Annual Audit Plan



The Annual Audit Plan is developed by the Director and presented to the President/Vice-Presidents and the Audit Committee at the beginning of each fiscal year. This Plan outlines (for the coming year):

  • The Department's objectives.
  • A forecast of available audit hours.
  • The planned allocation of audit hours to each type of audit service.
  • A detailed schedule of planned departmental audits.

The Audit Plan is derived by combining the assessment of department-level risks across the University with the projection of available audit resources to determine the most effective schedule of audit activities for the year.

Requests for reviews or special investigations that are not part of the approved annual audit plan are reviewed with the President or his designate prior to acceptance by the Director.

Audit Resources

The Department has an appointed staff complement of eight, which includes the Director, two Managers, one Audit Supervisor, three Senior Auditors, and one Audit Assistant (see Staff Biographies).
At the Director's discretion, audit resources are allocated among department, information technology, continuous audit, special, and follow-up reviews, as well as external audit commitments.


The risk assessment includes a statistical review of the Annual Risk Self-Assessment Survey, the results and timing of prior audits including special reviews, and other information obtained by the Department. The Survey was launched in 1999/2000 and will be conducted annually beginning in 2003/2004 via the Department website.

A business risk model is used to sort identified risks within the following 3 broad categories:

  1. Environment Risk - e.g. legal and regulatory, external financial reporting, financial market.
  2. Process Risk - which includes 5 subcategories: Operations, Financial, Employee and Management Empowerment, Information Processing / Technology and Integrity.
  3. Information For Decision Making Risk - which includes 3 subcategories based on the type of information: Process/Operational, Business Reporting and Environment/Strategic.

The assessment results in the assignment of a risk indicator to each department/unit (e.g. Low, Moderate or High). The expected frequency of departmental audits is: discretionary for Low risk units, approximately 8 years for Moderate risk units, and approximately 4 years for High risk units.

The risk evaluation process has been developed with reference to a standardized framework for establishing and managing an effective enterprise-wide system of controls. For a brief summary of this framework, see Control Framework below.

Control Framework

The Department evaluates risks within the University's control environment with consideration of the Internal Control – Integrated Framework model (developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992). In particular, the following five critical components for an effective system of internal controls (as defined in the model) have contributed to the risk-assessment process:

Control Environment – This is the foundation for a system of internal control, providing the underlying discipline and structure through emphasis on such factors as: integrity and ethical values, management philosophy and operating style, organizational structure, assignment of authority and responsibility and the direction provided by the Governing Council, its boards and the Audit Committee.

Risk Assessment – This is the identification and evaluation of all risks to the achievement of defined organization-wide and process-level objectives for the purpose of determining how best to manage them.

Control Activities – These are the policies and procedures designed to ensure the achievement of organizational objectives.

Information and Communication – This refers to the need for relevant, accurate and timely information to be communicated effectively to ensure effective operations and communication of control responsibilities.

Monitoring – This is the continuous process for evaluating and reporting on the performance of the internal control environment through ongoing monitoring activities, particularly by management and supervisors, and separate evaluations including internal audit reviews.

Last updated: June 15, 2007