1. What is the difference between internal audit and external audit?
In the three lines of defence model (three-lines-model-updated.pdf (theiia.org)), internal audit is the third line of defence function which provides independent assurance. It provides an evaluation on the effectiveness of governance, risk management, and internal control to the University’s governing body and senior management. It can also provide assurance to regulators and external auditors that appropriate controls and processes are in place and operating effectively. OIA staff are employees of the University.
External audit is performed by independent third parties for compliance with regulations/laws or for verification that the University fulfils specific standards/requirements. External audits include annual financial audit, Quality Assurance Council’s quality audit, reviews by the Independent Commission Against Corruption, etc.
2. Why are we selected to be audited?
In principle, the University’s activities of all the academic and administrative matters are auditable. Operations audits of various subject matters are planned to be conducted on a rotational basis. Priority and frequency of audit review are considered based on criteria such as relevancy to the University’s strategic goals, maturity of the internal control system, complexity of the operation, etc. Please refer to Audit Planning Methodology for details.
3. What do I need to do during an audit?
Your support to us is essential for the success of an audit. We understand your operation through inquiring with relevant colleagues, observing processes and procedures, inspecting documents and records, re-performing certain activities, and deploying Computer-Assisted Audit Technique (“CAAT”). We will keep an open and ongoing dialogue with you throughout the review for confirmation of audit observations and agreement of audit recommendations.
4. How long does an audit take?
The duration of an audit is impacted by many factors such as complexity of the operations, required collaboration among different parties, potential conflict with the auditee’ other priorities, etc. Normally we expect to complete the audit review in 2 – 2.5 months and we will discuss and update the timeline with you throughout the review process.
5. Who receive the internal audit report?
Internal audit reports are provided to the auditee management (e.g. AVPs, Deans, Heads of academic or administrative departments) with a copy to the President. Auditee management may exercise his/her discretion to share the audit report with fellow colleagues as appropriate. Executive Summary of the report is submitted to the Audit Committee.
6. Can we ask OIA for assistance?
Yes. Besides the scheduled audits, we are also glad to provide consulting services on a particular process or area of your concern. However, the consulting services should not impair our independence. You can contact the Head of the OIA to discuss your needs and how we can assist.
7. If an activity concerns me, how can I report it?
We welcome you to join in protecting the University’s reputation and safeguarding its operations. If you would like to report improper practices, conducts, or issues, please send your message to the OIA’s e-mail. We will study your filing and take appropriate approach to address your concerns. Be rest assured that your message will be kept strictly confidential.