews approximately 12 months after issuing the final audit report for Department and Information Technology reviews. The objectives of the Follow-up Review are to assess the client’s progress in implementing the action plan(s) agreed upon during the original review and to assist the client’s managers and administrators where difficulties were experienced with implementation of the plan(s).

The objective of Continuous Auditing is to assess the completeness, accuracy and propriety of a monthly sample of transactions drawn from the University’s accounting system using Computer Assisted Audit Techniques (CAAT’s).  CAAT’s are tools used by the Department to select audit samples and monitor transactions and data recorded in the University’s accounts for anomalies and compliance with University policies and procedures. When a transaction is selected for audit, the initiator of the transaction is contacted and asked to supply all relevant documentation. Audit findings are discussed with the initiator who then receives a detailed Continuous Audit letter which is copied to the appropriate supervisor. The Department summarizes the results of the Continuous Audit process in a quarterly report to the President/Vice-Presidents’ Committee.

Reviews generally relate to loss of assets, violations of policies, procedures and laws or other University business risks. Where appropriate, the Department consults with the Human Resources Department, legal counsel, law enforcement agencies or others.

The Department regularly consults with the University’s external auditor to coordinate audit activities and avoid duplication of effort.

The Department assists the University’s external auditor with the undertaking of the annual external audit requirements to the extent that internal audit resources are available.

Internal audit reports are copied to the external auditor for information purposes.

Last updated: April 25, 2007  

Keywords: internal audit