Tufts University

The Audit Process

AMAS’ audit process utilizes a consultative approach and auditing tools to provide recommendations that address internal control risks and business liability and regulatory compliance exposures. Our auditing activities concurrently identify more efficient and effective business processes and procedures. Best practices are researched by contacting other schools and industries, and contacting colleagues within the Association of College and University Auditors, the Little 10 Audit Directors and Little 10 Information Systems Auditors groups and other professional organizations. AMAS also periodically uses ACL, a computer assisted auditing tool (CAAT), to perform more comprehensive tests of selected financial transactions than traditional statistical sampling techniques allow. When appropriate, survey software and risk assessments are employed in certain audits, an approach that involves managers and other department employees in more participatory process reviews of their areas of responsibility with the goal of improving internal controls and certain aspects of their operations.

Audit Plan

On an annual basis, AMAS prioritizes the University’s financial processes, operations, regulatory compliance and information systems for future audits based on identified “risk drivers” (e.g. materiality, fraud risk, quality of internal controls). AMAS also surveys and interviews Tufts vice presidents, senior managers and executive deans of administration seeking their input concerning the strategic and operational risk areas that they perceive as appropriate for audits. Judgments are also applied based on the experiences of AMAS staff, recent audit report results and issues and trends in higher education. The risk assessment supports the determination of which Tufts departments, support operations, information technology and compliance areas should be reviewed with greater or less frequency. This information is used to establish the annual Audit Plan.

The frequency with which certain operating units, processes and systems are audited changes from year to year with the introduction of new information. New Tufts operations and programs that are brought to our attention are incorporated into any updated risk analysis. Deletions from the risk analysis also occur when AMAS is notified of discontinued programs and operations.

Types of Audits

While internal audits can be conducted in accordance with one of the categories described below, it is not atypical to incorporate elements of each when we review a functional unit or business process at the University.

Operational Audit: Sometimes called program or performance audits, this type of audit examines the use of an organization’s resources to evaluate whether those resources are being used in the most efficient and effective ways to fulfill the organization’s mission and objectives. An operational audit may include elements of a compliance audit, a financial audit, and an information systems audit.

Financial Audit: A financial audit involves an evaluation of control processes which are designed to provide assurance to management that:

• Revenues are accurately and completely captured and properly processed
• Expenses are reasonable, appropriate, properly approved and reported
• Financial reporting is accurate and reliable
• Laws, regulations, and internally developed policies and procedures are followed
• Assets are appropriately safeguarded

Compliance Audit: The goal of this type of review is to determine whether an organization is maintaining a sound internal control environment that facilitates regulatory compliance. Key components of a compliance review include:

• Identifying regulations that impact an organization
• Identifying policies and procedures established to ensure regulatory compliance
• Determining what organizational practices exist that are directed towards ensuring compliance
• Comparing organizational practices to established policies and procedures to ensure compliance or identify gaps
• Determining what training and follow-up programs exist to ensure personnel are adequately informed about compliance requirements

Information Technology (IT) Audit: An IT audit assesses the security of an IT application and its hardware, software and network operating environment. A typical IT audit would examine and assess some or all of the following:

• the architecture of the application, operating system and network infrastructure
• the presence of effective data and system access controls
• the presence of firewalls, and the use of virtual private networks (VPN), secure socket layer SSL website features, file encryption and other intrusion-preventative control strategies
• physical and functional security over system hardware and communication components of the system
• the ability of the IT application to meet the needs of the organization’s overall mission, functional, reporting and business objectives

To learn more about safe computing practices at Tufts University click here: Safe Computing FAQ’s (link this to Frequently Asked Questions about Safe Computing and IT Practices at Tufts (Also include as a link from Home Page)

Departmental Review: The objective of conducting this type of audit is to determine if a particular department is maintaining a sound internal control environment in the following areas:

• Purchasing and purchasing card transactions
• Travel and business expense reporting
• Expenses charged to research grants and contracts
• Security over management and research oriented information systems
• PeopleSoft financial transactions and reports

Self-Assessment questionnaires provide management with questions to guide them in evaluating the effectiveness of their internal control environment and identifying areas where enhancement of certain policies and procedures may be necessary. The questionnaire is typically used by a university organization as a self-assessment tool or to provide background information in advance of a more extensive internal audit.

Self-Assessment Questionnaire