How are topics selected for an internal audit?
A Year At A Glance
Throughout the year we collect ideas and input from the Board of Directors Audit Committee, Management, DOE Fermi Site Office and DOE Office of Inspector General. We also reference the Contractor Assurance System (CAS) web pages for information about the structure of the systems. In addition, CAS (management system) owners are interviewed with respect to Internal Audit’s risk assessments and audit plans.
We prepare reports that summarize the results of individual audits, as well issue an annual report of activities. Internal audit reports are distributed as they are issued, to a wide audience including the Audit Committee, Management, the DOE Fermi Site Office, the DOE Chicago Office, the DOE Office of Inspector General, and FRA’s external audit firm. Internal audit findings are subsequently tracked, follow-on activities are performed, and periodic status reports are provided to the DOE Fermi Site Office, the Audit Committee and Management in conjunction with Audit Committee meetings.
The Risk Assessment Process
A quantitative risk based approach is used to rank the entities in the audit universe. Our audit universe is defined by management system and major Fermilab function. Professionally accepted criteria are used to evaluate the relative risk of each function. The following criteria are considered: entity risk (system complexity and transaction volume), the extent to which policies, processes and personnel have changed, materiality, prior audit results, regulatory involvement (applicable DOE Orders), and potential for unallowable costs.
Risk assessment is a comprehensive process, therefore, we ask many different people for their inputs. For example, management system owners are asked to identify significant changes since the last assessment. The risk assessment process utilizes the CAS information primarily through internal audit’s participation on the Laboratory Director’s Advisory Council on Integrated Assurance and independent quality assessments. To avoid duplication of audit effort, we also request copies of external audits and reviews conducted. We meet with the Audit Committee, Management, the DOE Fermi Site Office, and the DOE Office of Inspector General in order to consider their views as we establish our risk based audit plan.
When the risk assessment process is complete, we prepare an annual internal audit plan. The plan is presented to the Audit Committee for review and approval. We usually focus our resources on the areas of highest risk. Additionally, we also select lower risk ranked topics, or “wildcards,” to ensure broad coverage of the audit universe. The final audit plan approved by the Audit Committee is formally issued to the DOE Fermi Site Office, and copies are provided to Management, the DOE Chicago Office, the DOE Office of Inspector General, and FRA’s external audit firm.
Other Services Provided
The annual audit plan includes a provision for projects that may be performed throughout the year.
Fiscal Year 2016 Audit Plan
- Project Management: Export Controls
- Visa and Immigration Process
- General Computing Policies, Procedures, and Governance: Computing Standards and Efficiencies
- Asset Management: IT Equipment and Applications
- Annual Allowable Cost Audit
- OMB Circular A-123 Testing
- Follow-on Verification Procedures
- Management Advisory Services