16.2 Audit and Consulting Engagement Scope
The USG Office of Internal Audit and Compliance conducts various types of engagements to include assurance engagements, consulting engagements, and special reviews or investigations. Engagement scope is determined by the USG Chief Audit Officer in consultation with auditee management. Potential engagement scopes are summarized below. Some engagements may comprise more than one engagement type, e.g., a blend of assurance and consulting work. Institutional auditors may conduct engagements comparable in scope to the engagements listed in Section 16.2.1. However, the actual engagements performed will be determined by the audit plan approved for that institutional auditor.
16.2.1 Potential Engagement Scope
The scope of internal auditing encompasses the examination and evaluation of the adequacy and effectiveness of the organization’s system of governance, risk management, compliance, internal control and the quality of performance in carrying out assigned responsibilities. The scope will vary by institution or area and may include:
- Review the effectiveness of governance processes to include the:
  - Promotion of ethical behavior within the organization;
  - Efficiency of organizational performance management and accountability;
  - Communication of risk and control information to appropriate areas of the organization; and,
  - Coordination of activities and information among the Board, external and internal auditors, and management.
- Review the effectiveness of risk management processes to include the:
  - Alignment of organizational objectives in support of the USG and institutional missions;
  - Identification and assessment of significant risks;
  - Alignment of risk responses with the USG’s risk appetite; and,
  - Capturing and communication of relevant risk information across the USG and its institutions so as to enable staff, management, and the Board to carry out their responsibilities.
- Review the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
- Review the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on operations and reports and whether the entity is in compliance with those systems.
- Review the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Review and appraise the economy and efficiency with which resources are employed.
- Review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Review the status of Information Technology policies and procedures, verifying that required hardware, software and process controls have been implemented and that the controls are functioning properly.
- Conduct special audits at the request of the Committee Chair, the Chancellor or institution presidents.
- Investigate reported occurrences of fraud, embezzlement, theft, waste, and other instances of malfeasance and recommend controls to prevent or detect such occurrences.
- Analyze and review public private ventures undertaken by the USG, USG institutions, and USG cooperative organizations.
- Provide consulting services at the request of institution management and with the CAO’s approval consistent with the IIA standards governing consulting engagements. Consulting engagements undertaken by the OIAC should have the potential to contribute to the improvement of governance, risk management, compliance, and/or internal controls within the USG or within a USG institution.
- Institutional auditors do not require CAO approval to conduct consulting engagements requested by management. However, significant changes to the institutional audit plan do require approval as noted in Section 16.3.1.