Audit Methodology

While fulfilling the University Grants Committee’s requirement on risk management, the Internal Audit Office (IAO) makes use of the risk information collected from the University’s risk management exercise initiated by the Risk Management Committee (RMC) for the internal risk assessment of internal audit.

In accordance with the annual risk review process endorsed by the RMC and to foster the risk culture, the University formulates an institutional risk register which helps the departments / units and the IAO set up a common platform for collection and identification of risks.

  • The RMC secretariat consolidates the local risk registers provided by departments / units and discusses them with the Local Risk Officers.
  • The RMC secretariat proposes an institutional risk register for discussion by the Chief Risk Officer with senior management.
  • The RMC endorses the institutional risk register and submits it to the Council for approval.

The IAO conducts its regular internal audit activities on selected topics / units in accordance with its risk-based internal audit plan, the risk items of which are collected from the above risk management process.

In helping each unit assess and update its annual risk register, the IAO selects and performs on a risk basis the internal control or compliance checkings on the local risk registers. This forms the IAO’s internal audit plan, which would also cover the annual audit plans for the subsequent rolling three years.