Internal Auditing Standard - Planning
The Chief Audit Executive (CAE) is responsible for developing a risk‐based engagement plan, considering the organization’s risk management framework.
If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior management and the board. The CAE must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
The primary objective of the risk assessment process is to build a comprehensive, data‐driven, and objective risk‐based engagement plan that follows a business focused approach, and allows flexibility. The engagement plan is designed to provide the College with the most comprehensive, timely audit coverage possible utilizing the resources available to the Internal Audit Department. As it is impractical to provide audit coverage to all College departments and functions on an annual basis, audit work is prioritized based on risk.
To be recognized as a collaborative, strategic, trusted advisor, and vital resource, providing information, analyses, and advice to help ensure operations are managed ethically, effectively, and efficiently.
Guided by a philosophy of adding value, the mission of the Internal Audit Department (IAD) is to enhance and protect organizational value by providing high‐quality, objective, risk‐based assurance and consulting services, advice, and insight, while embodying the commitment of improvement and betterment of the college, its students, and the community.
Definition of Internal Audit
Internal auditing is an independent, objective, assurance, and consulting activity designed to add value and improve the College’s operations. It helps the College accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, internal control, and governance processes throughout the various divisions and departments College‐wide.
In addressing our mission, the Internal Audit Department (IAD) supports and assists College leadership and staff in the effective discharge of their responsibilities and achievement of strategic objectives by providing analyses, recommendations, advice, and information concerning:
- The adequacy and effectiveness of the College ’s internal control structure;
- The safeguarding of assets;
- Compliance with applicable laws and regulations;
- Achievement of management’s operational objectives; and
- Effective business processes to achieve internal control efficiently and at a reasonable cost.
Internal Audit Department Structure
- Chief Internal Auditor - Lori Cox
- Assistant Internal Audit Director* - Paul Styrvoky
- Senior Auditor - Amanda Benson
- Senior Auditor - Corwyn Mitchell
- Internal Auditor - Antanette Malone
- Interal Auditor - Averil Fuller
*Note: Staff report to Assistant Director on a project basis.
Risk Assessment Process Overview
- Identify Objectives
- Identify Risks
- Measure Risks
- Prioritize Risks
- Select Engagement & Develop Plan
The IAD’s risk assessment and audit plan supports the College’s commitment to the following Board of Trustees defined priorities:
- Impact Income Disparity Throughout Our Community
- Streamline and Support Navigation to and Through Our College and Beyond
- Strengthen the Career Connected Learner Network and Implement the Student‐Centric One College Organization
- Foster an Equitable, Diverse and Inclusive Environment for Employees and Students
- Re‐design Professional Development to Create a Diverse and Inclusive High Performing Work and Learning Environment
- Serve as the Primary Provider in the Talent Supply Chain Throughout the Region
In conducting the risk assessment IAD met with senior management and surveyed staff to solicit information to understand areas of risk within the College. The risk assessment process will be a continual effort to remain informed of emerging risks, initiatives, and opportunities to work with the College to help manage risks, provide independent assurance, and consult on projects, implementations, and initiatives. In addition, IAD reviewed College information and reports; researched risks common to higher education and other organizations; and reviewed the top topics on corporate internal audit plans, to gain a more holistic view of risks that may be relevant to the College. Items identified include:
College Specific Risks and Concerns
Based on Surveys and Interviews
|Safety and Security||34%|
|Employee Recruitment & Retention||28%|
|Cyber & Information Security||28%|
|Records Management and Retention||24%|
|Business Continuity Planning||21%|
|Professional Development ‐ Staff||17%|
|Policies and Procedures||17%|
|Employee Grievance Procedures||17%|
The significance of risks is assessed based on impact, probability, and velocity.
- Impact (I):
The effect on the College and stakeholders if a risk event occurs or if the area is not functioning as intended. Impact can include lost revenue, increased expenses, fines, adverse publicity, sanctions, reputational damage, and reduced employee morale.
- Probability (P):
The likelihood that a risk event occurs or that the area is not functioning as intended. Probability factors can include prior audit results, turnover, management and staff concerns, lack of internal monitoring and/or governance, operational and control weaknesses, and poor training.
- Velocity (V):
The pace the organization is expected to experience the impact of risk. The speed of regulatory enforcement action is an example of velocity.
(1) Velocity is measured as Rapid, Reasonable, or Slow
*Areas of rapid velocity.
Likely Probability and Major Impact:
- Cyber & Information Security*
- Operating Policies & Procedures
- Professional Development-Staff
- Safety & Security
- Succession Planning
Likely Probability and Catastrophic Impact:
- Business Continuity Planning*
Possible Probability and Moderate Impact:
- Data Liability
- Employee Grievance Procedures
- Records Management and Retention
Possible Probability and Major Impact
- Employee Recruitment & Retention
- Performance Evaluation
Prioritize Risks and Plan Development
|Area/Function/Risk||PF||APC||SR||Included 2021-2022 Plan
or Future Plan (FP)
|Business Continuity Planning||✓|| || ||Yes|
|Cares Act Funding|| || ||✓||Yes|
|CLERY Compliance|| || ||✓||Yes|
|Cyber & Information Security||✓|| || ||Yes|
|Data Liability|| ||✓|| ||FP|
|Employee Recruitment & Retention|| ||✓|| ||FP|
|Fixed Assets|| || ||✓||Yes|
|Employee Grievance Procedures|| ||✓|| ||FP|
|Performance Evaluation|| ||✓|| ||FP|
|Police Dept. Property Room|| || ||✓||Yes|
|Policies and Procedures|| ||✓|| ||No*|
|Procurement||✓|| || ||Yes|
|Professional Development ‐ Staff||✓|| || ||Yes|
|Records Management & Retention|| ||✓|| ||FP|
|Richland Collegiate HS ‐ Attendance||✓|| || ||Yes|
|Richland Collegiate HS ‐ Curriculum Compliance|| || ||✓||Yes|
|Safety & Security||✓|| || ||Yes|
|Succession Planning||✓|| || ||Yes|
|Technology Governance||✓|| ||✓||Yes|
*A review of applicable policies and procedures will be incorporated into each engagement as appropriate.
In addition, top items that did not meet prioritization factors, items of general concern, and/or or “governance related” (i.e., accountability, collaboration) ‐ from interviews and questionnaires – will be discussed with the College leadership as applicable and appropriate and addressed through consulting engagements where possible and time permitting.
Audit Plan - FY 2021-2022
|Engagement Type||Description||Target Fiscal Quarter|
|Audits/Continuous Audits||Cyber & Information Security||Cont.|
|Richland Collegiate High School Attendance||4th|
|Safety & Security||Cont.|
|Special Reviews/ Consulting Engagements||Cares Act Funding Review||1st|
|Police Department Property Room||2nd|
|Police Department Property Room||3rd|
|Richland High School Curriculum Compliance||4th|
|Follow‐up Audits||Dual Credit||2nd|
|IT General Controls||2nd|
|Other Services, Duties & Special Projects|
|Business Continuity Planning|
|External Audit Assistance ‐ 2021 Financial and Single Audit|
|Fraud Hotline Administration and Monitoring (On‐Going)|
|Investigations (As Needed)|
|Workday Implementation Participation (On‐Going)|
Cont. – The review will be broken down into separate focus areas, completed periodically, due to the size and scope of the function/department.
To ensure the IAD can respond timely to emerging risks and issues, the Audit Plan is subject to change due to:
- New or emerging risks or priorities
- Management requests
- Special investigations or reviews
- Special consulting services/engagements
In addition to the activities outlined on the Engagement Plan, IAD development projects planned for the 2021/2022 fiscal year include:
- Fraud Hotline “Redevelopment”
- Internal Audit Related Training for College Employees
- Development of a continuous audit processes for key College functions/departments.
- Implementation of Audit Management Application to streamline IAD efficiency and effectiveness.