Skip to McMaster Navigation Skip to Site Navigation Skip to main content
McMaster logo

About Us

Internal Audit

Internal Audit - The Audit Process

Internal Audit Notification Letters are issued to departments that are included in the annual internal audit work plan. The departments are notified of the impending audit including (i) the estimated commencement date, (ii) the purpose of the engagement, and (iii) other applicable dates.

An introductory meeting is scheduled to discuss the audit including objectives, timing, resource requirements, and the audit reporting process. In the planning phase, the auditor gathers an understanding of the unit including applicable processes and associated risks through a review of relevant information including policies and procedures, budgets, strategic plans, departmental objectives, key performance indicators etc. Utilizing this information as well as other internal audit tools and resources, a formal audit program is prepared.

Fieldwork consists of the following:

  • Interviewing key personnel
  • Observing and documenting business processes
  • Performing various analytics
  • Evaluating the completeness, accuracy and propriety of records and transactions
  • Perform applicable testing
  • Review controls, procedures and safeguarding of assets
  • Evaluate for efficiency and effectiveness
  • Assess compliance with University policies and procedures, statutory requirements
  • Other best practices

At the completion of field work, a closing meeting is scheduled. A draft findings report is prepared and issued in advance of the closing meeting. The draft report is then updated to reflect any changes as discussed at the closing meeting, if applicable. Management is then requested to provide the Management Action Plan for the report at a date two weeks after the closing meeting date. Once an acceptable Management Action Plan has been submitted, the final report is issued to the associated report distribution list as noted on the audit report. Audit reports are presented to the Audit and Risk Committee of the Board of Governors three times annually.

Internal Audit follow-up matrixes are issued to departments with pending remedial action items three times yearly requesting a status update on the items. Based on the responses provided in the follow-up matrixes, additional audit work may be performed if necessary which could include site visits. Continuous monitoring will cease once all remedial actions have been adequately implemented.

Enterprise Risk