As the Internal Audit branch of the Office of Audit and Risk Services, it is our duty to assist and serve members of the University in the effective execution of their responsibilities by providing them with analysis, appraisals, information, counsel and recommendations pertaining to the activities reviewed and by promoting effective internal controls, sound business practices and continuous improvement.
A risk-based internal audit work plan is developed annually with input from various stakeholders and presented to the Audit and Risk Committee for approval at the annual fall Audit and Risk Committee meeting. The internal audit work plan summarizes the internal audits that will be performed during that audit cycle.
Internal Audit - The Audit Process
Internal Audit Notification Letters are issued to departments that are included in the annual internal audit work plan. The departments are notified of the impending audit including (i) the estimated commencement date, (ii) the purpose of the engagement, and (iii) other applicable dates.
An introductory meeting is scheduled to discuss the audit including objectives, timing, resource requirements, and the audit reporting process. In the planning phase, the auditor gathers an understanding of the unit including applicable processes and associated risks through a review of relevant information including policies and procedures, budgets, strategic plans, departmental objectives, key performance indicators etc. Utilizing this information as well as other internal audit tools and resources, a formal audit program is prepared.
Fieldwork consists of the following:
- Interviewing key personnel
- Observing and documenting business processes
- Performing various analytics
- Evaluating the completeness, accuracy and propriety of records and transactions
- Performing applicable testing
- Reviewing controls, procedures and the safeguarding of assets
- Evaluating efficiency and effectiveness
- Assessing compliance with University policies and procedures, statutory requirements and other best practices
At the completion of fieldwork, a closing meeting is scheduled. A draft findings report is prepared and issued in advance of the closing meeting. The draft report is then updated to reflect any changes discussed at the closing meeting, if applicable. Management is then requested to provide the Management Action Plan for the report by a date two weeks after the closing meeting date. Once an acceptable Management Action Plan has been submitted, the final report is issued to the associated report distribution list as noted on the audit report. Audit reports are presented to the Audit and Risk Committee of the Board of Governors three times annually.
Internal Audit follow-up matrices are issued to departments with pending remedial action items three times yearly, requesting a status update on the items. Based on the responses provided in the follow-up matrices, additional audit work may be performed if necessary, which could include site visits. Continuous monitoring will cease once all remedial actions have been adequately implemented.
McMaster’s Enterprise Risk Program has adopted a framework based on the ISO 31000 guidelines. Our approach is unique as it integrates the University’s culture, organizational structure and processes. It assists in supporting and informing the University’s approaches to strategic planning, operational decision-making, mitigation and monitoring. Using a top-down approach, the program’s primary goal is to facilitate and manage program processes and activities in collaboration with stakeholders.
Enterprise Risk Management (ERM) Approach at McMaster
- a university-wide risk management process applied in a strategic and operational objective setting across the university
- designed to identify potential events that may positively or negatively affect the institution
- designed to manage the risks so they are within the university’s defined risk appetite, thus contributing to the assurance that the institution’s objectives can be achieved