Frequently Asked Questions (FAQ's)
1) What is the authority of the Office of Internal Audit Services?
The Office of Internal Audit Services receives its authority from the Corporation and the responsibilities are defined by the Audit Committee of the Corporation as part of their oversight function.
The internal audit activity will have free and unrestricted access to all members of the Corporation. Administratively, the Office reports to the Executive Vice President for Finance and Administration, and has access to the President of the University as necessary.
Members of the Office, or their designee, are authorized to have free, full, and unrestricted access as necessary to all and any University information, activities, records, property, manual and automated systems, and personnel for the purpose of carrying out their responsibilities.
For additional information, please see the Audit Charter section.
2) How are audits selected?
Audits are selected through a risk assessment process. There are several factors affecting the activities, departments, functions or units selected to be audited. For example, the Office of Internal Audit Services assesses the risk or exposure to loss that any given activity, department, function or unit represents to the University. This assessment is used to weigh the order in which they are selected. Audit requests may also come from departments, functions and units or external sources, such as our external auditors. All organizations directly or indirectly managed by Brown University can be subject to review by the Office of Internal Audit Services.
3) How long does an audit typically take?
The length of time it takes to complete an audit varies significantly. Generally, the time required for the audit will vary depending on the size, complexity and strength of the organization’s internal controls. Some take as little as a couple of weeks and others can take several months. The audit is a dynamic process, the scope of which can be expanded or reduced at any time depending on the issues.
4) How much of my time will the audit require?
For each audit, there will generally be an individual within your organization who will act as our main contact for the duration of the audit. The main contact will be responsible for meeting with us to help determine the scope of the audit, gathering requested documentation, discussing our audit issues and recommendations, and reviewing the final audit report. We will also need to meet with other key personnel during planning and fieldwork to complete our understanding of business processes. Length of meetings can vary depending on the subject matter.
5) What does the basic audit process involve?
An audit is broken down into four main parts. They are as follows:
- Planning: During this phase we gather various types of information from interviews with department, unit or function personnel and members of other offices with which the audited department, unit or function regularly interacts with, as well as from financial analyses we perform. This information helps us get a clear understanding of the various functions of the audited department, unit or function and establish the preliminary scope for the engagement.
- Fieldwork: This phase is where we begin spending a good deal of time "on site" in the department, unit or function. Since each is unique in its size, purpose, staffing, procedures and issues, audit fieldwork can also be unique. We perform tests of various department, unit or function transactions. The number of transactions tested varies from audit to audit depending on our scope. The transactions to be tested will be provided in advance so that department, unit or function personnel have ample time to gather the information before our arrival.
- Reporting: This is the compilation phase. During this part of the audit, we assemble any audit issues and/or suggestions in draft form for discussion with department, unit or function management. As a result, some issues are resolved and some remain to be included as part of the "official" audit report.
- Follow-up: It is anticipated that all Audit Reports will be followed up with the department, unit or function within a reasonable timeframe after the report is issued.
For additional information, please see the Audit Process section.
6) What are the benefits of the audit process to my department, unit or function?
The overall goal of our audit is to provide the department, unit or function being reviewed with an assessment of their control environment and compliance with appropriate policies, procedures, laws, regulations and mandates of senior management and the Corporation.
A secondary goal of our review is to make recommendations, if necessary, that are aimed to improve the efficiency and/or effectiveness by which certain procedures are performed. The Office of Internal Audit Services is uniquely qualified in this respect because it has broad exposure to the University and can therefore relate its experiences to the department, function and unit being reviewed.
7) How do I evaluate my department’s internal controls to ensure they are appropriate?
Internal controls are owned by the University Controller. The Office of Internal Audit Services has designed a self-assessment tool to help departments, functions and units perform an internal evaluation of their own processes and controls. Please see the Control Self Assessment (CSA) section for additional information on this tool.
8) May I request an audit?
You may contact the Office of Internal Audit Services if you want to request an audit. At this time, we will discuss the request to determine a mutually convenient time.
9) What information will I need to provide the auditors?
Prior to our review, we may submit an initial request for information to the department. This request may include general department information which aids us in gaining an understanding of the department, unit and function being reviewed. When we begin the fieldwork segment of our review, the department, unit or function will need to provide us with various details supporting the transactions we are testing.
10) How can I prepare for an audit?
For scheduled audits, the Office of Internal Audit Services will communicate in advance to the department, unit or function and senior management about an upcoming audit. After being notified, the department can prepare for an audit by doing the following (not a comprehensive list):
- Make ready for release to the audit team, the department’s organization chart, list of key personnel and their job descriptions, process flowcharts, operating policies and procedures.
- If applicable, make available the copies of recent external audit reports completed on your department within the audit period.
- Inform the department staff about the upcoming audit and encourage full cooperation with the audit team.
- If applicable, assign areas of the audit scope to key employees so they can effectively plan and prepare to respond to audit requests.
- Contact the audit team, in a timely manner, if you have questions or comments about the upcoming audit.
11) Will the audit interfere with normal workflow within my department?
Inevitably there will be some disruption within the department's daily schedule. However, we try to keep this disruption to a minimum and schedule our meetings with department, unit or function personnel at a mutually convenient time.
12) How confidential will the information I provide to you and my audit report be?
All information received and managed by the Office of Internal Audit Services is held at the appropriate level of confidentiality. Please see the Code of Conduct for additional information on confidentiality.
13) Who gets copies of audit reports?
In general, an audit report is issued to those in a position to see that corrective actions are taken and those with a need to know, generally, the Executive VP Finance and Administration, Senior Officials and key management personnel on a need to know basis, including members of the Audit Committee.
The distribution of reports to others that may request a copy must be approved by the Chief University Auditor. This restriction prevents an indiscriminate broadcasting of reported information to people without a need to know.
14) Who audits the Office of Internal Audit Services?
The Office of Internal Audit Services adheres to the International Standards for the Professional Practice of Internal Auditing, which requires an external assessment once every five years by a qualified, independent review team.
15) What is the difference between internal auditors and external auditors?
Internal auditors work in the Office of Internal Audit Services and are employees of Brown. They support management and the Corporation by performing audit activities that address risks and controls at all levels across the University.
External auditors are non-employees of Brown and they include the University appointed audit firm and external auditors from government / regulatory agencies (for example, Internal Revenue Service).
However, there may be situations where the Office of Internal Audit Services will contract an external audit firm or professional to perform an audit. In this situation, the external auditor will function in an internal audit capacity and their work will be supervised by an internal auditor from the Office of Internal Audit Services.