The Audit Process
Every audit is unique but generally internal audits are a collaborative process designed to identify unmitigated risks, review business processes currently in place, and recommend potential changes, where advisable, to reduce risk to the University and to possibly increase efficiently. The audit life cycle is similar for most of our engagements and normally consists of the following stages:
Stages of an Audit
OACP, through dialogues with management, completes a risk assessment process for the University which culminates in the development of the annual Internal Audit Work Plan. The risk assessment process employed evaluates risks to the University's strategic plan, it's people, process, and technology.
Our Audit plan is developed based on our risk assessment and analysis of auditable entities, their inherent level of business risk, and input provided by senior management. The audit plan is shared with the Audit and Compliance Committee of the Board of Trustees. OACP is responsible for executing this plan and providing an annual report results back to the Committee. The Audit Plan is flexible and adjusted as needed, and risks continue to be monitored and evaluated throughout the year with appropriate adjustments to the Audit Work Plan as necessary.
Internal Audit projects are generally broken down into four phases, Planning, Fieldwork, Reporting, and Wrap Up. Our process is flexible to allow for the application of professional judgment based on the individual projects.
During the planning phase, The audit team performs research on the individual projects by reviewing any past audit work performed in the unit and available literature on the subject of the audit. Planning can also include introductory meetings with pertinent staff to better understand the unit’s goals, objectives and processes, discuss audit objectives, timelines, and other important information that can ease the internal audit process. Planning results in the development of the final audit scope and objectives.
Once the audit's scope and objectives are finalized an entrance conference with the unit supervisor is scheduled to formally initiate the audit work. During this entrance conference, we will discuss our proposed scope and objectives and explore any concerns that management may have. We will also discuss potential timing issues (e.g. scheduled vacations, major projects with strict deadline within the audit unit, etc.) in order to establish preliminary timelines for the engagement.
The evaluation phase of the audit is referred to as fieldwork. This phase includes assessing the adequacy of internal controls and compliance, testing of transactions, records, and resources, and performing other procedures necessary to accomplish the objectives of the audit.
It may be necessary for the audit team to conduct interviews with departmental personnel and to review departmental records and practices; however, efforts will be made to minimize disruptions and cooperate with audit clients to make the audit process as smooth as possible.
Throughout the audit, audit clients will be informed of the audit process through regular status meetings and/or communications. The audit team makes every effort to discuss audit observations, potential issues, and proposed recommendations as they are identified. In some instances, it is necessary to work directly with audit clients to determine or validate the root cause and discuss ways to eliminate the root cause.
The final result of an audit is a usually a written report that details the audit scope and objectives, results, recommendations for improvement, and the management action plans.
Draft Report – Audit reports are typically prepared in draft form and distribution is initially limited to the immediate manager of the area so it can be reviewed prior to further distribution of the audit report. If recommendations are made, written responses detailing the following are requested of the audit client and are included in the final audit report:
Management's comments on any recommendations made by the audit team;
The person who will be responsible for implementing the and suggested changes to business processes or controls, and;
An expected implementation date.
Closing Meeting – If necessary, a closing meeting will be held to provide an opportunity to resolve any questions or concerns the audit client may have about the audit results and to resolve any other issues before the seeking audit recommendation comments from the area under review's senior management.
Final Audit Report – The final audit report is addressed to the area under review's senior management. The final report is generally distributed up the chain of command (e.g. Dean, Provost, Vice President, President).
Client Surveys — Web-based audit surveys are distributed shortly after the final report to solicit feedback about the audit. This feedback is important to us as we seek to continuously improve our service delivery.
Engagement Performance Reviews — Each auditors’ performance is evaluated by the Audit Manager to ensure ongoing growth and continuous improvement.
Internal Audit performs a limited follow-up review to verify the completion of the action plans and report their completion to executive management and the Audit and Compliance Committee of the Board of Trustees.