1. 1 Internal Audit and Management Consulting Services
3. 3 Risk Management
Internal Audit – Identifies all auditable activities and relevant risk factors, and assesses their significance through an annual risk assessment.
4. 4 Risk Management
5. 5 Internal Control
Key Concepts
Internal control is a process. It is a means to an end, not an end in itself.
Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
Internal control is geared to the achievement of organizational objectives.
6. 6 Risk Assessment
The internal audit plan is designed to provide the most efficient and effective deployment of internal audit resources in a manner that addresses:
(1) areas of highest relative risk,
(2) core business activities of the University, and
(3) broad coverage across the University and the College of Medicine.
7. 7 Risk Assessment (continued)
Audit Scope – involves assessing the five interrelated components of Internal Control:
The control environment,
Risk assessments,
Control activities,
Monitoring activity, and
Information and communication
8. 8 INTEGRATED INTERNAL CONTROL FRAMEWORK
9. 9 INTEGRATED INTERNAL CONTROL FRAMEWORK
10. 10 Risk Assessment (continued)
Risk Factors utilized in Risk Model:
Risk Factor                       Weight
Dollar/Volume                     .20
Operational Risk                  .25
Compliance Risk                   .10
Nature/Sensitivity of Business    .20
Strategic                         .20
Last Time Audited                 .05
Total                             1.00
11. 11 Risk Assessment (Criteria)
Risk Factor criteria utilized in Risk Model:
Dollar/Volume (receive or disburse funds)
1 - < $100,000
2 - $100,001 to $250,000
3 - $250,001 to $500,000
4 - $500,001 to $1,000,000
5 - > $1,000,000
Operational Risk (based on complexity of process)
1 - Simple operation, small process
3 - Moderate operation, medium process
5 - Complex operation, large process
12. 12 Risk Factors criteria utilized in Risk Model (continued):
Compliance Risk (Federal, State, Local Government funds; also includes Federal, State, Local regulations to follow even if no funding is involved)
1 - No regulatory involvement
3 - Moderately regulated (and/or $100,00 to $400,000 in funds)
5 - Highly regulated (Government funding > $400,000)
Nature/Sensitivity of Business (Student involvement, external relations, governmental, alumni)
1 - No involvement
3 - Some involvement
5 - High involvement
13. 13 Risk Factors criteria utilized in Risk Model (continued):
Strategic – Critical to the strategic mission of the University or College of Medicine
1 - Not critical (no involvement in any of the strategic plan initiatives)
3 - Indirect involvement
5 - Directly involved
Last Time Audited
1 - Audited last fiscal year
3 - Audited within the last 3 years
5 - Not audited within the last 3 years
14. 14 Risk Assessment (continued)
Develop risk assessment model:
15. 15 Risk Assessment Update (continued)
Range Heat
3.5 – 5.0 High
2.5 – 3.4 Medium
1.0 – 2.4 Low
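The model on the preceding slides, worked through as an added example (not part of the original deck). It assumes the composite score is the weighted sum of the six ratings and that exactly $100,000 rates 1; the unit names and ratings are constructed for illustration.

```python
from decimal import Decimal

# Weights from the slide's risk model (they sum to 1.00).
WEIGHTS = {"dollar_volume": Decimal("0.20"), "operational": Decimal("0.25"),
           "compliance": Decimal("0.10"), "sensitivity": Decimal("0.20"),
           "strategic": Decimal("0.20"), "last_audited": Decimal("0.05")}
# Only Dollar/Volume defines ratings 2 and 4; the other criteria are 1/3/5.
ALLOWED = {f: (1, 2, 3, 4, 5) if f == "dollar_volume" else (1, 3, 5) for f in WEIGHTS}

def dollar_rating(amount):
    """Rate dollars received or disbursed on the slide's 1-5 scale.
    Assumption: exactly $100,000, which the slide leaves unassigned, rates 1."""
    for ceiling, rating in ((100_000, 1), (250_000, 2), (500_000, 3), (1_000_000, 4)):
        if amount <= ceiling:
            return rating
    return 5

def composite_score(ratings):
    """Weighted sum of the six ratings (assumed combination rule).
    Decimal keeps the sum exact, so a 3.5 never becomes 3.4999... at a band edge."""
    if set(ratings) != set(WEIGHTS):
        raise ValueError("ratings must cover exactly the six model factors")
    for factor, value in ratings.items():
        if value not in ALLOWED[factor]:
            raise ValueError(f"{factor}: rating {value!r} is not defined by the criteria")
    return sum(WEIGHTS[f] * ratings[f] for f in WEIGHTS)

def heat(score):
    """Band a score using the slide's ranges; valid ratings always give a multiple of 0.1."""
    if score >= Decimal("3.5"):
        return "High"
    return "Medium" if score >= Decimal("2.5") else "Low"

def rank_units(units):
    """Return (name, score, heat) for each unit, highest score first."""
    scored = sorted(((composite_score(r), n) for n, r in units.items()), reverse=True)
    return [(n, s, heat(s)) for s, n in scored]

# Constructed sample units (hypothetical); tuple order follows WEIGHTS.
SAMPLE_UNITS = {name: dict(zip(WEIGHTS, r)) for name, r in {
    "Grants Accounting": (dollar_rating(2_400_000), 5, 5, 3, 5, 5),
    "Campus Bookstore": (dollar_rating(400_000), 3, 3, 5, 3, 5),
    "Parking Services": (dollar_rating(180_000), 3, 1, 3, 3, 1),
}.items()}

if __name__ == "__main__":
    for name, score, band in rank_units(SAMPLE_UNITS):
        print(f"{name:20} {score:4.1f}  {band}")
```

Because Operational Risk and Last Time Audited only take the values 1, 3 and 5, every valid score is a multiple of 0.1, so the gaps between the heat ranges (for example 3.4 to 3.5) are never hit.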
17. 17 Develop an Audit Plan that:
Includes Board Concerns,
Includes Management Needs,
Is Risk Based, and
Is Flexible in a Dynamic Environment