Senior VP for Operations

Internal Audit FAQ

What is internal auditing?

What is internal auditing?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the University’s operations. It helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Where does the Internal Audit Department obtain its authority?

Where does the Internal Audit Department obtain its authority?

The Risk Management, Audit and Compliance Subcommittee of the Board of Trustees annually approve a Service Plan each fiscal year. In addition, the Internal Audit Department Charter, signed by the Risk Management, Audit and Compliance Subcommittee Chair and the President of the University, provides Internal Audit with full and unrestricted access to all Creighton University activities, records, properties and personnel.

What types of services do you provide?

What types of services do you provide?

Assurance Engagements (audits and attestations) - These engagements may include financial, operations, performance, compliance, information technology, and ethical conduct objectives and involve an examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the University.

Consulting Engagements (counsel, advice, facilitation, training) – These are advisory and related client service activities, the nature and scope which are agreed to by the client, intended to add value and improve the University’s governance, risk management, and control process.

Are you subject to professional standards and a code of ethics?

Are you subject to professional standards and a code of ethics?

Yes. As required by the Internal Audit Department Charter we are required to adhere to The Institute of Internal Auditors, Inc.’s (The IIA) International Standards for the Professional Practice of Internal Auditing (the Standards) and Code of Ethics.

Who audits you?

Who audits you?

We are subject to an independent external quality assessment once every five years. As allowed by the Standards, we perform a self-assessment and hire an external independent party to review the self-assessment and validate the results and make recommendations for improvement.

How are engagements selected for inclusion in the annual Service Plan?

How are engagements selected for inclusion in the annual Service Plan?

Activities, divisions, departments, programs, and systems (collectively referred to as units) are selected utilizing a risk-based methodology considering such factors as: financial impact, operational significance, strategic importance, regulatory and compliance environment, quality of internal controls, competence of personnel, degree of reliance on information technology resources, degree of change, stakeholder and management concern, the potential for adding value and improving operations, and the potential for fraud.

How much time will be required of us to assist you?

How much time will be required of us to assist you?

That depends on the nature of the engagement and the complexity and amount of information and assistance required. We attempt to disrupt as little as possible the normal course of your operations and retain a measure of flexibility in the performance of our engagements. We pledge to do all we can “behind the scenes” and strive to be well prepared for our client meetings, presentations, and inquiries thereby using time wisely.

What is your responsibility over confidential information and/or data provided to you in the course of an engagement?

What is your responsibility over confidential information and/or data provided to you in the course of an engagement?

In accordance with The IIA’s Code of Ethics, internal auditors shall be prudent in the use and protection of information acquired in the course of their duties and shall not use information for any personal gain or in any manner that would be contrary to law or detrimental to the legitimate and ethical objectives of the University.

Do you have the opportunity to respond to the audit findings?

Do you have the opportunity to respond to the audit findings?

Yes. Our engagement process typically includes a review of potential findings with our clients before we conclude our audit procedures in the field and at an exit conference if one is held. With concurrence at this stage, a preliminary draft report is prepared and provided to the client and the client’s immediate supervisor. When material or significant findings are reported, we request a written management response and action plan to include in the final report.

Who receives the final reports?

Who receives the final reports?

Distribution of assurance and consultation engagement reports is determined by the Internal Audit Director in consultation with client management.

Assurance engagement reports will generally be provided to the client (i.e. Unit leader), the Unit leader’s supervisor, the Division Vice President or Vice Provost as applicable, and the University’s external auditors. An executive summary is provided to the President, Provost, and Senior Vice President for Operations. The distribution of consulting engagement reports is typically limited to those parties to the services and authorized interested persons.

Twice per year brief engagement summaries are provided to members of the Risk Management, Audit and Compliance Subcommittee of the Board of Trustees.