Information for Reviewees
The Internal Audit Services supports the University by carrying out systematic and independent reviews which look at:
- Internal Controls
- Risk Management
The reviews carried out are part of a broader Internal Audit Plan which aligns with the University’s Risk Register and to the Strategic Plan.
This page is available as a pdf document: Information for Reviewees
Overview of the Internal Audit Process
|Phase 1 - Planning||Phase 2 - Assessment||Phase 3 - Reporting||Phase 4 –Follow-up|
|Analyse entity;||Systems documentation & evaluation;||Audit file review;||Management response to findings;|
|Initial meeting with management;||Tests of controls;||Determine draft findings;||Finalise Internal Audit Report;|
|Risk assessment;||Substantive testing.||Assign priority levels to findings;||Present the finalised IA report to the UCC Audit & Risk Committee;|
|Determine audit scope;||Closing meeting with management;||Follow up review (circa 12 months)|
|Identify key processes.||Draft report issuance to management.|
Reporting Line of the Internal Audit Office
The Internal Audit Office report to the Audit & Risk Committee (ARC) of the University. This committee is appointed by the UCC Governing Body and has responsibility for oversight of Financial Reporting, Internal Controls and value-for-money. All Internal Audit Reports are presented to the Audit & Risk Committee on completion.
Access & Scope
In carrying out its duties, the Internal Audit Office have access to all information, explanations, records, assets and personnel as it considers necessary. All activities of the University fall within the scope of the Internal Audit Office.
Internal audit reviews are carried out in accordance with a defined methodology. (International Standards on the professional practice of Internal Auditing).
Advantages & Benefits of an Internal Audit Review
- Assists with the accomplishment of strategic objectives;
- Ensure you are achieving value-for-money in your operations;
- Highlight fraud risk in your area;
- Helps identify where your area does / does not comply with policy or regulation;
- Access to an experienced IA team and remove the need to employ costly consultants;
- Help identify issues in advance of other reviews / external audits;
- Good practice will also be highlighted in your report and in your follow-up review.
Frequently Asked Questions
Areas for review are selected based on risk assessment, strategy alignment and rotation. The selection of areas for review is set out in the overall Audit Plan which is reviewed and approved by the Audit & Risk Committee. Once selected for audit, the Head of Functional Area / School / Department will be notified together with the relevant UMTO member.
The purpose of an internal audit is different to that of a financial audit or an audit by a funding agency. Although we do consider the work undertaken by financial auditors in our audit plan, the occurrence of a financial audit will not preclude selection for internal audit.
It’s beneficial to identify main point of contact for the audit and ensure that other relevant staff members are available and aware that the audit will be taking place. It is useful to ensure that there is ready access to key systems and documentation when required (SOPs, legal contracts etc.) In addition, perhaps identify areas/processes that you would like IA to examine in detail and provide an opinion on.
This may vary depending on the scope of the review. The entire process is likely to take 4 – 6 months. This will be discussed in more detail at the planning meeting.
At the end of the review we will issue a report setting out our conclusion on how well controlled your area is. It will highlight ways that you can improve internal controls and give timelines for when these recommendations should be implemented. It will also highlight areas of your operations that are well controlled and where good practice exists.
Internal Audit Reports
|Priority Levels of Internal Audit Report Recommendations|
|Priority 1||Priority 2||Priority 3|
|A P1 recommendation arises where there is a critical weakness in internal controls that could potentially result insignificant loss to UCC:||A P2 recommendation arises where a control weakness has arisen that could undermine the system of internal controls and /or operational efficiency:||A P3 recommendation does not seriously detract from the system of internal controls and or operational efficiency however:|
|For example – a critical impact on operational performance (disruption /closure >3 days; loss of students); A critical monetary or financial statement impact; Critical breach in laws or regulations (material fines / penalties); critical impact upon UCC's brand or reputation (sustained adverse media)||For example – a substantial impact upon operational performance (disruption or closure < 3 days); Substantial monetary or financial statement impact; Substantial breach in laws or regulations (substantial fines / penalties); Substantial impact on UCC’s reputation (adverse media, student complaints).||For example - it could have a moderate impact upon operational performance (limited disruption); Moderate monetary or financial statement impact; Moderate breach in laws or regulations with no fine /regulatory investigation; moderate impact on UCC’s reputation (limited media coverage, complaints).|
|Priority 1 recommendations require immediate implementation.||Priority 2 recommendations require implementation within 3 months.||Priority 3 recommendations require implementation within 6 to 12 months.|
Implementation of Internal Audit Recommendations
Progress in relation to implementation is the responsibility of management within the functional area / school / department in question;
A follow-up review will take place approximately 1 year following the issuance of the internal audit report, as part of which, we will discuss and validate the level of implementation of the recommendations issued. A ‘Follow-Up Report’ will issue to management following completion of this review;
Where a Priority 1 recommendation is issued as part of an audit, management are required to provide monthly updates to the Internal Audit Office in relation to progress on implementation until such time as implementation is complete;
The following tiers of escalation apply where the implementation of a recommendation arising in an Internal Audit review is considered to be unsatisfactory by ARC:
- Level 1. A letter from ARC to the Head of function in the reviewee unit highlighting the point(s) of concern identified by the Committee and requesting a reply addressing the concern(s) to the Committee’s satisfaction within one month.
- Level 2. Where ARC does not receive a satisfactory response within 1 month, to the aforementioned letter, the reviewee management shall be requested to attend a meeting of the Committee to set out the reasons for the delay in implementation of Internal Audit’s recommendation(s).
- Level 3. Where further to the aforementioned, the progress of implementation of recommendation(s) is not satisfactorily addressed by the reviewee ARC may bring the matter to the attention of Governing Body.