Guide to internal audit

What to expect when you Faculty, Institute, Centre or School (FICS) is audited.

This guide outlines what to expect when your department is audited. The frequently asked questions give a quick overview of what an audit is, how to work with your auditor, and how the audit process can help your FICS.


1.1  How will I find out about the audit?
One of the Senior Internal Auditors working at the Internal Audit Function will contact you in advance.

1.2  Why are we being audited?
We plan our audit based on risk. It may be a while since your last audit, or there might be an issue in you FICS which management would like assurance about. Being audited does not mean you have done anything wrong. Virtually all audit work is normal and routine.

1.3  What will the auditor need to access?
This depends on what is being audited. We will ask for key document, and plan specific testing based on them. We only ask for the minimum amount of information necessary.

1.4  Who should I contact if I have concerns or questions?

You can discuss the audit with any member of the audit team, or the Chief Internal Auditor.

1.5  Can I prepare any documents before the audit begins?

We do not expect you to prepare any documents before our initial discussions. Be prepared to discuss system access, as well as general questions about your FICS, and how you manage risks.

1.6  What are the benefits of being audited?
If no issues are raised, it provides further assurance about your controls. We can highlight best practice in our report, and share it to improve controls across the University.

If issues are raised, we can help you improve working practices and strengthen controls, reducing risks and freeing up resources.
2.1  How will the audit begin?
An introductory meeting will be held where we will discuss the audit Terms of Reference.

2.2  How long will the audit take?
The audit budgets an amount of days. This includes planning and review time, which your FICS will not be involved. Every audit takes a different amount of staff time. We work flexibly as possible around staff commitments.

2.3  What actually happens during an audit?
This depends on the audit. Normally we will be present at your office for meetings or scheduled tests. Completion of checklists and drafting of report will be carried out at our office.

3.1  How should we respond to the draft report?
At the end of the audit fieldwork, we will draft the audit report. A closure meeting will be held with the auditee to discuss the findings and recommendations. The formal draft report will then be sent to the auditee as a pdf and word file. The latter is sent in order to allow the auditee to include his/her management feedback and complete the action plan on the document.

As an auditee you will be given ten working day to provide feedback. If you need additional time, you can contact the Internal Audit Function for an extension.



3.2  Do we need to reach a certain standard to ‘pass’ the audit?
Audits are not 'pass' or 'fail'. The report gives an overall opinion based on the individual ratings assigned to each finding included in the final audit report.

3.3  Will there be a follow up?
Yes. Once the agreed deadlines have passed, we will arrange a follow-up audit. We will ask for evidence that you have implemented the recommendation.

3.4  What is the timescale for implementing recommendations?
We are aware of the fact that implementing recommendations can sometimes take a long time. As a guide, we would normally expect actions to be completed within a 12-month period. Recommendations to address a ‘fundamental weakness’ should be actioned as soon as possible.

3.5  Who will see the final internal audit report?
The report is sent to the Rector, University Secretary and the Head of the respective FICS. In addition, a copy will also be forwarded to the Audit and Risk Committee members.

https://www.um.edu.mt/services/internalauditfunction/guidetointernalaudit