Audit Process Overview
The audit process consists of three main phases:
- Planning & Risk Assessment
- Report & Follow-Up
A number of activities are completed in each phase as outlined below.
Planning & Risk Assessment
The purpose of this phase is to plan the audit and conduct an initial risk assessment of the area under review. This enables the auditor to identify and focus on the critical risks.
Conduct Opening Meeting
The Internal Audit Department schedules an opening meeting with the head of the department under audit to discuss the purpose and scope. Auditees are encouraged to discuss any concerns or questions they have about the audit and invite any of their direct reports to the meeting.
During the Planning & Risk Assessment phase, the Auditor typically requests the following information from the department:
- financial information
- organizational chart
- policies and procedures
- management reports utilized by the department
- agreements / contracts
- job descriptions
- strategic documents / mission statements
While performing the Risk Assessment, the auditor will:
- conduct interviews to obtain an understanding of the process under review;
- conduct walk-throughs of the process to ensure the process operates as stated;
- prioritize the noted risks based on the preliminary review; and
- develop the work program, audit scope, objectives and audit tests.
At the conclusion of the Planning & Risk Assessment phase, the Senior Auditor will create the work program and discuss this program with both the Chief Audit Executive and Executive Director, Internal Audit. The work program contains the audit scope, objectives and specific testing that will be performed during the audit. The work program and audit tests are determined based on the results of the Planning & Risk Assessment phase.
Fieldwork includes further walk-throughs, interviews, data analysis, control & process testing, and transaction & detail testing. The focus of Fieldwork is to determine if there is an adequate system of internal control and whether the system is functioning as intended. Controls are measured against University policies and procedures, State and Federal regulations, and generally accepted accounting principles. Areas of deficiency and potential recommendations are discussed with the appropriate staff and are documented in the audit work papers.
The audit work, noted deficiencies and potential recommendations are discussed with and approved by both the Chief Audit Executive and Executive Director, Internal Audit.
All findings and conclusions are based on the work performed in the Fieldwork phase of the audit.
All findings (opportunities) are transcribed into a formal written report based on the Internal Audit Department's five-step approach:
- Condition (what is)
- Criteria (what should be)
- Cause (root cause that allowed the control weakness to occur)
- Effect (the adverse result of the control weakness, it is highly recommended that the auditor quantify the result or potential result of the control weakness)
- Recommendation (steps taken to mitigate or transfer the risk)
Once the formal report is complete, it is sent to the process owner prior to the closing conference. All findings are discussed thoroughly and agreed upon before the Internal Audit Department issues the report. Internal Audit adheres to a 'no surprises' promise and discusses all observations and recommendations with the auditees before the closing conference and issuance of the report.
Once the report is agreed upon between Internal Audit and the auditees, the report is formally issued.
Work papers are submitted to the Executive Director for final review and approval. The Chief Audit Executive reviews the final report and sign-offs.
At the end of each audit, a closing conference is conducted and all comments in the report are fully discussed with the process owner and anyone who will be impacted by the report.
Management Action Plan Follow-Up and Escalation Procedure
Internal Audit will follow-up with auditees on the status of Management Action Plans in accordance with the Management Action Plan Follow-Up and Escalation Procedure. Internal Audit will review evidence to ensure that action plans are sufficiently closed. If a due date will not be achieved, Internal Audit will escalate the action plan to the Office of Program Management and Organizational Effectiveness (PMOE) who will assist departments with achieving the corrective action and implementation of audit recommendations.