Audit Process

Short- and long-term risk-based audit plans are developed by the Office of Internal Audit and Risk Management and approved by the Audit Committee.   An audit or review may also be included in the audit plan based on requests and input from management or other sources.  In most cases, the head of the unit or area being audited is informed in advance that an audit is scheduled.  However, in some cases, to meet the objectives of the review or audit, an audit may be conducted on a “surprise” basis.

During the planning phase, meetings are held for members of the audit team to meet with unit members and other stakeholders to gather information and perform a preliminary review of the operation being audited.  Information that may be requested includes organization charts, documented policies and procedures, and pertinent contracts and agreements.  

Also during the planning phase, key risks are identified, and a preliminary assessment of the adequacy of existing controls in relation to the risks associated with the department or function, is performed.  Audit objectives are also further refined and communicated to management during this phase of the audit, and an audit program is developed.  An audit program identifies the audit testing that will be performed in order to test the effectiveness of the controls and to assess if the controls are operating as intended.  The audit program may be adjusted to expand, eliminate, or otherwise adjust test work as the audit progresses.

During the fieldwork phase, the audit program is completed.  Some of the audit steps that may be included on the audit program are testing records for accuracy, and tracing a sample of transactions through the University function, activity, or unit under review.

Throughout this stage of the review, the audit team keeps the relevant managers or staff members, as appropriate, appraised of observations as they are discovered, and inquire of management how issues will be addressed.  Occasionally, based on the seriousness of an observation, an issue may be brought to the attention of appropriate senior management within the University. 

At the conclusion of the audit, exit meetings are held with appropriate University/unit management, and the results of the audit work are presented in a draft audit report for discussion purposes.  The draft report will include recommendations, and request management’s response to addressing the issues raised in the draft report.  

The final version of the audit report will incorporate management’s responses, and is typically distributed to the Audit Committee, to the senior management member responsible for the operation or function reported upon, and others as appropriate.    

Follow up
After a reasonable amount of time has passed, follow up may be performed to determine the status of actions outlined in the management’s response(s) section(s) of the final audit report.  The follow up may occur through a formal follow up audit, or less formally through inquiry with management.   In situations where a formal follow up audit is performed, an audit report will be issued at the audit’s conclusion.   The same draft and final audit report distribution processes apply for follow up audits.