Frequently Asked Questions
Why are Internal Audit Assessments performed?
Our overall goal is to add value and improve the University's operations. We provide reasonable assurance to the Audit and Compliance Committee of the University’s Board of Trustees and management that risks are identified and managed; financial and operational information is accurate, reliable and timely; and the University is compliant with applicable policies, laws and regulations.
How are activities/processes selected for an assessment?
The frequency of assessments is based on a risk assessment process. A risk assessment is a systematic process for identifying and evaluating events (i.e. possible risks and opportunities) that could affect the achievement of objectives, positively or negatively. Events can be identified in the external environment (e.g. economic trends, regulations, competition) and within the internal environment (e.g. people, processes, technology, and infrastructure).
We consider factors such as the size and complexity of the process, research activity, compliance with regulations, amount of revenue and expenditures, changes in key personnel, etc. Processes deemed high risk will be assessed more frequently than those with medium or low risk. Also, Executive Leadership of NYU or the Audit and Compliance Committee of the Board of Trustees may request an assessment of a certain area.
Why would I want to request an assessment?
Assessments are very beneficial to evaluate the University's operations and control systems. If a department has recently changed business processes or is implementing new information systems, an assessment can review the current procedures to determine the effectiveness of internal controls. Also, periodic audits are recommended to ensure overall compliance and appropriate governance.
What types of assessments do we perform?
- Information Technology
- Consulting and Advisory Services
- Special Investigations
What is the internal assessment process?
Our process for a given project involves a number of steps, including the following:
- Planning – Partner with process owner(s) to better understand the objectives of the processes and the risks that may impact achieving those objectives
- Scoping – Collaborate with management to prioritize the risks under review
- Fieldwork – Create procedures to assess the design of the processes and controls, and to determine if the processes and controls are operating effectively
- Reporting and Recommendations – Identify practical action plans with management to address risks and control gaps
What is the outcome of an internal assessment?
Our internal assessments will conclude with a report that describes the scope and fieldwork accomplished throughout the review. We will continuously work with management when compiling the report and work together to agree upon recommended solutions involving risk as well as follow-up procedures to be performed by Internal Audit at a later date.
The key outcomes of all our projects, which ultimately end up in a report, are the following:
- Risks assessed during the assessment
- Observations of controls or processes that may need improvement
- Recommendations and agreed-upon action plans to address any observations
- Follow-up actions that may be performed in future periods
How long does a typical internal assessment last?
Assessments vary from a few days to several weeks, depending on the nature and the scope of the review. Prior to the start of fieldwork, the auditor(s) leading the review will provide a reasonable estimate of the duration needed to complete the assessment. The estimate is based on a collaborative model in which members of the area being assessed will be available to assist with the review on a limited basis. We will work with you to coordinate the review.
Will I get to see a copy of the report before it is issued?
Yes, management and/or those responsible for the area under review will be the first to receive the draft report. We will discuss all findings with management before the end of fieldwork. Once our fieldwork is complete, and management responses have been reviewed, we will issue the report.
What should I do if I learn of fraud, waste or abuse?
You may contact the University’s anonymous Compliance and Risk Reporting Line, or you may contact Public Safety or the Office of Internal Audit. The University does not tolerate retaliation against individuals who report compliance concerns in good faith.