Determining audit projects

NAU’s internal audit team: purposeful, reasonable, objective, disciplined

Internal Audit develops an audit plan utilizing the results of NAU’s Enterprise Risk Management Plan  and other inputs to identify the major areas, functions, processes, and other control activities for which an audit may prove beneficial to NAU in achieving its strategic objectives.  Other inputs include a formally defined audit universe, requests made by the ABOR Audit and Risk Management Committee or NAU leadership, higher education industry trends and emerging risk considerations,  and other information that may be available supporting audit needs. Factors included in the risk and project determination process include:

• financial impact

• historical data, prior audit results, and any known weaknesses/problems

• significant changes in personnel, operations, and policies

• the degree of risk or exposure to loss

• the results of audits by other auditors (ABOR, Auditor General, Federal)

• the extent of compliance with standard university policies and procedures as reported by processing departments (i.e., accounts payable, purchasing, payroll)

• the extent of compliance with federal, state, and local regulations

• input from the fiscal representatives for the vice presidents/provost and departments’ business managers

• new or changed laws/regulations

• reputational impact
• operational complexity and change
• information technology impact from both an operational and security perspective

Based on these assessments and discussions with administrators, an internal audit plan is recommended by the Internal Audit Department to the NAU Internal Audit Review Board (IARB).  The IARB reviews and discusses the proposed plan with the chief audit executive and comes to agreement on a final plan that is submitted to the ABOR Audit and Risk Management Committee for approval.  The plan is subject to modification depending on the urgency of projects/issues that may arise during the year where such changes must be approved by the IARB and reported to the ABOR Audit and Risk Management Committee.  The audit plan is intended to focus work where it would be most productive, address the highest-risk areas identified, and provide the most impact.