As an element of the University's core business functions, Hospital/Facility Compliance Program processes will be audited once approximately every three to five years using a risk-based approach. The minimum requirements set forth in the “Compliance Program Infrastructure Overview and Risk Assessment” section below must be completed for the audit to qualify for core audit coverage. Following completion of the infrastructure overview and risk assessment, the auditor will use professional judgment to select specific areas for additional focus and audit testing.
Phase 1: Audit Planning
In this phase we plan the information system coverage needed to meet the audit objectives specified by the Client and to ensure compliance with all applicable laws and professional standards. The first step is to obtain an Audit Charter from the Client detailing the purpose of the audit and the management responsibility, authority and accountability of the Information Systems Audit function, as follows:
Responsibility: The Audit Charter should define the mission, aims, goals and objectives of the Information Systems Audit. At this stage we also define the Key Performance Indicators and an audit evaluation process;
Authority: The Audit Charter should clearly specify the authority assigned to the Information Systems Auditors in relation to the risk assessment work that will be carried out, the right of access to the Client's information, the scope and/or limitations to the scope, the Client's functions to be audited and the auditee's expectations; and
Accountability: The Audit Charter should clearly define reporting lines, appraisals, assessment of compliance and agreed actions.
In addition to the Audit Charter, we should be able to obtain a written representation (“Letter of Representation”) from the Client's Management acknowledging:
Their responsibility for the design and implementation of the internal control systems affecting the IT systems and processes;
Their willingness to disclose to the Information Systems Auditor their knowledge of any irregularities and/or illegal acts affecting their organisation that involve management or employees with significant roles within the internal audit department; and
Their willingness to disclose to the IS Auditor the results of any risk assessment indicating that a material misstatement may have occurred.
Phase 2: Risk Assessment and Business Process Analysis
Risk is the possibility of an act or event occurring that would have an adverse effect on the organisation and its information systems. Risk can also be the potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss of, or damage to, the assets. It is ordinarily measured by a combination of effect and likelihood of occurrence. The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in making decisions such as:
The area/business function to be audited
The nature, extent and timing of audit procedures
The amount of resources to be allocated to an audit
The following types of risks should be considered:
Inherent Risk: Inherent risk is the susceptibility of an audit area to error which could be material, individually or in combination with other errors, assuming that there were no related internal ...