How we determine who/what we audit

Each year we prepare a risk-based three-year rolling audit plan, which is presented to the Audit Committee at its September meeting. Approval is sought for projects scheduled for Year 1, with proposed projects for Years 2 and 3 provided to the committee for information only. The three-year rolling plan is revisited each year to validate risk rankings and identify emerging risk areas, so that these are considered when annually updating the three-year plan.

The three-year rolling plan is developed with a focus on the identification of key risks facing UVic, as well as consideration of potential emerging risks likely to appear over the three-year audit plan cycle. This risk identification process includes:

  • review of UVic's Strategic Plan to gain an understanding of institutional goals & priorities
  • obtaining a high-level understanding of the activities undertaken by each major business area within UVic. This includes education, student support, research, ancillary services, finance & administration, and other support functions such as Information Systems & Technology
  • a review of business plans for several of the key functions/departments
  • obtaining input from members of the Audit Committee as well as the Executive Council, especially their perspective on key risks or concerns, and where they believe Internal Audit may be able to add value
  • review of UVic’s risk register together with any other risk-related information that may have been provided to the Audit Committee or the Board of Governors
  • obtaining an understanding of significant new initiatives planned for the coming years
  • identification and understanding of key inter-dependencies between various functional areas
  • identification of any recent or anticipated changes in key business processes or functions
  • Internal Audit’s own experience based on business functions or processes previously reviewed
  • a high-level understanding of internal or operational controls that may be in place to mitigate identified risks
  • review of guidance material from professional bodies such as the Institute of Internal Auditors (IIA), the Information Systems Audit & Control Association (ISACA), the Association of Certified Fraud Examiners (ACFE) and others
  • communication & liaison with IA departments at other universities