About Internal Audit

We provide opportunities to improve DU operations.

The Office of Internal Audit independently and objectively examines and evaluates activities at the University. Our goal is to help identify opportunities to help DU improve operations and reduce risk, ultimately to increase the chances of meeting strategic goals.

Internal Audit selects areas of focus based on an organization-wide risk assessment designed to enable us to devote our resources to those areas that may be most meaningful to assess. In those areas, we endeavor to provide an objective opinion as to whether procedures in place reasonably achieve the goals of key processes. We work with the Chancellor and the Audit Committee to create an annual audit plan, which guides our process and helps us determine which areas of the University are the best candidates for our focus, given limited resources.

Our office also provides employees information about how to comply with relevant rules and regulatory requirements, and where to report suspicious or improper activity that may violate University policies.

Deciding What to Audit

Each year, Internal Audit proposes a slate of planned audits to the Audit Committee of the Board of Trustees for approval. We decide which departments to audit by considering:

  • The relative risk of various operations throughout the University, giving consideration to numerous types of risk
  • The results of past audits
  • Input from Internal Audit team members, the Audit Committee of the Board of Trustees, University administration, department managers and external auditors
  • Requests for internal audit work from trustees or members of management

 

The Audit Process

In general, if we select your department to be audited, we'll discuss such with senior managers in your office well in advance. While there's never a good time for an audit, there are often particular times that are the worst, and we do our best to avoid those.

We'll schedule a pre-audit meeting with leadership of the area to solicit input as to what areas would be best to address in the scope of the audit. This is a great time to ask questions or raise concerns about the process and how you can help.

After we solicit input from leadership and do preliminary information gathering, we finalize the scope of the audit and an estimated timeline of how long the audit will take.

 

Auditing Steps

Planning: We review any applicable regulatory standards, industry standards, and prior audit work papers. We then meet with key members of management with responsibility for the function to obtain insight into areas that could be a focus of the audit. This process helps us to scope the audit.

Fieldwork: We conduct interviews, observe your department's workflow, assess your department's controls, review and analyze documents, and compare and contrast record data. We may also perform detailed testing on specific samples. During fieldwork, we discuss any potential findings with management as they arise. If the finding is formalized, we request a responsive management action plan and a date by which it will be completed.

Updates: Our staff will regularly share information about the ongoing audit, the timeline and progress of the audit, any findings that have resulted from fieldwork performed and any areas that are stumbling blocks to completing the audit.

Draft Audit Report: Our audit reports include the scope of the audit as well as affirmative results and findings. The draft report is provided to area leadership for review. While this is the first time management sees the draft audit report, all findings will have already been communicated to management prior to this time.

Final Audit Report: Once management has had an opportunity to review and comment on the report, it is finalized and distributed. The standing distribution list for our audit reports includes a number of members of senior management and the chair of the Audit Committee of the Board of Trustees.

Findings Follow Up: Our office revisits management responsible for the action plans in response to findings, in order to ensure the management action plans have been satisfactorily implemented. Findings are not closed until we are confident that adequate response has taken place. Reports on past due findings are provided to executive leadership and the Audit Committee at their periodic meetings.