Types of Audits and Services
The following descriptions are of the audit types performed by Audit and Consulting Services. The majority of audits performed by the department are operational/managerial, compliance, and information systems (IS). The type of audit performed on a particular auditable unit can be any combination of the types described below. The type of audit to be performed is determined in the initial planning process.
High-Level Review of Procedures
A high-level review is a special type of review that measures general compliance with key corporate policies and with sound business practices. The objectives of this review are to provide the auditor with an understanding of an operation and to determine the nature of detailed testing that may be needed in certain areas.
Procedures for this review consist primarily of inquiries and analytical review concerning significant accounting matters relating to financial information being reviewed. Additionally, the auditor should obtain an understanding of the entity's systems of accounting and internal controls. Compliance and some substantive tests are to be performed over certain areas of an entity; including cash, accounts receivable, credit, travel and expense, property, and inventory.
An operational audit can be defined as an extension of a financial audit. A financial audit tells you where you were and where you are; an operational audit tends to answer the questions why you are where you are and how you got there. In this sense, the operational audit falls into the category of a management service by evaluating the four functions of management: (1) planning,(2) organizing, (3) directing and (4) controlling. The operational audit can be broken down further as a functional review, i.e. Purchasing as a department versus the overall Procurement operation. Several reasons for performing an operational audit are compliance with policies and procedures, adverse variances, thefts, or personnel turnover. The timeliness of an operational audit is determined by the reason for the audit and the areas to be audited.
A compliance audit involves two different, though closely related, types of issues:
· The nature and scope of the transaction against which the compliance is to be ascertained
· The degree to which it is practicable, or even desirable, to determine the compliance.
Therefore, a compliance audit can be defined as a rerun of a given task over a prescribed course which is monitored by various checkpoints to reach a desired conclusion.
Reasons for a compliance audit can vary with the size and complexity of the organization, locations of sites or levels of centralization. A compliance audit may be performed due to a recent history of excessive problems, proposed realignment of responsibilities, manpower turnover, or a routine review of procedures.
The auditor will obtain a package of financial and other documentary information from the auditee and perform limited procedures. In most cases, all procedures will be performed from statewide offices and not at the auditee location.
Several benefits result from desk reviews. The auditor can determine if previous recommendations to the auditee are currently complied with. The auditor can expand the coverage of his audits to nearly the entire organization without making trips to every location. A related benefit is reduced travel time and travel expenses. Finally, the desk review is ideal for training new auditors, allowing them to gain understanding of an entity's operations prior to doing a field audit.
Information Systems Audits
Information Systems (IS) audits are the examination of significant aspects of the electronic data processing environment. There may be several different IS environments, such as: mainframe or mini- or microcomputers—including Local Area and/or Wide Area Networks (LANs or WANs) and wireless networks.
In addition, each environment should have identified audit units. The following is a list of major audit units to be considered for each environment but the list may not be fully inclusive:
· General Controls Review— Review of organizational structure policies regarding documentation standards, access security, program change control and continuity of operations. This could be done in conjunction with other audits (Integrated Approach).
· Detailed Controls Review/Audit— Examination of general control systems such as:
· Access security
· Program change control
· Disaster Recovery
· Financial Application Controls Review— Examination of software systems processing applications such as:
· Accounts receivable
· General ledger
· Detailed Examination of Operating System— Audit specific to Unix operating system or Windows NT.
Audit and Consulting Services occasionally receives requests from management for assistance with information gathering and analysis that does not always necessitate a full audit. Upon agreement between Audit and Consulting Services and management, these can be accomplished as consulting engagements. Examples of consulting engagements include: assisting with inventory observation for a unit, reviewing a process or tentative revisions to a process for internal control weaknesses, reviewing position descriptions for a department or process to provide feedback regarding segregation of duties, polling other higher education institutions regarding a topic that management is interested in and researching new or revised compliance requirements for applicability to the University of Alaska.
The auditing profession is closely linked with the identification and mitigation of risk. As such, we are happy to assist with facilitating risk assessments for individual departments or for specific functions, processes or systems. Our link titled ‘Risk Assessment Tools’ provides an assortment of tools commonly utilized during the conduct of our audits or when facilitating risk assessments. This is not a comprehensive list, nor are these tools mandatory by Audit and Consulting Services when conducting a risk assessment for a University of Alaska department. Individual campuses may have mandatory requirements, so it is encouraged that you refer to your risk officer to inquire.
We have experience facilitating risk assessments that include the following elements:
1. Identification of risks that can prohibit achievement of the mission, stated objectives
2. Identification of opportunities that can enable achievement of mission, stated objectives or goals.
3. Discussion of the controls that currently mitigate the identified risks.
4. Involving groups of individuals for the ranking of risks and opportunities.
5. Prioritizing the ranked risks and opportunities and formatting as a visually appealing risk footprint or chart.
6. Assignment of a responsible party for the highest ranking risks.
7. Risk management plan template for the responsible party.
Our experience includes facilitating risk assessments from a high-level perspective to a detailed level, depending on the group.
We strive to incorporate the concepts of Enterprise Risk Management into our risk assessment processes.