We provide assurance of processes, not audits of people. Each year, we choose processes to audit by evaluating several factors.

• University Risk Management’s Risk Portfolio – We map the current portfolio risks to an “audit universe” of the University’s processes. 
• Time since last audit – We take into account the timing and results of any recently conducted reviews of your process that have recently taken place.
• External or environmental factors – We leverage external (or environmental) information, including information received from peer institutions, that indicate areas of concern within the higher education community. 
• Input of senior management – Our professional standards indicate that input of senior administration and the Corporation should be considered in our selection process. 

We present an annual workplan to the Brown Corporation Committee on Risk and Audit and University management for their consideration and approval.

A good audit is a well-planned audit.  During the planning phase of an engagement we research the objectives of the area, identify risks that may prevent the achievement of these objective, and the activities performed to manage these risks.  We refer to this as the risk and control framework.

Within this phase the audit team is responsible for communicating the objectives of our review, inform you on the audit process, and begin the process of gathering information for use in the engagement. 

During the fieldwork phase of the engagement, we perform “tests of controls”.  The goal here is to identify that University processes are operating as designed and intended. 

Within this phase the audit team is responsible for communicating the final scope of the engagement and the initial results of our work including exceptions to policy or other outcomes of our testing procedures. Throughout this stage of the engagement, the audit team keeps you apprised of our possible process improvement opportunities as they develop. 

At the conclusion of the engagement, we will present the results of our work in a draft report.  The draft report will include any process improvement opportunities identified in the engagements. 

It is at this point of the engagement when we will share our recommendations and work with you to identify the appropriate management response, whether it be a corrective action plan or a risk mitigation plan.   The final version of the engagement report will incorporate your responses.

Our reports are typically available to the Committee on Risk and Audit, senior management, external auditors or regulators in addition to the distribution list you see on the final product. 

We follow-up on our recommendations and your action plans.  We will review the implementation of your management action plan to confirm its completion and the revised process is effectively operating. If your unit hasn’t been able to meet its deadlines, we’ll work with you to come up with a reasonable timeline to do so. Please keep in mind that it’s part of our job to bring unfinished actions to the attention of senior management.