complete. The objective is to encourage students to work together to begin developing an engagement scope that identifies the risks, controls, and concerns over a business process. This project is to also provide the student the opportunity to identify and assess risks as internal auditors do when planning audits. The project will be graded based on the student's contribution to the project and responses to the questions. The project is $15\%$ of your grade and worth $100$ points. I am here for guidance. Please submit no later than Thursday, April $25,2024.$

It is your first day at Whitmore and Associates, which is a consulting organization that offers internal audit services. A local University has contracted with Whitmore and Associates to perform an audit of their University Building Access. The agreement terms include assessing and evaluating the internal control environment and risks. The Auditor$-$in$-$Charge asked you to help prepare Engagement Scope that will be used for determining areas to audit and possible audit procedures to consider.

Employees, faculty, and staff gain access to buildings by an approval form approved by their manager. The employee completes the form with their name, employee number, birthdate, phone number, building location, building access needs including days and hours. The form is then submitted to their employer for review and approval. The supervisor signs the form and returns it to the employee via email. The employee emails the form to Security who will contact the employee to bring their employee badge to their office for coding. The employee takes their badge to the Security office for coding and picks their badge up at the end of the day after the code has been placed on the employee's card. The employee will have access to the buildings that have been approved. When access to another building is needed, the employee contacts the Security office to gain access. There are no background checks done prior to granting access. When the employee separates from the university, their supervisor completes an electronic form to remove their access. There are no checks to determine that the employees' access has been terminated. When employees move to another department, their supervisor is responsible for removing their building access while their new supervisor must request building access. Building access request forms are maintained for one year. There are written policies and procedures that govern the building access process. The policies were written $10$ years ago and employees are asked to review the policies when they are hired. Employees do not acknowledge that they reviewed the

policies were written $10$ years ago and employees are asked to review the policies when they are hired. Employees do not acknowledge that they reviewed the polices The two employees who adds and removes access to buildings does not have anyone review their work. Employees are allowed to have access to at least $3$ buildings with proper approval. However, employees who work in facilities, events, and other areas where services are provided, have access to multiple buildings in accordance with their job duties.

Thinking about what we have been learning in our class, please answer the questions to contribute to the engagement scope and risk assessment. Auditors work together in teams, so feel free to work together! I'll start a discussion board and will be available to meet in Teams to give guidance. Let's have some FUN!

Building Access Review Engagement Scope

Purpose: To develop the engagement scope for evaluating and assessing the internal control environment and operational efficiencies and effectiveness related to building access.

Background

The Security team is responsible for providing and removing access to buildings.

Engagement Scope $($The Auditor$-$in$-$Charge has determined the preliminary engagement scope and objectives$)$

The Audit Team has determined that the preliminary engagement scope and objectives are:

Objective: To gain an understanding of and evaluate the control environment over granting access to and removing access from buildings.

Scope:

Governance $-$ Assess the process and controls that the Security Office has for monitoring and overseeing building access.

Safeguarding $-$ Determine how access is granted, removed, and monitored for unusual activity. Consider if there are any reports generated for monitoring building access.

Safety $-$ Determine the controls over mitigating the risks of unauthorized access.

Safety $-$ Determine the controls over mitigating the risks of unauthorized access.

Risks and Controls

The team brainstormed the following risks and potential controls to reduce the risks. These will be discussed with the client and considered during our fieldwork. Based on the overview of building access provided by the client and thinking of people having access to buildings, list at least $6$ risks $($remember the discussion on fraud risks$)$

No$.$ Risk Potential Control