Audit provides independent, objective assurance and advisory services designed to add value and improve the operations of Duke University, Duke University Health System, DUMAC, and the support corporations, agencies and affiliates of these entities (collectively “Duke”). The Office of Audit, Risk and Compliance (OARC) helps Duke accomplish its objectives by bringing a systematic, disciplined and collaborative approach to evaluate and improve the effectiveness of risk management, internal controls, information technology controls, business process design, compliance requirements, and governance processes.
As a service provider within Duke, we first consider the needs of our stakeholders. With this approach, we foster open and collaborative relationships, risk-focused engagement, and opportunities to identify improvements to crucial governance, financial and operational processes and procedures. We have ensured that communication with our stakeholders and staff development supports our mission to advance and integrate risk awareness, internal controls, and compliance requirements, as well as to collaborate on proactive and innovative improvements to business processes through high-quality assurance and advisory services.
Plan Development and Types of Services
Developing the Annual Audit Plan
The institution-wide risk management process is led by senior leaders across the university, the health system, and DUMAC. It is a structured initiative that encourages senior leaders (and their functional areas) to periodically assess strategic, operational, financial, and compliance risk profiles. OARC links heat map risk statements, and the related acceptance or mitigation strategies, focusing on the auditable aspects of governance, policies, processes, and performance. Refer to Risk Management page for more details.
The audit plan year follows the fiscal year of July 1 through June 30. The audit plan emphasizes core assurance services that evaluate the internal control environment and assesses business process effectiveness. Each year, the directors and managers consider a wide array of financial, reputational, operational, compliance, and information technology risks, centralized business processes, business unit level internal control environment and significant changes or updates to the enterprise systems (SAP, PeopleSoft and EPIC). To obtain additional insight and validate the plan, we conduct one-on-one discussions with key stakeholders to prioritize opportunities for each audit plan year. During the year, we may make adjustments to the audit plan based on institutional priority shifts, timing contingencies, and special project requests.
We also determine the scope and timing of engagements based on discussions with senior leaders throughout the year and by monitoring trends in the industry. Key drivers for defining the audit plan, engagement prioritization, and scope include:
- Balance among operational performance, financial controls, compliance, and technology audits
- Focus on horizontal risks and business practices common across the university or health system to provide broadly-valued recommendations
- Vertical attention based on operational significance or financial materiality to ensure organization health and centralized services effectiveness
- Consideration of reputational factors, regulatory changes, organizational shifts, new initiatives, and deployment of new systems or technology tools
- Degree of reliance on technology to support the business process
- Leverage advisory engagements to partner with management for developing process change or risk mitigation strategy for known opportunities
Purpose of an Internal Audit
Internal audits provide assurance that business processes and internal controls are adequately designed, operating effectively, as well as, identify opportunities to make Duke more efficient and effective in achieving its objectives. Internal audits evaluate the strength and appropriateness of risk mitigation strategies and assists management in the improvement of internal controls by collaboration, coaching and facilitation. Audits include financial risks, business operations, and information technology, but also address matters such as organizational reputation, strategic initiatives, and the internal environments. Our goal is to evaluate, advise, and improve the effectiveness of governance, risk management, and internal control processes. The independent and objective audits help executive management, the board of directors and the audit committee demonstrate that they are managing the organization effectively.
Purpose of an Advisory Engagement
Advisory services aid the organization in an objective evaluation of business processes, internal controls, and operating effectiveness of entity-level governance. Our constituents call on these services to gain both transparency and an independent perspective on obstacles, complexities, or to ensure the right balance of risk mitigation and risk tolerance. Often, management has identified these engagements due to a known issue and they want our independent evaluation to help inform potential solutions. Our relationships with operational owners and executive leadership provide a unique opportunity to use our capabilities and entity knowledge to consult on practical business processes with a balanced organizational risk perspective. Our advisory services include process analysis, technology implementation, organizational change management assistance, internal control evaluation, strategy implementation, and/or operational improvement services.
Stoddard B. "Todd" Knowles
Associate Director of Privacy Information
Kenneth W. "Ken" Stern
Associate Director of University Audit
Ian A. Sterrett
Associate Director of Health System IT Clinical Operations
Cara N. Bonnett
Technology Risk Assurance Manager
Shared Services Audit Manager
Mark C. Ledman
Information Technology (IT) Audit Manager
Health System Principal Auditor, Requisition ID #1: 207051