Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The UVA Office of Audit and Compliance assists UVA’s Board of Visitors and University management in the discharge of their oversight, management, and operating responsibilities by providing independent assurance and consulting services to the University community. Our services add value by improving the control, risk management and governance processes to help the University achieve its business objectives

Audit Charter

COSO defines internal control in Internal Control – Integrated Framework (2013) and Enterprise Risk Management – Integrating with Strategy and Performance (2017) as follows:

A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

As this definition clearly points out, internal control is not solely about accounting and financial matters. Compliance with laws and regulations is one of the three fundamental objectives of an organization’s system of internal controls.

The following five components of internal control support all three categories of objectives:

• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring activities
  

Link to image text

The decision of what areas to audit is based in part on the audit plan which has input from university administration, Board of Directors, managers, and the Internal Audit staff. Based on these inputs, each auditable unit is scored, and the highest-scoring projects or units are selected for the audit work plan. The plan is monitored throughout the year and adjusted as necessary due to the changing risk environment.

The audit plan generally includes a scheduled audit in each school or organizational unit on a regular basis. The audit plan also has provisions for special management requests and investigation of possible irregularities in areas. Factors that are considered in selecting units to be audited include:

• Results of the last audit of the area and length of time since last audit
• The size and complexity of the operation
• Potential risk of financial loss
• Major changes in operations, program, systems, or controls
• Highly regulated operations or operations subject to a high level of public scrutiny

There are four distinct phases to an audit at the University and an understanding of these phases will help you to understand the process:

Internal Audit Process

Audits can take from a few weeks to several months depending upon the complexity of the operation and the condition of the records. During the entrance interview, the estimated length of the audit will be discussed. As the audit staff becomes more familiar with the operation and the records, it becomes easier to estimate the length of time an audit will take. Throughout the audit we will keep you informed about the progress of the audit.