University Internal Audit

University of Massachusetts > Internal Audit > Types of Audits

While there are four major types of internal audits, financial, operating, compliance and information technology - it is not unusual to incorporate elements of each when we review a business process or department on any of the campuses. In addition, internal auditors are sometimes asked to perform special reviews.

Financial audits involve the evaluation of internal control processes over revenues and expenses, and the accuracy of their reporting in accordance with laws, regulations and internally developed policies and procedures. In addition, the safeguarding of the University's assets, as well as the fair presentation of its rights and obligations may be the subject of financial audits.

Operational audits examine the use of the university's resources to evaluate whether those resources are being used in the most efficient and effective way to fulfill the university's mission and objectives. These are sometimes called performance audits. An operational audit may include elements of both a financial and compliance audit.

Compliance audits review both financial and operating controls and transactions to see how well they conform to established laws, standards, regulations and procedures. In addition the audit might identify gaps between regulations and university procedures, and in turn, would suggest training and follow-up programs to ensure personnel are adequately informed about compliance requirements.

Information Technology audits evaluate the internal controls related to the management of information technology environments and related infrastructure, applications and data.  Typical areas assessed include: governance with related policy and process documentation; security (physical and logical over information, applications and infrastructure assets); change management; monitoring; and business continuity/disaster recovery.  Controls are evaluated based on industry organizations and audit standards such as ISO 27002 (International Organization for Standards), ISACA (Information Systems Audit and Control Association) and related COBIT (Control Objectives for Information and related Technology), and IIA (Institute of Internal Auditors), GTAG (Global Technology Audit Guides), as well as adherence to laws and regulations.

Sometimes internal auditors are asked to perform Special reviews by the campuses. Campuses may request specific reviews of: a department's internal controls, situations involving conflicts of interest, or financial irregularities.

The PDF files on this page require the free Adobe Acrobat Reader.