The Senior IT Auditor II position is responsible for performing internal audit work throughout the University of Minnesota. The University encompasses a wide array of diverse activities including academic support functions, sponsored research, large scale business operations, academic health care, intercollegiate athletics, and municipal/utility operations. The complexity and size of audit assignments will vary significantly and will encompass audits of University units and processes, investigations, and other special projects. Incumbents are expected to have four or more years of applicable IT audit experience or a combination of: audit, IT and other relevant experience. Incumbents must also be able to demonstrate proficiency in performing internal audit work that conforms to the Institute of Internal Auditor’s professional standards. Work assigned to incumbents will generally be well-defined, but work direction and scope may on occasion require some additional research and refinement by the incumbent. It is expected this work will be carried out with limited supervision. Decisions regarding the scope of work to be performed, the nature of testing to be completed, and the reporting and disposition of results will be delegated to this position with oversight by supervisors or managers.
1. (~40%) Perform IT audit testing of both University units and processes to evaluate the efficiency and effectiveness of internal control, risk management and governance processes with limited guidance. This includes assessing whether:
• Risks are appropriately identified and managed by the process owners and/or University management. • Auditees’ actions are in compliance with policies, standards, procedures, and applicable laws and regulations. • Resources are acquired economically, used efficiently, and adequately protected. • Programs, plans, and objectives are achieved. • Quality and continuous improvement are fostered in the University’s control processes. • Significant legislative or regulatory issues impacting the University are recognized and addressed appropriately.
2. (~25%) Communicate the results of the audit work performed, using both verbal and written skills. This will include:
• Developing and documenting findings and recommendations that properly address risks and conclusions. • Meeting with the audit client(s) to discuss both the preliminary and final audit results. • Using appropriate audit judgment in evaluating the significance of audit findings and the impact/risk of the issue. • Drafting the initial audit report. • Ensuring recommendations made are both actionable and cost-effective and identify appropriate root cause.
3. (~15%) Perform engagement management activities associated with audits of University units or processes, generally those of medium and low risk and with guidance. This will include:
• Managing work assignments and evaluating work product of staff assigned to the audit. This includes being responsible for ensuring the work product is complete, logical and complies with both the Institute of Internal Auditor’s professional standards and department practices. • Ensuring staff are using appropriate audit judgment when drawing conclusions and evaluating the significance of audit findings. • Coaching staff regarding completion of IT audit processes, evaluation of the units and business processes being reviewed, and creation of recommendations. • Coordinating work effort and communication with line management responsible for assigned areas. • Performing reviews of others’ IT audit work to ensure it contains relevant facts to support audit scope and conclusions and adhere to internal audit policies and procedures.
4. (~20%) Plan medium to low risk IT audits with limited guidance. The plans and procedures are to be developed using a risk-based methodology, focusing our audit effort on those activities creating the greatest risks to the institution. Plans must be developed in recognition of the limited audit resources available for each audit engagement. This will include:
• Collecting background material needed through a variety of mechanisms including interviews and data queries for defining the scope of planned audits based on risk analysis and management needs. • Summarizing discoveries during the planning process. • Drafting engagement letters, audit programs, time budgets and work schedules for the audit.
The above audit work should be carried out by:
• Using accepted audit procedures and techniques during the audit, and performing audit steps in the programs established to evaluate the adequacy of controls, risk management and/or governance processes. • Documenting, reviewing and assessing internal controls and the efficiency and effectiveness of business practices used in the units/processes being audited. This typically is accomplished through the use of questionnaires, interviews and flowcharts, data analytics and also through the testing of transactional activity. • Obtaining, analyzing and appraising IT controls, transactions, documents, records, reports and methods that provide the basis for our conclusions on the effectiveness and efficiency of controls over the unit or process being audited. • Collecting and analyzing, through the use of data analytics and other methods, sufficient competent evidence to serve as a basis for our conclusions. • Preparing detailed, clearly labeled work papers that record and summarize data on the audit work assigned. • Exhibiting flexibility and agility in daily tasks and overall schedule. • Working effectively and efficiently in a team environment or individually as needed. • Assessing whether data analytics can be utilized in the assessment of risk and controls and properly collecting, interpreting, and concluding on data. • Developing and maintaining relationships with audit client contacts. • Participating in development of less experienced staff. • Displaying effective judgement and decision-making skills. • Develop depth and breadth of knowledge that includes operational, financial, technology, and regulatory understanding across multiple businesses and developing knowledge in critical subject areas as needed.
• Conduct follow-up work to determine the current status of prior recommendations made to management. • Complete training and other activities to maintain and enhance professional skills and abilities. • Gather, review and assess audit evidence as part of investigating allegations of misconduct. • Perform audit work related to non-IT activities.
The results of the audit work performed by this position is ultimately reported to the highest levels within the University, including the President and the Board of Regents Audit and Compliance Committee.
• A BA/BS in accounting, finance, management, IT management, or related fields and four or more years of audit experience or a combination of related education and work experience to equal eight years.
• Professional certification (e.g. CISA, CPA, CIA, CFE) and/or an advanced degree is highly desired and a CISA is preferred. • Basic computer skills (Microsoft Word, Excel, etc.) are required. • Effective interpersonal and communication skills are required. • Understanding of standard IT Audit principles, including IT General Controls, is required. • Knowledge of IT systems and system security audit principles and techniques (e.g., server and database configuration reviews) is highly desired. • Good analytical skills with high attention to detail and accuracy is essential. • A working knowledge of the University of Minnesota: its business processes; policies and procedures; governance practices; and regulatory obligations is desired. • Experience with PeopleSoft financial, human resource and student systems is desired. • Advanced data analytic skills and use of visual tools and techniques such as SQL and Tableau is desired (and expected to be developed)
Internal Number: 330112
About University of Minnesota, Twin Cities
The University of Minnesota, founded in the belief that all people are enriched by understanding, is dedicated to the advancement of learning and the search for truth; to the sharing of this knowledge through education for a diverse community; and to the application of this knowledge to benefit the people of the state, the nation, and the world.