The Audit process is broken into 3 main phases: Preliminary Review, Conducting and Summary. A number of activities are completed in each stage as outlined here.
The purpose of this stage of the audit process is to conduct an internal risk assessment of the area under review. This enables the auditor to identify and focus on the critical risks within the area or process under review.
Conduct Opening Conference
The Internal Audit Department schedules an entrance conference with the head of the department to discuss the purpose and scope of the audit. Audit clients are encouraged to discuss any concerns or questions they have about the audit, and to invite any of their direct reports they think should be included in the opening conference.
The Auditor obtains the following information from the department:
- financial information, organizational chart, policy and procedure manuals and any other pertinent information
- obtains any management reports utilized by the department
- conducts interviews of department personnel to obtain an understanding of the processes under review
- based on the interviews and the process review, auditor will develop process flows and identify where the risks lie within the process or processes
- conducts a walkthrough of the process with the audit client to ensure the process operates as stated
- the noted risks based on the preliminary review are prioritized
- the areas for testing are identified and an audit program is developed.
The audit program and preliminary findings are discussed with the AVP or VP for audit and obtains approval to move to the next phase of the audit.
The results of the preliminary review are also discussed with the audit client. The audit then moves into the conducting phase.
Audit tests are completed based on the results of the Preliminary Review
The auditor starts testing during this phase, utilizing the audit program developed as a result of the preliminary review noted above. This includes obtaining documents or observing processes to further expand or negate what was identified in the Preliminary Phase. The focus of the conducting phase is to determine if there are adequate systems of internal control and whether the systems are function as intended. The controls are measured against University policies and procedures, and State and Federal regulations, as well as, generally accepted accounting principles. Areas of deficiency and potential recommendations are discussed with the appropriate staff and are documented in the audit work papers.
All audit tests as prescribed in the audit program are completed, and work is documented and summarized. The audit work, deficiencies noted, and potential recommendations are discussed with and approved by the AVP and/or VP for audit.
All findings and conclusions are written-up based on the work performed in the Conducting Phase of the audit
All findings (Opportunities) are formally written up utilizing the internal audit department's five step approach for report writing:
- Condition (what is)
- Criteria (what should be)
- Cause (root cause that allowed the control weakness to occur)
- Effect (the adverse result of the control weakness, it is highly recommended that the auditor quantify the result or potential result of the control weakness)
- Recommendation (steps taken to mitigate or transfer the risk)
Once the report is formally written, it is sent to the process owner prior to the closing conference and all findings are thoroughly discussed and agreed upon. Internal Audit has a no surprises approach prior to a closing meeting. After agreement is reached with the process owner and agreed upon action plans are developed, the report is shared with the VP for final comments or edits prior to the closing meeting.
At the end of each audit a closing conference is conducted and all comments in the report are fully discussed with the process owner and anyone that will be affected by the report (i.e., others where action is required per the action plan).
Once the report is agreed upon, the report is formally issued.
Work papers are submitted to AVP and VP for final review, sign-off and filed.
Program Management & Organizational Effectiveness (PMOE) will assist departments with the planning and implementation of audit recommendations.
A follow-up review is conducted approximately six to twelve months after the audit.
The purpose of the follow-up is to verify that management has implemented the agreed upon
corrective actions. Internal Audit will interview staff, perform tests and/or review new
procedures. A follow-up memo will be issued describing the results of the review and indicate
whether further actions are necessary. If further actions are necessary, PMOE will be responsible for assisting with implementation.