How are topics selected for an internal audit?
A Year At A Glance
Throughout the year we collect ideas and inputs from the Board of Directors Audit & Enterprise Risk Committee, Management, DOE Fermi Site Office, DOE Consolidated Service Center, and DOE Office of Inspector General. We also reference the Contractor Assurance System (CAS) web pages for information about the structure of the systems. In addition, CAS (management system) owners are interviewed, as needed, with respect to Internal Audit’s risk assessments and audit plans.
We prepare reports that summarize the results of individual audits, as well issue an annual report of activities. Internal audit reports are distributed as they are issued, to a wide audience including the Audit & Enterprise Risk Committee, Management, the DOE Fermi Site Office, the DOE Consolidated Service Center, the DOE Office of Inspector General, and FRA’s external audit firm. Internal audit findings are subsequently tracked, follow-on activities are performed, and periodic status reports are provided to the DOE Fermi Site Office, the Audit & Enterprise Risk Committee and Management in conjunction with Audit Committee meetings.
The Risk Assessment Process
A quantitative risk based approach is used to rank the entities in the audit universe. Our audit universe is defined by management systems and major Fermilab function. Professionally accepted criteria are used to evaluate the relative risk of each function. The following criteria are considered: entity risk (system complexity and transaction volume), the extent to which policies, processes and personnel have changed, materiality, prior audit results, regulatory involvement (applicable DOE Orders), and potential for unallowable costs.
Risk assessment is a comprehensive process, therefore, we ask many different people for their inputs. For example, management system owners are asked to identify significant changes since the last assessment. The risk assessment process utilizes the CAS information primarily through internal audit’s participation in the Services Oversight Group/Assurance Council, Enterprise Risk Board, Senior Leadership meetings and as needed with the management system owners. To avoid duplication of audit effort, we also request copies of external audits and reviews conducted from Laboratory Management. We meet with the Audit & Enterprise Risk Committee, Management, the DOE Fermi Site Office, Consolidated Service Center, and the DOE Office of Inspector General in order to consider their views as we establish our risk based audit plan.
When the risk assessment process is complete, we prepare an annual internal audit plan. The plan is presented to DOE Office of Inspector General, DOE Fermi Site Office, DOE Consolidated Service Center, and Audit & Enterprise Risk Committee for review and approval. We usually focus our resources on the areas of highest risk. Additionally, we also select lower risk ranked topics, or “wildcards,” to ensure broad coverage of the audit universe. The final audit plan approved by the Audit & Enterprise Risk Committee is formally issued to the DOE Fermi Site Office, and copies are provided to the DOE Consolidated Service Center, the DOE Office of Inspector General, and FRA Audit & Enterprise Risk Committee.
Other Services Provided
The annual audit plan includes a provision for projects that may be performed throughout the year.
Fiscal Year 2023 Audit Plan
- Long Baseline Neutrino Facility: Fermilab/SDSTA
- Proton Improvement Plan II (PIP II)
- eMarketplace System: Process and Application
- Universities/Colleges Contracts
- Cybersecurity Plan/Program: NIST Revision 5 Process and Controls
- Construction Projects: Minor Construction
- Incurred Cost Electronically (ICE) Model Submission
- OMB Circular No. A-123 Testing
- Payment Integrity Certification
- Laboratory Director’s House Costs (DOE FSO Requested)
- Follow-on Verification Procedures
- Management Advisory Services